
Thread: Test your AV

  1. #1
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber

    Test your AV

    This is a poll of sorts, not to find out what AV people are using, but how it performs with detection of a test virus.

    The idea behind this is to have the ability to verify your AV is working correctly without having a risk of infecting a machine.


    All you need to do is visit http://www.eicar.org/anti_virus_test_file.htm and at the bottom you will see a table of download links for a HARMLESS TEST VIRUS SIGNATURE.

    1. Select to save the .COM file first and make a reply to this post with what AV (and version) you are running and when & how it prompted you about the presence of the virus.

    2. Then repeat the test by saving the .ZIP file to verify archives are examined correctly too.


    Do not attempt to run the executable or manually open the ZIP file - the files have been written to disk (or even better, intercepted before being committed to disk) so should be checked automatically without user intervention.

    Please also comment if you have write caching enabled on your drive (check in Computer Management/Device Manager/Disk Drive - properties - Policies tab).
    I suspect that write caching may prevent some AV products from detecting infected files immediately, and they have to check the data when it is committed to disk - leading to a delay in reporting and possibly erroneous reporting if the file has already been moved/deleted.

    This is a purely on-access test - we are not relying on a manual or scheduled system scan or an attempt to work with an infected local file.

    The ideal response is for the AV product to alert immediately and prevent the file being written to the disk, and for an event to be written to one of the system event logs.


    Here is my result:

    AV: AVG Free 7.0.344 w/virus base 267.10.24/101 (2005-09-13 20:45:00)

    .COM save results:
    Detected automatically YES/NO: YES
    At point: ~6 minutes after the file was saved to the disk
    Action: "Virus detected" message popped up, offering the actions; keep, info, heal, delete, move to vault

    .ZIP save results:
    Detected automatically YES/NO: NO (waited 7 minutes)
    Detected when file was opened: NO
    Detected when infected file was extracted to the disk: YES, after about ~20 seconds the copy in WinRAR's temporary folder was reported as infected - the copy which was already deleted
    Manually detected when scanned: YES

    Write caching is enabled on my hard disk.

    There was no entry written to the Windows event logs (Application, Security or System) to indicate a virus had been detected.


    I think I'll check out other AV solutions in light of this...
    Last edited by Paul Adams; 14-09-2005 at 01:20 PM.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3
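
The procedure from post #1 as a script (an added example, not posted by anyone in the thread): it writes the test file, the ZIP and a ZIP-inside-a-ZIP to a temporary folder without running them, polls for removal without opening anything, and only tries to open what is left once the wait expires. The function names, state labels and the 60-second default are assumptions; the nested archive goes beyond the two downloads the post asks for.

```python
"""On-access AV self-test with the EICAR file: write samples, never run them."""
import io
import tempfile
import time
import zipfile
from pathlib import Path

# The 68-byte EICAR test string, split in two so that this script's own
# source does not contain the contiguous signature.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
         r"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

def zip_bytes(member: str, payload: bytes) -> bytes:
    """Build a one-member ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

def build_samples(payload: bytes = EICAR) -> dict:
    """File name -> bytes: bare file, archive, archive inside an archive."""
    inner = zip_bytes("eicar.com", payload)
    return {"eicar.com": payload, "eicar_com.zip": inner,
            "eicarcom2.zip": zip_bytes("eicar_com.zip", inner)}

def state_of(path: Path, try_open: bool) -> str:
    """'removed' if the file is gone; with try_open, also test that it reads."""
    if not path.exists():
        return "removed"              # deleted or quarantined by the scanner
    if try_open:
        try:
            path.read_bytes()
        except OSError:
            return "blocked on open"  # scanner denied access to the file
    return "present"

def run_test(workdir: Path, samples: dict, timeout=60.0, interval=1.0) -> dict:
    """Return name -> (state, seconds); 'present' at the end means undetected."""
    results, pending, start = {}, [], time.monotonic()
    for name, content in samples.items():
        try:
            (workdir / name).write_bytes(content)
            pending.append(name)
        except OSError:               # intercepted before reaching the disk
            results[name] = ("blocked on write", 0.0)
    while pending:
        elapsed = time.monotonic() - start
        expired = elapsed >= timeout
        for name in list(pending):
            state = state_of(workdir / name, try_open=expired)
            if state != "present" or expired:
                results[name] = (state, round(elapsed, 1))
                pending.remove(name)
        if pending:
            time.sleep(min(interval, timeout - elapsed))
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        report = run_test(Path(folder), build_samples(), timeout=60.0)
        for name, (state, secs) in report.items():
            print(f"{name:14} {state:16} after {secs:.1f}s")
```

Run it with real-time protection enabled; a final state of `present` corresponds to "Detected automatically: NO" in the report format used in this thread.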

  2. #2
    Ex-MSFT Paul Adams's Avatar
    AV: Computer Associates' eTrust 7.1.192 (InoculateIT engine 23.70.36)

    .COM save results:
    Detected automatically YES/NO: YES
    At point: ~5 seconds after the file was saved to the disk
    Action: Silently moved (configured action)

    .ZIP save results:
    Detected automatically YES/NO: NO
    Detected when file was opened: YES
    Action: Pop-up message informed the archive contained an infected file and had been removed.

    Write caching is enabled on my hard disk.

    There was no entry written to the Windows event logs (Application, Security or System) to indicate a virus had been detected.

  3. #3
    Spodes Henchman unrealrocks's Avatar
    Join Date
    Aug 2003
    Location
    Nottingham UK
    Posts
    2,390
    Thanks
    3
    Thanked
    2 times in 2 posts
    AV: Norton 7.5.6.14

    .COM save results:
    Detected automatically YES/NO: YES
    At point: Before it'd even let Opera give the option to save to disk ~2secs after clicking the link.
    Action: "Virus detected" message popped up, offering the actions; Delete

    .ZIP save results:
    Detected automatically YES/NO: NO (waited 7 minutes)
    Detected when file was opened: NO
    Detected when infected file was extracted to the disk: YES, after ~2secs.
    Manually detected when scanned: N/A (didn't have a chance to manually scan before it caught it automatically).

    G4 PowerMac - Tiger 10.4 - 512MB RAM
    MacBook - 2Ghz - 1GB RAM - 120GB HDD

    Rotel RC970BX | DBX DriveRack |2x Rotel RB850
    B&W DM640i | Velodyne 1512

  4. #4
    Member
    Join Date
    Aug 2005
    Posts
    108
    Thanks
    0
    Thanked
    0 times in 0 posts
    • OmarSantiago's system
      • Motherboard:
      • Striker Extreme
      • CPU:
      • Core 2 Duo 6750
      • Memory:
      • 4GB Black Dragon DDR
      • Storage:
      • Raptors
      • Graphics card(s):
      • 8800GTX
      • PSU:
      • PC P&C 750 Quad Silencer
      • Case:
      • Silverstone TJ09
    Running Windows XP Pro SP2 fully patched and updated

    AV: Sophos AV 3.97.0 (Build 0235)
    Total Viruses 109858


    .COM save results:
    Detected automatically YES/NO: YES
    At point: As soon as I selected the item for download
    Action: Warning message: Virus: 'EICAR-AV-Test' detected in C:\Documents and Settings\Santiago\Local Settings\Temporary Internet Files\Content.IE5\TQFX1EC2\eicar[1].com

    Access to the infected file is denied

    Email sent with this message and a copy made to Sophos' daily log. Sophos will automatically shred it on the next daily sweep


    .ZIP save results:
    Detected automatically YES/NO: NO
    Detected when file was opened: NO
    Detected when infected file was extracted to the disk: XP sees the file without 3rd party utilities and it didn't flag until I tried to execute the program when it followed the above routine.
    Manually detected when scanned: YES

    Write caching is enabled on my hard disk.

    Windows Application log flagged each detection with the following message:

    XP Virus: 'EICAR-AV-Test' detected in C:\DOCUME~1\Santiago\LOCALS~1\Temp\Temporary Directory 1 for eicar_com.zip\eicar.com
    Access to the infected file is denied


    /Edit: Ran this test on a cloned machine that has write-caching disabled by default: Sophos performed exactly the same.
    Last edited by OmarSantiago; 14-09-2005 at 11:13 AM.

  5. #5
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    385 times in 314 posts
    McAfee Virusscan Enterprise 8
    Scan Engine : 4400
    Virus Definitions : 4579

    .COM save results:
    Detected automatically YES/NO: YES
    At point: As soon as file was selected for download
    Action: "Virus detected" message popped up, file Moved as Virusscan decided it wasn't cleanable.

    .ZIP save results:
    Detected automatically YES/NO: NO
    Detected when file was opened: NO
    Detected when infected file was extracted to the disk: YES, IMMEDIATELY

    Manually detected when scanned: YES

    Entries were added to the local event log and also alerts generated into ePolicy Orchestrator.

    EDIT #2: Gave my AV Admin a kick and told him to enable scanning within Archives. One EPO update later and VS8 picked Eicar up as soon as I attempted to download the zip.
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  6. #6
    OC Junkie!
    Join Date
    Jul 2005
    Location
    Scarborough
    Posts
    302
    Thanks
    3
    Thanked
    6 times in 6 posts
    • Wiczy's system
      • Motherboard:
      • ASUS M6H 1203
      • CPU:
      • 4770k @ 4.5
      • Memory:
      • 16GB Corsair Vengeance Pro 2400
      • Storage:
      • Samsung Evo Pro 128 + MX100 256 + C300 64 + Assorted Mechanical Drives
      • Graphics card(s):
      • Gigabyte R9 290X OC WF
      • PSU:
      • XFX 650W XXX Pro
      • Case:
      • old noname
      • Operating System:
      • Win 10 x64 Pro
      • Monitor(s):
      • AOC Q2770 PQU + LG WG2353V
      • Internet:
      • Plusnet Unlimited Fibre 80/20
    NOD32 antivirus system information
    Virus signature database version: 1.1216 (20050913)
    Dated: 13 September 2005
    Virus signature database build: 6101

    Information on other scanner support parts
    Advanced heuristics module version: 1.018 (20050805)
    Advanced heuristics module build: 1088
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.034 (20050902)
    Archive support module build version: 1132

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.50.25
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.50.25
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.50.25

    .COM results

    Detected immediately on clicking to download - msg " The file contains a threat to your computer "

    .ZIP results

    Detected immediately on clicking to download - msg " The file contains a threat to your computer "

    Write caching is enabled.

    In both cases the files were not written to disk.

  7. #7
    Registered+
    Join Date
    Aug 2005
    Location
    Nottinghamshire
    Posts
    40
    Thanks
    0
    Thanked
    0 times in 0 posts
    AVG Free Version 7.0.344

    .COM save results:
    Detected automatically YES/NO: YES
    At point: As soon as file was selected for download
    Action: "Virus detected" message popped up

    .ZIP save results:
    Detected automatically YES/NO: NO
    Detected when file was opened: NO
    Detected when infected file was extracted to the disk: YES, With choice to Delete or Heal
    File Deleted


    Manually detected when scanned: YES, Virus found EICAR_Test

  8. #8
    Administrator Moby-Dick's Avatar
    Quote Originally Posted by Wiczy
    NOD32 antivirus system information
    Virus signature database version: 1.1216 (20050913)
    Dated: 13 September 2005
    Virus signature database build: 6101

    Information on other scanner support parts
    Advanced heuristics module version: 1.018 (20050805)
    Advanced heuristics module build: 1088
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.034 (20050902)
    Archive support module build version: 1132

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.50.25
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.50.25
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.50.25

    .COM results

    Detected immediately on clicking to download - msg " The file contains a threat to your computer "

    .ZIP results

    Detected immediately on clicking to download - msg " The file contains a threat to your computer "

    Write caching is enabled.

    In both cases the files were not written to disk.
    good score for NOD there

    is it a free / low cost AV product?

  9. #9
    Ex-MSFT Paul Adams's Avatar
    NOD32 2.5 Trial Version:

    .COM save results:
    Detected automatically YES/NO: YES
    At point: Immediately on clicking the link, before the save/open dialog appeared in both IE and Firefox
    Action in Firefox: "Virus detected" message popped up for temporary copy of the file, no options - dialog box from Firefox still appeared
    Action in IE: "Virus detected" message popped up for temporary copy of the file with the options; Copy to Quarantine, Terminate

    .ZIP save results:
    Detected automatically YES/NO: YES (IE) and NO (Firefox)
    At point: Immediately on clicking the link, before the save/open dialog appeared in IE
    Action in Firefox: None, file saved to disk as normal
    Action in IE: "Virus detected" message popped up for temporary copy of the file with the options; Copy to Quarantine, Terminate

    (Also tested "eicarcom2.zip" in Firefox and IE with the same results - this is a test virus file inside a zip file which is inside another zip file, to test recursive virus scanning.)

    There was no entry written to the Windows event logs (Application, Security or System) to indicate a virus had been detected.

    Edit:
    However, NOD32 does maintain its own logs of threats detected, #files scanned, etc. visible through its own interface.
    Last edited by Paul Adams; 14-09-2005 at 03:39 PM.

  10. #10
    Administrator Moby-Dick's Avatar
    you almost sound impressed there Paul

  11. #11
    Wiczy
    Low cost and absolutely superb imho. You don't know it's there until you click the wrong link ;p

  12. #12
    Ex-MSFT Paul Adams's Avatar
    Quote Originally Posted by Moby-Dick
    you almost sound impressed there Paul
    Hehe, yeah - a little concerned as to why NOD32 picks up the virus through one browser but not another though... and it's a shame neither AVG nor NOD32 logs anything in the Windows event logs.
    Now if I could just figure out a way to get a command-line update to work then I've got a new silent AV install for my unattended system build DVD

  13. #13
    Wiczy
    The 'zip in a zip' was detected in Firefox with my version of NOD32

  14. #14
    Administrator Moby-Dick's Avatar
    Quote Originally Posted by Paul Adams
    Hehe, yeah - a little concerned as to why NOD32 picks up the virus through one browser but not another though... and it's a shame neither AVG nor NOD32 logs anything in the Windows event logs.
    Now if I could just figure out a way to get a command-line update to work then I've got a new silent AV install for my unattended system build DVD

    I'm sure the full version of AVG will either write an event or send an email.

  15. #15
    Ex-MSFT Paul Adams's Avatar
    Quote Originally Posted by Wiczy
    The 'zip in a zip' was detected in Firefox with my version of NOD32
    Not sure why it behaves differently on my machine... at first I thought the default action might be to blame (I had it set to always save ZIPs to disk), but restoring it to prompt for an action (and picking either open or save) doesn't make NOD32 pick up the virus in Firefox...

  16. #16
    Wiczy
    I have no idea...as you can see from the .JPG it was detected just fine over here.

    Odd.
