|
"When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?". I'm paraphrasing a question I've been asked a couple of times. The answer depends on the sample file and the antivirus. To illustrate this question, I made a sample file: a ZIP file containing the EICAR antivirus test file and mimikatz.exe. The EICAR file appears first:
The different antivirus programs I'm familiar with, will report just one detection: EICAR or mimikatz. Like ClamAV:
Here we can see that ClamAV detects EICAR, and not mimikatz. This is because of performance reasons, ClamAV will stop scanning a file after the first detection. However, ClamAV has an option to make it continue scanning after a match:
Using this option makes that ClamAV reports EICAR and mimikatz:
Do you know antivirus programs with a similar option? Please post a comment!
Didier Stevens |
DidierStevens 597 Posts ISC Handler May 17th 2020 |
| Thread locked Subscribe |
May 17th 2020 1 year ago |
|
I have never seen this always the AV shows the two malicious files.
|
MESAYED 1 Posts |
| Quote |
May 18th 2020 1 year ago |
|
Hello.
What does VirusTotal say about your file? |
S3cN3tSys 3 Posts |
| Quote |
May 18th 2020 1 year ago |
|
Click on the first link in my diary entry and you'll see VT's analysis.
|
DidierStevens 597 Posts ISC Handler |
| Quote |
May 18th 2020 1 year ago |
|
Hi.. Now I'm interested.. Mainly free Avast (private user and trying to keep up where we "good guys" stand..
I'm just a single user (admin, 6 comps, including sandbox juat to pass time) But this was awakening for a while... I'll need to check my comps for a possible breach.. Alienvault OSSIM/SIEM employed, but need to restrict somethin.. Ty for sharing. |
Teemu 10 Posts |
| Quote |
May 18th 2020 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
