[Avcheck] Eicar detection by different antivirus software

Sergey Akhapkin <asv@drweb.ru>
Mon, 14 Jan 2002 14:26:26 +0300


Hello Michael,

Sunday, January 13, 2002, 11:43:08 PM, you wrote:

[skip]

MT> Sergey, Vladislav, can you look into this?  I placed a complete copy
MT> of rejected message at
MT>  ftp://ftp.corpit.ru/home/mjt/drweb-false-alarm
MT> That was original message from RaBL that was rejected by drweb.  This is
MT> certainly a bug in drweb, but I was unable to reproduce it with other
MT> structure -- there should be something specific.  E.g. If I prepend standard
MT> email headers to eicar.msg file as distributed with avcheck, drweb will
MT> not detect eicar in it, and this is correct.

Ok. I'll try to explain such behaviour of our product. Our customers
expect good detection of viruses from our antivirus. They don't know
(and don't want to know) about correct MIME headers or about MIME at all :) -
they are just PC users.
Two messages (that I'll show below) contain viruses in MIME
structures with Content-Type = text/plain, but customers want to be
able to detect them even in such cases. Some mail readers are very
"intelligent" and try to run (show) everything they see. And since we try to
detect all viruses, we shouldn't think - "Would mail readers be
correct and not run this, or not?"

Now I want to show two messages (with viruses):

------------------------ mail.enc -----------------------------
From: Sergey Akhapkin <root@asv.internal.drweb.ru>
To: CVS <cvser@asv.internal.drweb.ru>
Subject: [MAIL] Base64-trial
X-Mailer: The Bat! (v1.53bis) Business
X-Priority: 3 (Normal)
Message-ID: <1058130354.20011004235131@drweb.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: base64

8NLJ18XU09TX1cAsIFNlcmdleSENCg0KPGh0bWw+IDxDeWJlclNoYWRvdy4uLj4NCjxCT0RZIG9u
[skip virus body]
------------------------ mail.enc -----------------------------

------------------------ ascon.msg ----------------------------
Date: Mon, 3 Dec 2001 14:18:36 +0300
From: Some@domain
X-Mailer: The Bat! (v1.53d)
X-Priority: 2 (High)
Message-ID: <130490214531.20011203141836@ascon.ru>
To: asv@drweb.ru
Subject: VIRUS!!!!   (Fwd: Fwd: Fwd: Fwd: Fwd: Test)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------8315720C2C93A00A"

------------8315720C2C93A00A
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit

This is a forwarded message
From: Some@domain

[skip many forwards]

===8<==============Original message text===============
Return-Path: <xxx@yyy.zzz>

[skip a lot of Received:]

Message-ID: <3C028751.2FDA7003@jb8399.spb.edu>
Date: Mon, 26 Nov 2001 21:17:53 +0300
From: xxx@yyy.zzz
X-Mailer: Mozilla 4.51 [ru] (Win98; I)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Some@domain
Subject: Test
Content-Type: multipart/mixed;
 boundary="------------F64A7AF8A25434D85F22F015"
Status:   

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
   name="HUMOR.MP3.scr"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[skip virus body]
------------------------ ascon.msg ----------------------------

The first message contains just a legally encoded script virus; the second
message contains an attachment with a mail that contains a text attachment (with
a MIME-encoded virus), which can be saved to disk (as a text file), and the virus
can then be extracted with UUE tools.

Now I want to show logs from the DrWeb daemon:

------------------------ daemon.log ---------------------------
Dr.Web daemon for Linux, version 4.26 (September 25, 2001)
Mon Jan 14 13:42:12 2002 Key file: /opt/drweb/USR00007.KEY
Mon Jan 14 13:42:12 2002 Registration info:
Mon Jan 14 13:42:12 2002 0000000007
Mon Jan 14 13:42:12 2002 Sergey Akhapkin
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drwtoday.vdb - Ok, virus records: 21
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42612.vdb - Ok, virus records: 40
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42611.vdb - Ok, virus records: 87
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42610.vdb - Ok, virus records: 60
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42609.vdb - Ok, virus records: 325
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42608.vdb - Ok, virus records: 135
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42607.vdb - Ok, virus records: 100
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42606.vdb - Ok, virus records: 315
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42605.vdb - Ok, virus records: 103
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42604.vdb - Ok, virus records: 55
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42603.vdb - Ok, virus records: 50
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42602.vdb - Ok, virus records: 40
Mon Jan 14 13:42:12 2002 Loading /opt/drweb/drw42601.vdb - Ok, virus records: 59
Mon Jan 14 13:42:13 2002 Loading /opt/drweb/drwebase.vdb - Ok, virus records: 26390
Mon Jan 14 13:42:13 2002 Daemon is installed, TCP socket created on port 3000
Mon Jan 14 13:44:01 2002 test/smtp/mail.enc - archive MAIL
Mon Jan 14 13:44:01 2002 >test/smtp/mail.enc/MAIL infected with VBS.Cybers
Mon Jan 14 13:44:52 2002 test/smtp/ascon.msg - archive MAIL
Mon Jan 14 13:44:52 2002 >test/smtp/ascon.msg/Kryoth.m64 - Ok
Mon Jan 14 13:47:29 2002 Shutting down daemon (signal 15 received)...
Dr.Web daemon for Linux, version 4.27 (December 28, 2001)
Mon Jan 14 13:48:05 2002 Key file: /opt/drweb/USR00007.KEY
Mon Jan 14 13:48:05 2002 Registration info:
Mon Jan 14 13:48:05 2002 0000000007
Mon Jan 14 13:48:05 2002 Sergey Akhapkin
Mon Jan 14 13:48:05 2002 Loading /opt/drweb/drwebase.vdb - Ok, virus records: 27860
Mon Jan 14 13:48:05 2002 Daemon is installed, TCP socket created on port 3000
Mon Jan 14 13:48:29 2002 test/smtp/ascon.msg - archive MAIL
Mon Jan 14 13:48:29 2002 >test/smtp/ascon.msg/Kryoth.m64 - archive MAIL
Mon Jan 14 13:48:29 2002 >>test/smtp/ascon.msg/Kryoth.m64/HUMOR.MP3.scr infected with Win32.HLLW.Badtrans
------------------------ daemon.log ---------------------------

As you can see, in the previous version we don't detect (correctly from the
point of view of mail standards) the virus in the second message, but our
customers ask us for it.

1) Should we detect viruses in such cases?

The answer to this question differs depending on the point of view:
- from the mail standard - NO,
- from our customers' view - YES.

2) Is it bad that we try to detect all possible virus transports?

I think no - it's good, very good. In special cases, when one man
(a professional) wants to send a virus to another professional, he will make
a password-protected archive - no antivirus software would be
able to detect such a virus.

-- 
Best regards,
 Sergey                            mailto:asv@drweb.ru
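Added example (my code, not Dr.Web's): a Python walker that decodes every MIME leaf, including a forwarded mail nested as message/rfc822, and flags parts whose decoded bytes or file name contradict the declared Content-Type, the two shapes shown by mail.enc (text/plain whose base64 hides HTML) and ascon.msg (audio/x-wav named *.scr carrying an MZ header) in the message above. The sample message, the extension list and the HTML pattern are constructed assumptions.

```python
import base64, email, os, re
from email import policy

# Constructed sample (not a message from the thread), shaped like ascon.msg: a
# forwarded mail nested as message/rfc822 whose attachment is declared audio/x-wav
# but named *.scr and starts with an MZ header; the outer text/plain part, like
# mail.enc, is base64 that decodes to HTML with an event handler.
HTML_B64 = base64.b64encode(b'<html> <BODY onload="">').decode()
MZ_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA"   # leading PE header bytes
SAMPLE = f"""\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: base64

{HTML_B64}
--outer
Content-Type: message/rfc822

Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: audio/x-wav; name="HUMOR.MP3.scr"
Content-Transfer-Encoding: base64

{MZ_B64}
--inner--
--outer--
""".encode()

EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs", ".js"}   # assumed list
ACTIVE_HTML = re.compile(rb"<\s*(script|html|body\s+on\w+)", re.I)

def suspicious_parts(raw: bytes) -> list[tuple[str, str]]:
    """Decode every leaf part, descending into message/rfc822, and return
    (part name, reason) where the bytes or file name contradict the header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue                       # containers carry no payload of their own
        ctype = part.get_content_type()
        name = part.get_filename() or ctype
        data = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        ext = os.path.splitext(name)[1].lower()
        if not ctype.startswith("application/") and (data.startswith(b"MZ") or ext in EXEC_EXTS):
            findings.append((name, f"executable content declared as {ctype}"))
        if ctype == "text/plain" and ACTIVE_HTML.search(data):
            findings.append((name, "active HTML inside a text/plain body"))
    return findings
```

Both findings come from the decoded bytes, not from the declared type, which is the behaviour the 4.27 log shows for the nested HUMOR.MP3.scr part.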