EICAR‘s TEST FILE HISTORY
Eddy Willems
EICAR Board Member
Security Evangelist – G DATA Software AG
The 2 most common questions asked:
1. Don’t the anti-virus companies write all the viruses?
2. Will you give me some viruses to test my AV with?
EICAR HISTORY
1990: Inaugural meeting of international experts initiated by Dr. Alan Solomon
1991: On 27 September, EICAR was founded at the Cultural Centre of Auderghem in Brussels, Belgium (amongst those present were Vesselin Bontchev, Frans Veldmann, Tjark Auerbach, Roger Riordan, Paul Ducklin, Alan Solomon, Christoph Fischer, etc. ... and me)
First constitution was put together (also a code of ‘good’ conduct)
CARO (Computer Anti-Virus Research Organisation): an informal group of AV experts that preceded the (more formal) EICAR, founded by a similar set of people
Historic joint project in the early nineties: creation of the EICAR test file by CARO members, published by EICAR
WHAT IS THE EICAR TEST FILE?
Something you should know if you are coming to this conference ...
First of all ... it is not a virus
It’s a tool designed to determine if an antivirus product is installed properly. This is a small .COM file used to test the “effectiveness” and operability of on-access and/or on-demand scanning of an antivirus product.
This tool is an industry recognized testing file.
Gives a feeling of safety: no need to test your package with real viruses, which could cause problems in a production environment ...
WHERE TO FIND IT?
On the EICAR website: www.eicar.org
Included with AV products in the readme files or documentation
On other anti-virus related websites
The purpose of the EICAR test file
according to the original creators:
• Indicate whether AV is installed ‘correctly’
• Show what happens when the AV finds a virus
• Indicate which messages are displayed or logged
• Show how it handles ‘custom warnings’ and notifications to the system admin over the network
EVOLUTION: THE DEFINITION IN SHORT
The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE").
It is also short and simple - in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the test file should detect it in any file providing that the file starts with the following 68 characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
To keep things simple, the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter "O", not the digit zero.
EVOLUTION: PROBLEM 1 - A VIRUS NAMED BAT/BWG.A@MM
Internet worm (not actually In The Wild)
Generated by the construction kit Batch Worm Generator
The most interesting thing about this virus is that it is an attack on the EICAR test file. Bat/Bwg.a@MM starts with the EICAR string, which generates a "File not found" error when the worm is run, but execution goes on. Many AV products misdetected this virus as the EICAR test file when it first appeared.
EVOLUTION: PROBLEM 2 - DISCUSSIONS ON VARIOUS FORUMS
This event created a lot of debate in various anti-virus forums
Proposals were even made to change the file completely
Most AV vendors made their own changes to ensure they detected the EICAR test file properly ... But was an uncoordinated response enough?
EVOLUTION: THE NEW DEFINITION
The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE").
It is also short and simple - in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the test file should detect it in any file providing that the file starts with the following 68 characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The first 68 characters are the known string. They may optionally be followed by any combination of whitespace characters, with the total file length not exceeding 128 characters. The only whitespace characters allowed are space, tab, LF, CR and CTRL-Z.
To keep things simple ...
It was released at the beginning of 2003 and published on the site on May 1, 2003
SUMMARY CUM LAUDE
Close to eradicating risk of EICAR false negatives altogether
Can’t prevent inappropriate use in ways that were never intended => misreading or ignoring the formal specification!
+++
And 2 years later Microsoft asked whether they could include the EICAR test file within their anti-spyware product of that time!
=> So it became an anti-malware test file
FUN PART 1 DOREN ROSENTHAL UTILITIES
Based on a false premise: detection of a real virus = detection of a simulation
Registered version included a real virus!
The AV industry was forced to add detection of a non-virus because some testers were using it for detection testing....
FUN PART 2A SPYCAR
See http://www.spycar.org
Intended to test anti-spyware programs by observing their response to certain behaviours, using non-malicious tools
They illustrate clearly the difference between an installation check file like EICAR and an attempt to create a different kind of tool for evaluating products
In practice: limited use, because vendors can and do write detections based on behaviour as well as static signatures
FUN PART 2B CLOUDCAR
Intended to test the in-the-cloud detection of anti-malware programs
Not a standard
Nobody knows about it …
FUN PART 3 POSTINGS TO ALT.COMP.VIRUS, BUGTRAQ, ETC
The poster (using the handle “keepitsecret”) went on to suggest that “using ESATF ["EICAR Standard Antivirus Test File"] is a cool and legal way to learn how AVs do their job”
Zipped the file, changed some characters ... Results: EICAR_Test ( modified ).
N/D. [the poster’s shorthand for Not Detected or a similar message]
N/D.
EICAR_Test_File.unknown?
N/D.
N/D.
EICAR-AV-TEST-FILE.
N/D.
N/D.
“Only three AVs are aware of the alteration! Are others using the original ESATF string as signature? If so, it's not very clever (should they learn about wildcard strings? For the "fun", they could have searched for the EICAR? pattern!)...”
(Suggests: add NOP, JMP instructions, etc .... Even worse)
He was clearly unaware of the strict specification of the EICAR test file
FUN PART 4 OBSCURITY AND THE CITY OF LIGHT
Final presentation at EICAR 2010 (Paris)
Based on one of the PWN2KILL contest attacks
EICAR file not detected by on-demand scan ... when:
When its bytes are changed
When split into two parts
When the EICAR string is incorporated into data
When cryptographic or polymorphic techniques are used
When characters are added to the file.
What the AV industry would have expected of course ...
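To make the formal definition above concrete, here is an added validator (my own illustration, not EICAR's or any vendor's code) that contrasts the original wording ("starts with the 68 characters") with the 2003 definition (68 characters, optional trailing whitespace, at most 128 bytes), run over constructed samples for the modification cases listed in the talk and in the forum posting: changed bytes, a split file, the string embedded in data, appended characters, and an over-long whitespace trailer.

```python
"""Validator for the EICAR test file, contrasting the original wording
("starts with the 68 characters") with the 2003 definition (68 characters,
optional trailing whitespace, total length at most 128 bytes)."""

# The published 68-character string; the third character is a capital O, not zero.
EICAR_STRING = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_BYTES = EICAR_STRING.encode("ascii")

# Whitespace the 2003 definition allows after the string: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_LENGTH = 128


def matches_original_wording(data: bytes) -> bool:
    """Original definition: any file that starts with the 68 characters."""
    return data.startswith(EICAR_BYTES)


def is_eicar_test_file(data: bytes) -> bool:
    """2003 definition: the 68 characters, then only allowed whitespace, at most 128 bytes."""
    if len(data) > MAX_LENGTH or not data.startswith(EICAR_BYTES):
        return False
    return all(byte in ALLOWED_TRAILER for byte in data[len(EICAR_BYTES):])


# Constructed samples (not real files) covering the modification cases discussed in the talk.
SAMPLES = {
    "exact": EICAR_BYTES,
    "trailing_crlf": EICAR_BYTES + b"\r\n",
    "whitespace_to_128": EICAR_BYTES + b" " * (MAX_LENGTH - len(EICAR_BYTES)),
    "whitespace_over_128": EICAR_BYTES + b" " * 61,
    "zero_instead_of_O": EICAR_BYTES.replace(b"X5O", b"X50", 1),
    "byte_changed": EICAR_BYTES[:40] + b"x" + EICAR_BYTES[41:],
    "first_half_only": EICAR_BYTES[:34],
    "embedded_in_data": b"prefix " + EICAR_BYTES,
    "chars_appended": EICAR_BYTES + b"extra",
    "long_payload_after_string": EICAR_BYTES + b"\r\n" + b"A" * 100,
}


def evaluate_samples() -> dict:
    """Map each sample name to (matches_original_wording, is_eicar_test_file)."""
    return {name: (matches_original_wording(d), is_eicar_test_file(d))
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate_samples().items():
        print(f"{name:28s} original-wording={old!s:5s} 2003-definition={new}")
```

The last sample shows why the 128-byte cap matters: a file that begins with the string and then carries a longer payload (the BAT/BWG.A@MM situation) satisfies the original wording but is not a valid test file under the 2003 definition.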
FUN PART 5 AMTSO STUFF (PART 1)
Feature Setting Check For Desktops
Test if my protection against the manual download of malware (EICAR.COM) is enabled
Test if my protection against a drive-by download (EICAR.COM) is enabled
Test if my protection against the download of a Potentially Unwanted Application (PUA) is enabled
Test if protection against accessing a Phishing Page is enabled
Test if my cloud protection is enabled
FUN PART 5 AMTSO STUFF (PART 2)
Feature Setting Check For Android
Test if my protection against the manual download of malware is enabled
Test if my protection against a drive-by download is enabled
Test if my protection against the download of a Potentially Unwanted Application (PUA) is enabled
Test if protection against accessing a Phishing Page is enabled
Conclusion
• The EICAR test file is intended as an installation check, not for detection testing
• Doesn’t prove that the product is correctly installed and configured
• It’s detected even on platforms where it can’t execute natively (e.g. Mac OS)
• Tight specification: modification = invalidates the test
• You can use it for testing characteristics/issues related to detection, but it is generally inappropriate in a comparative test
• Scanners can behave differently when detecting the EICAR test file and when detecting real malware
And also…
• How your software is or could be deployed locally (and, to a lesser extent, configured)
• Monitoring or demonstrating incident-handling procedures in the context of corporate security
As a tool for comparative evaluation, however, given the limitations imposed by its formal definition, we see little use for it in its present form.
• That doesn’t mean there may not be other ways to create tools for product evaluation, but this possibility is not handled in this presentation.