[Avcheck] Eicar detection by different antivirus software
Michael Tokarev
mjt@tls.msk.ru
Mon, 14 Jan 2002 00:00:33 +0300
> ftp://ftp.corpit.ru/home/mjt/drweb-false-alarm
This simple one also triggers the same drweb's false alarm.
Remove > character from eicar body for testing.
--cut--
From: Michael Tokarev <mjt@corpit.ru>
To: Virus Test <mjt@corpit.ru>
Subject: Eicar test file (antivirus should detect it)
MIME-Version: 1.0
Content-Type: text/plain
Date: Mon, 6 Aug 2001 16:09:34 +0400 (MSD)
A test message:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=eicar-boundary
Date: Mon, 6 Aug 2001 16:09:34 +0400 (MSD)
This is a multi-part message in MIME format.
--eicar-boundary
Content-Type: application/octet-stream
Content-Disposition: attachtment; filename="eicar.com"
Content-Description: EICAR test file
Content-Transfer-Encoding: 7bit
>X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
--eicar-boundary--
--cut--
It seems drweb tries to process a mailbox-like file instead of a
single email message here, but proper message boundary detection
is missing. Note also that the original message that triggered this
thread (the url above) really *looks* like two parts of a mailbox --
note the lines:
--cut--
Msg. source:
-----------------------------
>From - Sun Jan 13 19:37:18 2002
X-UIDL: 1010951201.4975_0.underworld.blansko.cz
X-Mozilla-Status: 0001
--cut--
That "<nl><nl>From<space>" sequence.
Well, looking at all this, I can't say this is a real bug in drweb --
maybe it is a feature, to be able to scan /var/spool/mail/user's
mailboxes (avp can't do this). But certainly NOT for such drweb usage
(scanning separate email messages).
Regards,
Michael.
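The ambiguity described above, shown as an added example (not code from the post or from drweb): a naive mbox splitter cuts a single message in two at a body line that begins with "From ", a proper RFC 822 parse does not, and mboxo-style ">From " quoting removes the false separator. The message is a constructed sample, not the one from the thread.

```python
import email
from email import policy

# Constructed sample: one RFC 822 message whose text part contains a blank
# line followed by a "From " line, like the quoted message source above.
SAMPLE = """From: alice@example.test
To: bob@example.test
Subject: single message with an mbox-looking body
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=demo-boundary

--demo-boundary
Content-Type: text/plain

Msg. source:

From - Sun Jan 13 19:37:18 2002
X-Mozilla-Status: 0001
--demo-boundary
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="sample.bin"
Content-Transfer-Encoding: 7bit

CONSTRUCTED-SAMPLE-ATTACHMENT-BYTES
--demo-boundary--
"""


def naive_mbox_split(data):
    """Treat the data as an mbox: start a new message at every 'From ' line
    that follows a blank line. On a single message this splits the body."""
    chunks, current, prev = [], [], ""
    for line in data.splitlines(keepends=True):
        if line.startswith("From ") and current and prev.strip() == "":
            chunks.append("".join(current))
            current = []
        current.append(line)
        prev = line
    if current:
        chunks.append("".join(current))
    return chunks


def parse_single_message(data):
    """Parse as one message and return attachments by filename; MIME
    boundaries, not 'From ' lines, delimit the parts."""
    msg = email.message_from_string(data, policy=policy.default)
    return {p.get_filename(): p.get_content() for p in msg.iter_attachments()}


def mboxo_escape(data):
    """Quote 'From ' lines as '>From ' (the classic mbox convention) so an
    mbox reader cannot mistake them for message separators."""
    return "".join(">" + l if l.startswith("From ") else l
                   for l in data.splitlines(keepends=True))
```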