Test your AV with a sample .js javascript file. Will your AV let you run it?



After the news story on the front page about "New ransomware variant coded entirely on Javascript, exploits macros", I decided to do a test.

 

The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into notepad and saved it as hello.js

 

Then double clicked on Hello.js on the desktop and got this prompt

 

[Image: Capture.JPG]

 

So try it yourself and post the result from your antivirus.

If it runs, you should see a Microsoft JScript Compilation error.

 

 

 

 

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

  On 21/06/2016 at 18:26, DaveLegg said:

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.


Because the AV is relying on its signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and prompt you if you are sure you want to run the JS file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

 

  On 21/06/2016 at 18:45, er0n said:

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.


I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

  On 21/06/2016 at 18:51, warwagon said:

 

I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?


That's not the point.

 

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

 

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

 

Your post suggests that your hello world script is a legitimate test for the effectiveness of an AV. Which it is certainly not!

 

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

  On 21/06/2016 at 18:50, er0n said:

Don't waste your time!

 


I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


Great! Good job!

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:

Basically, what I did was I opened Notepad++ and pasted the snippet from http://www.eicar.org/86-0-Intended-use.html and then tried saving it as a .js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger....short and pointless.

Running Kaspersky Total Security, and the moment I save the file, it disappears, no error, but I tried it three times with Explorer open in the background and it seems Kaspersky deleted it right away.

ClamAV on Linux picks it up.  If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.

Screenshot from 2016-06-23 21:53:20.png

This topic is now closed to further replies.
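
Added example, not part of the thread or any poster's code: a Python check of a file's bytes against the conformance rules EICAR publishes for its test file (the file starts with the 68-byte string, may be followed only by whitespace, and is at most 128 bytes in total), which shows why the file name or extension plays no part. The function name and the sample inputs are constructed for illustration.

```python
# Added example: classify a buffer against EICAR's published conformance rules.
# The test string is assembled from two halves so that this script does not
# itself contain the full 68-byte string and get quarantined when saved.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" +
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
ALLOWED_TRAILING = b" \t\n\r\x1a"   # space, tab, LF, CR, Ctrl-Z
MAX_TOTAL_LEN = 128                 # test string plus trailing whitespace


def classify_eicar(data: bytes) -> str:
    """Return 'conforming', 'nonconforming' or 'absent' for a file's bytes."""
    if EICAR not in data:
        return "absent"
    if not data.startswith(EICAR):
        return "nonconforming"      # string present, but not at offset 0
    if len(data) > MAX_TOTAL_LEN:
        return "nonconforming"      # too long, even if the tail is whitespace
    tail = data[len(EICAR):]
    if any(byte not in ALLOWED_TRAILING for byte in tail):
        return "nonconforming"      # other content follows the test string
    return "conforming"


# Constructed sample inputs: what different ways of saving hello.js produce.
SAMPLES = {
    "exact 68 bytes": EICAR,
    "editor added CRLF": EICAR + b"\r\n",
    "comment line first": b"// test\r\n" + EICAR,
    "script appended": EICAR + b"\r\nWScript.Echo('hi');",
    "padded to 129 bytes": EICAR + b" " * 61,
    "plain hello world": b"WScript.Echo('hello');",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22} {len(blob):4d} bytes  {classify_eicar(blob)}")
```

A scanner may still flag a "nonconforming" buffer; the rules only define the case in which detection is expected, so that is the case to use when checking whether on-access scanning is active.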