[Avcheck] Eicar detection by different antivirus software

Michael Tokarev mjt@tls.msk.ru
Mon, 14 Jan 2002 17:34:21 +0300


adi wrote:
> 
> On Sun, Jan 13, 2002 at 11:43:08PM +0300, Michael Tokarev wrote:
> > But this is not all.  I just checked "I-Worm.MTX" (avp) aka
> > "Win95.Matrix.9216" (drweb) virus.  Avp happily detects this
> > virus if encoded with *any* content type, including text/plain.
> 
> This is not the case if using content-type: text/plain *and*
> content-disposition: inline (not base64).
> 
> Well, seems that AVP trusts message headers more than DrWeb.
> According to you, Michael, which one would 'perform' better? :-)

This depends on how you look into this.  An antivirus should
work to prevent any harmful antivirus actions.  If, according
to a structure, a message can't do any bad things, why block it?
Well, someone can edit a message like the one blocked from RaBL
yesterday, mime-decode it, save a virus to a file and run that
file.  But this requires some real knowledge, and I doubt any such
knowledgeable person will perform the above steps -- he isn't that
stupid, at the end! ;)  This is about "trusting headers": current
antivirus software is based on *known* virus signatures, and if some
virus can't be harmful if "surrounded" by particular mime headers
or encoded using a particular encoding scheme, it's ok to ignore it.

Concerning another aspect of an "issue", where drweb detects "nested
message" inside plaintext email -- first of all, the above statement
applies here as well.  There is no *need* to block such messages,
and we have an example when this can be unhelpful.  But this again
depends on how you look into this.  If you want *no* viruses in *any*
possible form, that should be fine.  And most sites will not want
any viruses anyway; only virus-discussion forums etc. like this one
may "want viruses", but there are other ways to exchange viruses for
this purpose.

For this "issue", I personally like avp's behaviour more than drweb's.
But mind you, *I* will NOT suffer from a mail virus, unlike most of
my colleagues around me who do other tasks and for whom our mailserver
runs an antivirus! ;)

At the end, this question is so minor -- it covers only very limited
cases when viruses may be *wanted*, and how easy the exchange of
them should be... ;)

Regards,
 Michael.
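The two scanner policies discussed in this thread, "trust the MIME headers" versus "decode and scan every part regardless of headers", can be made concrete with a small example. The code below is an added illustration written for this archive page; it is not code from the original post, and it does not reproduce how AVP or DrWeb actually work. It builds two constructed test messages carrying the EICAR test string (once as a base64 `application/octet-stream` attachment, once inline in a `text/plain` body) and runs a toy signature scanner over each under both policies. The function names (`build_attachment_message`, `build_inline_text_message`, `scan`) and the `SIGNATURES` table are assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# The EICAR test string (a harmless, standardised AV test pattern), assembled
# from two fragments so that this source file itself is not flagged on disk.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Toy signature database: name -> byte pattern.  Real products use far more
# than plain substring matching, but the policy question is the same.
SIGNATURES = {"EICAR-Test-File": EICAR.encode("ascii")}


def build_attachment_message() -> bytes:
    """Constructed sample: EICAR as a base64-encoded, explicitly attached file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "rcpt@example.test"
    msg["Subject"] = "eicar as base64 attachment"
    msg.set_content("see attached")
    # add_attachment() with bytes uses base64 and Content-Disposition: attachment
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


def build_inline_text_message() -> bytes:
    """Constructed sample: EICAR sitting inline in a plain-text body (not base64)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "rcpt@example.test"
    msg["Subject"] = "eicar inline in text/plain"
    msg.set_content("hello\n" + EICAR + "\n", disposition="inline")
    return msg.as_bytes()


def scan(raw: bytes, trust_headers: bool) -> list:
    """Walk every MIME leaf part and match decoded payloads against SIGNATURES.

    trust_headers=True  -> skip text/* parts that are not declared attachments,
                           on the reasoning that such content is not executed
                           by a mail client as delivered (the "AVP-like" policy
                           described in the thread).
    trust_headers=False -> decode and scan every leaf part regardless of its
                           Content-Type / Content-Disposition (the "DrWeb-like"
                           policy: no virus in any form).
    Returns a list of (signature name, content type, disposition) tuples.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers have no payload of their own
        ctype = part.get_content_type()
        disp = part.get_content_disposition()  # None, 'inline' or 'attachment'
        if trust_headers and ctype.startswith("text/") and disp != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        for name, sig in SIGNATURES.items():
            if sig in payload:
                hits.append((name, ctype, disp))
    return hits


if __name__ == "__main__":
    for label, raw in (("attachment", build_attachment_message()),
                       ("inline text", build_inline_text_message())):
        for trust in (True, False):
            print(f"{label:12s} trust_headers={trust!s:5s} -> {scan(raw, trust)}")
```

Both policies catch the base64 attachment; only the header-agnostic policy catches the inline `text/plain` copy, which is exactly the difference adi observed. Which behaviour is "better" is the site-policy question Michael raises: a header-trusting scanner produces fewer blocks on messages that merely discuss or quote a sample, while the header-agnostic one guarantees that no known signature passes in any form. The decode step matters for either policy, since a signature never matches against still-base64-encoded bytes.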