One fun (and very interesting) string is EICAR[0]. I worked for an antivirus company once and we had the EICAR string for testing but couldn't check it into source control because it triggered the AV software which we dogfooded...

Is it naughty to include it here?


[0] https://en.wikipedia.org/wiki/EICAR_test_file

I've submitted a PR [0] that also includes SpamAssassin's GTUBE [1], which is designed to do a similar thing.

[0] https://github.com/minimaxir/big-list-of-naughty-strings/pul... [1] http://spamassassin.apache.org/gtube/

Aw, Sophos on OS X doesn't think it's a threat.

Without giving too much away, I was sufficiently surprised by that that I downloaded the Sophos for Mac Home Edition. It does recognise it.

Here's what I get: http://i.imgur.com/JQzVsQf.png

This was picked up by the on-access scanner and a manual scan. The Web Protection doesn't complain about the text in a page (rightly or wrongly).

Are you using a centrally managed version (i.e. not Home Edition)?

Interestingly, I found what caused the false negative. If I used Vim to create the file, it was picked up. If I "echo ...EICAR > text.txt" it doesn't get picked up, at least not immediately!

The on-access scanner intercepts requests to open files, and scans them. Echo just writes to the file and closes it. It doesn't try to open it again once the EICAR string is in there. I'm speculating here, but Vim probably writes the file/buffer, flushes, and then tries to obtain a file handle to it. At that point an on-access scan will occur, and it will find the EICAR string.

A scheduled scan would pick this up eventually.

Fun times indeed. Windows Defender picks up a test.txt with those contents as malicious (and closes the file handle, causing Notepad to misbehave), but if you add a space between EI and CAR it doesn't see anything.

Edit: Seriously, Microsoft?

Category: Virus

Description: This program is dangerous and replicates by infecting other files.

Recommended action: Remove this software immediately.

Items: file:C:\Users\Adam\Desktop\test.txt

Microsoft is doing the right thing. The whole point of that string is to trigger such behaviour. It's so you can use it to test that your antivirus is working.

Should it really tell the user that it's a dangerous file? Although if it didn't, malicious files could use that to their advantage.

Yes. Otherwise the only way to verify an anti-malware system is working is with something actually malicious. So, you know, that's a bad plan. Think of system administrators deploying and validating a security package.

From the same Wikipedia article:

>Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in exactly the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured.
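A checker for the EICAR test-file convention the quoted paragraph refers to, which also reproduces the echo, "EI CAR" and embedded-string situations raised earlier in the thread. This is an added example written for this page, not code from the thread, from any vendor or from eicar.org; the rules it encodes (68-byte string at offset 0, optional whitespace tail, 128-byte maximum) follow the published eicar.org description, and the sample inputs are constructed.

```python
"""Checker for the EICAR test-file convention (constructed example, not code
from the thread or from any vendor).

Per the eicar.org description: the 68-byte test string must be the very start
of the file, may be followed only by whitespace (space, tab, LF, CR, Ctrl-Z),
and the whole file must be at most 128 bytes. Anything else is outside the
convention, so a scanner that ignores it is not necessarily broken.
"""

# The public EICAR test string (harmless by design). The backslash before
# "PZX" is a literal backslash in the string, hence the doubled "\\".
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
         b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
ALLOWED_TAIL = set(b" \t\n\r\x1a")  # whitespace permitted after the string
MAX_LEN = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True only if `data` is a conformant EICAR test file."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TAIL for b in data[len(EICAR):])


def explain(data: bytes) -> str:
    """Short reason for the verdict, handy when a scanner's result surprises you."""
    if is_eicar_test_file(data):
        return "conformant"
    if data.startswith(EICAR):
        return "too long" if len(data) > MAX_LEN else "non-whitespace after the string"
    if EICAR in data:
        return "string not at offset 0"
    return "exact 68-byte string absent"


def thread_cases() -> dict:
    """The situations discussed in the thread, as constructed inputs."""
    return {
        # `echo ... > test.txt` appends a newline: still conformant.
        "echo_with_newline": explain(EICAR + b"\n"),
        # A space between "EI" and "CAR" means the exact string is gone.
        "ei_space_car": explain(EICAR.replace(b"EICAR", b"EI CAR", 1)),
        # String buried mid-file, e.g. one entry in a larger list of strings.
        "embedded_in_list": explain(b'["foo",\n"' + EICAR + b'"]\n'),
        # Padding past 128 bytes is outside the convention.
        "too_long": explain(EICAR + b" " * 61),
    }
```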

