Hi folks, today I wanna show these two easy experiments made by using the new version of “Quick’n Dirty” EICAR-GTUBE-Generator0.1. I know that EICAR file it’s only a test file and it is not supposed to be recognized inside other files, BUT for some reasons some AVs do that. Analyzing this file we can analyze the AV’s detection chain (as already explained in some past posts ) and maybe find some incompleteness.
Exp 1. Hiding EICAR file in the JPG header

Most AVs (but not all … ) detect EICAR file even if embedded into the JPG header. Some main AV companies like AVAST, McAfee and Microsoft dont (why they cannot detect it ?).
2) Hiding EICAR file in the JPG tail:

Surprisingly only two AV companies detect it. My best compliments to Authentium and F-Port. So why Authentium and F-Port can detect EICAR even if hidden in the JPG’tail and other AV companies cannot ? What’s the difference between their detection chain ?
I’ll ask directly to these people during this week, I’ll be back with some answers … hopefully.

Published by marcoramilli

Ethical Hacking, Advanced Targeted Attack Expert and Malware Evasion Expert

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.