[Avcheck] Eicar detection by different antivirus software
adi
adi@acme.com
Mon, 14 Jan 2002 08:25:50 +0700 (JAVT)
On Sun, Jan 13, 2002 at 11:43:08PM +0300, Michael Tokarev wrote:
> But this is not all. I just checked "I-Worm.MTX" (avp) aka
> "Win95.Matrix.9216" (drweb) virus. Avp happily detects this
> virus if encoded with *any* content type, including text/plain.
May I have this virus 'sample', Michael? I'm not a postmaster,
I'm not a virus admin, and I'm a happy mutt user, see? :-)
> So I can't say that avp skips any text/plain attachments for
> whatever reason (e.g. to speed up the process). So, granted,
> any virus that will target text/plain + .exe exploit will be
> detected by avp (having recent virusbases).
>
> For drweb, the case is different. It will detect eicar regardless
> of MIME type, including text/plain. It correctly will not detect
> it if I'll place some additional characters before that eicar body,
> leaving intact all other MIME structure, ....
Can I say that DrWeb would insist on scanning even if it's text/plain,
if there is a Content-Transfer-Encoding: header?
I just thought that there is a kind of 'interaction' between
extension name (txt.exe, txt.pif blah), and the mime header
to some extent. Dunno which one would be the better (AVP/DrWeb).
Regards,
P.Y. Adi Prasaja
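
The behaviour discussed in this thread (the test file is flagged whatever Content-Type is declared, and is not flagged once extra characters precede it) can be reproduced with a small content-based check. This is an added example, not part of the original message and not how AVP or DrWeb are implemented; the function names and sample messages are constructed for illustration.

```python
from email import encoders, message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

# The 68-byte EICAR test string, split in two so this source file is not flagged.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
         + rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
TRAILER = b" \t\r\n\x1a"  # the only bytes allowed after the string


def is_eicar_test_file(data: bytes) -> bool:
    """EICAR definition: string at offset 0, whitespace-only tail, <= 128 bytes."""
    return (data.startswith(EICAR) and len(data) <= 128
            and not data[len(EICAR):].strip(TRAILER))


def scan_message(raw: bytes) -> list:
    """Decode each leaf part by its transfer encoding; ignore the declared type."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        if is_eicar_test_file(body):
            hits.append((part.get_content_type(), part.get_filename()))
    return hits


def build_sample(ctype: str, filename: str, body: bytes) -> bytes:
    """Constructed sample: one base64 attachment with the given declared type."""
    msg = MIMEMultipart()
    msg["Subject"] = "constructed test message"
    maintype, subtype = ctype.split("/")
    att = MIMEBase(maintype, subtype)
    att.set_payload(body)
    encoders.encode_base64(att)  # adds Content-Transfer-Encoding: base64
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_bytes()


if __name__ == "__main__":
    for ctype, body in [("text/plain", EICAR),
                        ("application/octet-stream", EICAR + b"\r\n"),
                        ("text/plain", b"abc" + EICAR)]:
        print(ctype, len(body), scan_message(build_sample(ctype, "readme.txt.exe", body)))
```
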