Analyzing the EICAR-GTUBE_Generator with a common multi-anti-virus platform like VirusTotal, it seems that no AV recognizes the EICAR-GTUBE_Generator as an EICAR generator (so, in some way, a malware generator): here is the proof:
Now, my question is: do the AVs truly analyze the EICAR signature, or do they just apply simple pattern matching?
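To make the "signature vs. simple pattern matching" question concrete, here is an added example (my own code, not the EICAR-GTUBE_Generator and not any AV engine's logic). It assembles the public 68-byte EICAR test string from two halves, so the script itself never contains the contiguous pattern (which is also why a generator's source file shows nothing to a signature scanner), and then compares a naive "substring anywhere" check against the stricter rule published by eicar.org: the file must start with the 68-byte string, be at most 128 bytes long, and anything after the string may only be space, tab, CR, LF or CTRL-Z. The sample inputs are constructed for the demonstration.

```python
"""EICAR test-file check: naive substring match vs. the eicar.org specification.
Added example; not code from the original post or from any AV product."""

# The 68-byte test string is built from two halves so that this source file
# does not itself embed the full pattern (the same reason a generator's
# source is not flagged: the signature only exists in its output).
EICAR_PART1 = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_PART2 = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = EICAR_PART1 + EICAR_PART2
assert len(EICAR) == 68

# Trailing bytes allowed after the string per eicar.org: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILER = set(b" \t\n\r\x1a")
MAX_LEN = 128


def contains_eicar_substring(data: bytes) -> bool:
    """Naive pattern matching: flags any blob that embeds the string anywhere."""
    return EICAR in data


def is_eicar_test_file(data: bytes) -> bool:
    """Strict check following the published EICAR rules:
    starts with the 68-byte string, total length <= 128 bytes,
    and only whitespace/CTRL-Z after the string. Case sensitive."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


def build_eicar(trailer: bytes = b"\r\n") -> bytes:
    """What a generator would write to EICAR.com (constructed sample)."""
    return EICAR + trailer


def classify(data: bytes) -> str:
    """Label a blob the way a scanner that understands the spec would."""
    if is_eicar_test_file(data):
        return "EICAR test file"
    if contains_eicar_substring(data):
        return "embeds EICAR string but is not a valid test file"
    return "no EICAR signature"


# Constructed samples: a generated test file, the generator's own source text
# (pattern split in two, as above), and blobs that only embed the string.
SAMPLES = {
    "generated EICAR.com": build_eicar(),
    "generator source": b"EICAR = b'" + EICAR_PART1 + b"' + b'" + EICAR_PART2 + b"'\n",
    "string inside a larger file": b"MZ\x90\x00" + EICAR + b"\x00" * 16,
    "string followed by non-whitespace": EICAR + b"payload",
    "lowercase copy": EICAR.lower(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:36s} substring={contains_eicar_substring(blob)!s:5s} "
              f"strict={is_eicar_test_file(blob)!s:5s} -> {classify(blob)}")
```

Run as-is to see the table. The "generator source" row is the point of the post: a pure signature scanner has nothing to match until the generator actually writes its output, so VirusTotal staying silent on the generator says nothing about whether the engines understand the EICAR rules; the last three rows are where a spec-aware check and a substring check disagree.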
On the other hand, analyzing the resulting file EICAR.com is more fun:
First of all, Prevx.com does not recognize the EICAR file. That is very interesting to me. They claim to be:
“PC and Internet Security powered by the World’s largest real time threat database…”
But they don't recognize one of the most famous strings in the AV community. So guys, are you sure you have the world's largest DB? Maybe you need a bit of a "back to easy stuff" policy?
Anyway, the second interesting thing is Microsoft AV, which recognizes EICAR but as a virus (in fact the label starts with "Virus:"). That is technically wrong. All the other tested AVs did a good job labeling EICAR as a warning/test file. Why does Microsoft recognize EICAR as a virus and not as a standard test file? Maybe this is just the tip of an iceberg of wrong pattern recognition in Microsoft AV? I'll check it out soon!