Make:

I can't seem to sneak it past kaspersky at all, not even in .txt ;)

Reply to this comment

nice try to advertise antivirus... and nice try to show us that u r stupid enough to not understand how ANY antivirus works... or u r thinking we r stupid? It was very funny when u used sygwin (just wrapper on win API).
lol

Reply to this comment

eh way to much visual + audio feedback with avast.

A VIRUS HAS BEEN DETECTED, WHOOP WHOOP WHOOP.

:P

Reply to this comment

J0ker, the point of using Cygwin was to show that there's an interesting difference between the way that Cygwin's mv and Windows's ren are implemented. They are different enough that the Avast! software did not notice the .com file being created by mv (as it did with ren).

Reply to this comment

BOOL MoveFileEx(
LPCTSTR lpExistingFileName,
LPCTSTR lpNewFileName,
DWORD dwFlags
);

dwFlags

MOVEFILE_COPY_ALLOWED If the file is to be moved to a different volume, the function simulates the move by using the CopyFile and DeleteFile functions.

So some antiviruses may or may not detect creation or/and renaming of files to the system detectable executional extension. Actually using windows API u can execute ANY byte sequence. But it actually doesn't matter - any antivirus MUST intercept creation of any process and check it for viruses, so it's impossible to run infected file anyway.

Reply to this comment

Thanks for the background on that, J0ker. What you said confirms my belief that the system is safe even though the infected file exists on the filesystem (and it's definitely going to get caught on the next full scan). Still, I would rather that Avast had caught it on the move (weirdguy mentioned in the first comment that he couldn't get it past Kaspersky).

That said, I didn't set out to point out flaws in the antivirus software I was testing; one of our readers wrote in and wanted to know how to infect a computer so his students could learn how to disinfect it.

Reply to this comment

No flaws have really been pointed out. You just have some data sitting in storage that happens to be malicious (or in this case, a harmles eicar file that does nothing). Code can only be malicious when it is being executed somehow, natively or by interpretation or whatever.

You faked us out. This video didn't show you how to purposefully infect a computer with anything. It showed how to test if your AV software was active and catching things as they run. Nothing was ever infected. Even if you turned off the AV software, nothing was in danger of infection, because eicar is not really a virus.

You haven't shown anyone how to "disinfect" anything. You've shown how to take an already protected system, and see if the system THINKS it is protected (Lets face it, it's possible for a virus to fake it's own eicar warning, but it would be a lot of work). Actually disinfecting a machine would consist of some way of shutting it down, scanning and removing the actual virus, which in this case, there wasn't one.

Reply to this comment

acidrain69, you are right! The whole point of this was to show how to use EICAR to plant a harmless bit of text that will be recognized as malware so that the reader's students can have the experience of removing it from their computer. There is nothing more to it than that.

Everything shown in the video demonstrated how an active antivirus system would react to EICAR. To make his actual exercise effective, the reader who requested this information would need to go further, and do exactly what you suggest. He'd disable his antivirus before planting this string in a variety of places: as a .txt file on the system, in a .com file, embedded in the middle of a .dll, and so forth, and then shut the system down, scan, and remove.

Reply to this comment