Last Updated: 2020-05-17 21:08:39 UTC
by Didier Stevens (Version: 1)
"When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?".
I'm paraphrasing a question I've been asked a couple of times.
The answer depends on the sample file and the antivirus.
In my sample file, the EICAR test string appears first, followed by mimikatz:
The different antivirus programs I'm familiar with will report just one detection: EICAR or mimikatz, not both.
Here we can see that ClamAV detects EICAR, and not mimikatz. This is done for performance reasons: by default, ClamAV stops scanning a file after the first detection, so which signature gets reported depends on which one is encountered first. However, ClamAV has an option (--allmatch, short form -z, for clamscan and clamdscan) to make it continue scanning after a match:
With this option, ClamAV reports both EICAR and mimikatz:
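To make the stop-at-first-match behaviour concrete, here is an added example (not code from the diary or from ClamAV). It implements a toy multi-signature scanner with a flag that mimics clamscan's default versus its --allmatch mode, and builds a helper that runs the real clamscan with that option if it happens to be installed. The second signature, "Demo.Marker.Mimikatz" matching a constructed marker string, is a stand-in for the real mimikatz signature and is purely hypothetical; only the EICAR string is real. The EICAR string is assembled from two halves at runtime so that this source file itself does not trip an antivirus.

```python
"""Toy illustration of first-match vs. all-match antivirus scanning.

Added example: the signature table and sample file are constructed for this
demonstration and do not reflect ClamAV's real signature database.
"""
import os
import re
import shutil
import subprocess
import tempfile

# The official 68-byte EICAR test string, split in two so the source file is
# not itself flagged; it is only ever complete in memory (or in a temp file).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical signature table. "Demo.Marker.Mimikatz" is NOT a real mimikatz
# signature; it is a constructed marker standing in for one.
SIGNATURES = {
    "Eicar-Test-Signature": EICAR,
    "Demo.Marker.Mimikatz": b"DEMO-SECOND-SIGNATURE-MARKER",
}

FILLER = b"\x00" * 64  # padding between the two embedded signatures


def build_sample(eicar_first: bool = True) -> bytes:
    """Constructed sample file containing both signatures, in either order."""
    marker = SIGNATURES["Demo.Marker.Mimikatz"]
    parts = (EICAR, marker) if eicar_first else (marker, EICAR)
    return parts[0] + FILLER + parts[1]


def scan(data: bytes, allmatch: bool = False) -> list[str]:
    """Return matching signature names in file order.

    With allmatch=False the scanner stops after the first hit, which is the
    performance shortcut described above: only the signature that occurs
    earliest in the file is reported. With allmatch=True every hit is reported.
    """
    found = []
    for name, pattern in SIGNATURES.items():
        offset = data.find(pattern)
        if offset != -1:
            found.append((offset, name))
    found.sort()  # order by offset, i.e. the order a linear scan meets them
    names = [name for _, name in found]
    return names if allmatch else names[:1]


def clamscan_command(path: str, allmatch: bool = False) -> list[str]:
    """Command line for the real clamscan; --allmatch keeps scanning after a match."""
    cmd = ["clamscan", "--no-summary"]
    if allmatch:
        cmd.append("--allmatch")
    cmd.append(path)
    return cmd


# clamscan reports one "<path>: <signature> FOUND" line per detection.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")


def parse_clamscan_output(text: str) -> list[str]:
    """Extract the signature names from clamscan's FOUND lines."""
    sigs = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            sigs.append(m.group("sig"))
    return sigs


def scan_with_clamav(data: bytes, allmatch: bool = False):
    """Scan the bytes with a locally installed clamscan, or return None if absent.

    The sample is written to a temporary file because clamscan scans paths;
    it is deleted again afterwards. Exit status 1 means "infected", so the
    return code is deliberately not treated as an error.
    """
    if shutil.which("clamscan") is None:
        return None
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as fh:
        fh.write(data)
        path = fh.name
    try:
        proc = subprocess.run(clamscan_command(path, allmatch),
                              capture_output=True, text=True)
        return parse_clamscan_output(proc.stdout)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for order in (True, False):
        sample = build_sample(eicar_first=order)
        print("EICAR first" if order else "marker first",
              "| first match only:", scan(sample),
              "| allmatch:", scan(sample, allmatch=True))
    real = scan_with_clamav(build_sample(), allmatch=True)
    print("clamscan --allmatch:", real if real is not None else "clamscan not installed")
```

Run it as a script: the toy scanner shows the reported name flipping with the order of the signatures in the file when only the first match is kept, and both names appearing with allmatch. If clamscan is installed, the last line shows what the real engine reports for the EICAR string with --allmatch (the hypothetical marker will of course not be detected there).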
Do you know antivirus programs with a similar option? Please post a comment!