Test your AV with a sample .js javascript file. Will your AV let you run it?



After the news story on the front page about New ransomware variant coded entirely on Javascript, exploits macros

 

I decided to do a test.

 

The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into notepad and saved it as hello.js

 

Then double clicked on Hello.js on the desktop and got this prompt

 


 

So try it yourself and post the result from your antivirus.

 

If it runs, you should see a Microsoft JScript compilation error.

 

 

 

 

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

  On 21/06/2016 at 18:26, DaveLegg said:

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.


Because the AV is relying on its signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and prompt you if you are sure you want to run the JS file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

 

  On 21/06/2016 at 18:45, er0n said:

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.


I kind of like the fact that my AV "SecureAPlus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

  On 21/06/2016 at 18:51, warwagon said:

 

I kind of like the fact that my AV "SecureAPlus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?


That's not the point.

 

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

 

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

 

Your post suggests that your hello world script is a legitimate test for the effectiveness of an AV. Which it is certainly not!

 

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

  On 21/06/2016 at 18:50, er0n said:

Don't waste your time!

 


I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


Great! Good job!

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:

Basically. What I did was I opened Notepad++ and pasted the snippet from http://www.eicar.org/86-0-Intended-use.html and then tried saving it as a .js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger....short and pointless.

Running Kaspersky Total Security, and the moment I save the file, it disappears, no error, but I tried it three times with Explorer open in the background and it seems Kaspersky deleted it right away.

ClamAV on Linux picks it up.  If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.
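An added example, not part of any post in this thread: a small checker for the EICAR intended-use rules that the last reply alludes to (the 68-byte string must start the file, may be followed only by space, tab, LF, CR or Ctrl-Z, and the file may not exceed 128 bytes). It shows why the file name or extension plays no part in whether a file counts as the test file; the sample file names and contents are constructed for illustration.

```python
# Added example (not from the thread): classify file contents against the
# EICAR intended-use rules. Sample names and contents are constructed.

# Built from two pieces so this source file is not itself a valid test file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TAIL = b" \t\n\r\x1a"   # space, tab, LF, CR, Ctrl-Z
MAX_LEN = 128                   # maximum total file length in bytes


def classify(data: bytes) -> str:
    """Return how `data` relates to the EICAR test-file definition."""
    if not data.startswith(EICAR):
        # String present but not at offset 0: a scanner is not required
        # to flag this, and many deliberately do not.
        return "embedded" if EICAR in data else "absent"
    if len(data) > MAX_LEN:
        return "too-long"
    tail = data[len(EICAR):]
    if any(byte not in ALLOWED_TAIL for byte in tail):
        return "bad-tail"
    return "valid"


# Constructed samples: the key is only a label, classify() never sees it.
SAMPLES = {
    "eicar.com.txt": EICAR,
    "hello.js": EICAR + b"\r\n",                       # saved with a newline
    "wrapped.js": b"// test\r\n" + EICAR,              # not at start of file
    "script.js": EICAR + b"\r\nWScript.Echo('hi');",   # code after the string
    "padded.txt": EICAR + b" " * 100,                  # 168 bytes in total
    "plain.js": b"WScript.Echo('hello world');",       # ordinary script
}


def report() -> dict:
    """Classify every constructed sample by content alone."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:14} {verdict}")
```

Only the "valid" cases are ones every EICAR-aware product is expected to flag; a product that stays silent on the others is behaving within the definition.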


This topic is now closed to further replies.