Test your AV with a sample .js javascript file. Will your AV let you run it?



After the news story on the front page about New ransomware variant coded entirely on Javascript, exploits macros

 

I decided to do a test.

 

The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into notepad and saved it as hello.js

 

Then double clicked on Hello.js on the desktop and got this prompt

 

[Image: Capture.JPG]

 

So try it yourself and post the result from your antivirus.

 

If it runs, you should see a Microsoft JScript compilation error.

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

  On 21/06/2016 at 18:26, DaveLegg said:

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.


Because the AV is relying on its signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and prompt you if you are sure you want to run the JS file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

 

  On 21/06/2016 at 18:45, er0n said:

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.


I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

  On 21/06/2016 at 18:51, warwagon said:

 

I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?


That's not the point.

 

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

 

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

 

Your post suggests that your hello world script is a legitimate test for the effectiveness of an AV. Which it is certainly not!

 

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

  On 21/06/2016 at 18:50, er0n said:

Don't waste your time!

 


I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


Great! Good job!

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:

Basically, what I did was I opened Notepad++ and pasted the snippet from http://www.eicar.org/86-0-Intended-use.html and then tried saving it as a .js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger....short and pointless.

Running Kaspersky Total Security, and the moment I save the file, it disappears, no error, but I tried it three times with explorer open in the background and it seems Kaspersky deleted it right away.

ClamAV on Linux picks it up.  If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.

Screenshot from 2016-06-23 21:53:20.png
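
The layout condition raised in the last post can be checked in code. This is an added example, not part of the thread: it follows EICAR's intended-use description (linked earlier in the thread), under which a test file starts with the 68-character string and may be padded only with whitespace up to 128 bytes in total. The function names and sample file names are made up for illustration.

```python
# Added example (not from the thread): classify file contents against the
# EICAR test-file layout. Sample inputs below are constructed.

# The 68-byte string quoted in the first post, split so that this source
# file does not contain it as one contiguous run.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" + rb"ANTIVIRUS-TEST-FILE!$H+H*"

# Bytes allowed after the string: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TAIL = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128  # total file length limit, string plus padding


def classify(data: bytes) -> str:
    """Return 'conforming', 'nonconforming' or 'absent' for file contents."""
    if data.startswith(EICAR) and len(data) <= MAX_LEN:
        if all(b in ALLOWED_TAIL for b in data[len(EICAR):]):
            return "conforming"
    # String present but displaced, over-long, or followed by other bytes.
    return "nonconforming" if EICAR in data else "absent"


def classify_samples(samples: dict) -> dict:
    """Map each file name to its classification; the name plays no part."""
    return {name: classify(data) for name, data in samples.items()}


# Constructed samples: the extension varies, only the bytes matter.
SAMPLES = {
    "eicar.com": EICAR,
    "hello.js": EICAR + b"\r\n",             # editor-added trailing newline
    "padded.txt": EICAR + b" " * 61,          # 129 bytes, one over the limit
    "commented.js": b"// " + EICAR,           # string not at offset 0
    "script.js": b'WScript.Echo("hello");',   # ordinary script, no string
}

if __name__ == "__main__":
    for name, verdict in classify_samples(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

A "nonconforming" result means the layout does not oblige a scanner to flag the file, not that no scanner will.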

This topic is now closed to further replies.