[Avcheck] Eicar detection by different antivirus software
Michael Tokarev
mjt@tls.msk.ru
Mon, 14 Jan 2002 17:48:59 +0300
Ralf Hildebrandt wrote:
>
> On Mon, Jan 14, 2002 at 05:34:21PM +0300, Michael Tokarev wrote:
>
> > a work to prevent any harmful antivirus actions. If, according
> > to a structure, a message can't do any bad things, why block it?
>
> Because the bloody Outlook crap might see things (structures)
> differently and thus MAY execute the virus anyway!

As I pointed out earlier, avp detects some real viruses regardless
of content-type and other such environment -- for example, it happily
detects "I-Worm.MTX" virus if encoded/attached in ANY form with ANY
headers (but with correct mime structure, so it is possible from e.g.
outlook to actually do something with a virus except saving it as
a part of some e.g. text to disk). (Do you want to check this for all
known viruses? ;) I.e. Avp "misses" eicar as text/plain, but not
(some) other real viruses. This is one point.

Another point is that -- if there will be a new virus that can do harm
when encoded as text/plain, I'm sure avp will update their virusbases
accordingly. Not sure for another variant -- if there will be a new
version of outlook that will start to execute text/plain attachments
that were safe previously (well, in this case new avp virusbases should
detect such outlook when run on client and cure it by removing it from
machine completely... ;)

Regards,
Michael.