[Avcheck] Eicar detection by different antivirus software

Michael Tokarev mjt@tls.msk.ru
Mon, 14 Jan 2002 00:00:33 +0300


>  ftp://ftp.corpit.ru/home/mjt/drweb-false-alarm

This simple one also triggers the same drweb's false alarm.
Remove > character from eicar body for testing.

--cut--
From: Michael Tokarev <mjt@corpit.ru>
To: Virus Test <mjt@corpit.ru>
Subject: Eicar test file (antivirus should detect it)
MIME-Version: 1.0
Content-Type: text/plain
Date: Mon,  6 Aug 2001 16:09:34 +0400 (MSD)

A test message:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=eicar-boundary
Date: Mon,  6 Aug 2001 16:09:34 +0400 (MSD)

This is a multi-part message in MIME format.

--eicar-boundary
Content-Type: application/octet-stream
Content-Disposition: attachtment; filename="eicar.com"
Content-Description: EICAR test file
Content-Transfer-Encoding: 7bit

>X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

--eicar-boundary--
--cut--

It seems drweb tries to process a mailbox-like file instead of a
single email message here, but proper message boundary detection
is missing.  Note also that the original message that triggered this
thread (the url above) really *looks* like two parts of a mailbox --
note the lines:

--cut--
Msg. source:
-----------------------------

>From - Sun Jan 13 19:37:18 2002
X-UIDL: 1010951201.4975_0.underworld.blansko.cz
X-Mozilla-Status: 0001
--cut--

That "<nl><nl>From<space>" sequence.
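To show the split the message above describes, here is an added example (not code from this thread or from drweb): a naive mbox splitter that starts a new message at every "From " line following a blank line, beside the stricter check that an mbox must begin with "From " at offset 0. The sample message is constructed to mimic the "<nl><nl>From<space>" pattern; the addresses and X-UIDL value are placeholders.

```python
"""Added example: naive mbox splitting vs. a stricter mbox test.
The sample below is constructed and is not the message from the ftp URL."""
import re

# Constructed single RFC 822 message whose body quotes a Mozilla mailbox
# header line ("From - <date>") right after a blank line.
SAMPLE = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Subject: constructed sample\n"
    "\n"
    "Msg. source:\n"
    "-----------------------------\n"
    "\n"
    "From - Sun Jan 13 19:37:18 2002\n"
    "X-UIDL: constructed-uidl\n"
    "X-Mozilla-Status: 0001\n"
)

# Classic mbox separator: the word "From" followed by a space at line start.
# "From:" (a header) has a colon, so it does not match.
MBOX_FROM = re.compile(r"^From ")


def naive_split(data: str) -> list[str]:
    """Split on every 'From ' line that follows a blank line or starts the
    file.  This is the heuristic the post suspects: a body that quotes a
    mailbox header line is enough to make one message look like two."""
    parts, current, prev_blank = [], [], True
    for line in data.splitlines(keepends=True):
        if prev_blank and MBOX_FROM.match(line):
            if current:
                parts.append("".join(current))
            current = []
        current.append(line)
        prev_blank = line.strip() == ""
    if current:
        parts.append("".join(current))
    return parts


def is_mbox(data: str) -> bool:
    """Stricter test: a real mbox starts with a 'From ' separator at offset
    0, while a single message starts with a header line such as 'From:'."""
    return data.startswith("From ")


def count_messages(data: str) -> int:
    """Only split files that actually look like a mailbox at the start."""
    return len(naive_split(data)) if is_mbox(data) else 1
```

Running `naive_split(SAMPLE)` yields two fragments, while `count_messages(SAMPLE)` correctly reports one message.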

Well, looking at all this, I can't say this is a real bug in drweb --
maybe it is a feature, to be able to scan /var/spool/mail/user's
mailboxes (avp can't do this).  But certainly NOT for such drweb usage
(scanning separate email messages).

Regards,
 Michael.