Test your AV with a sample .js javascript file. Will your AV let you run it?



After the news story on the front page about "New ransomware variant coded entirely on Javascript, exploits macros"

 

I decided to do a test.

 

The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into Notepad and saved it as hello.js.

 

Then double-clicked on Hello.js on the desktop and got this prompt:

 


 

So try it yourself and post the result for your antivirus.

 

If it runs, you should see a Microsoft JScript compilation error.

 

 

 

 

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

  On 21/06/2016 at 18:26, DaveLegg said:

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.


Because the AV is relying on its signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and prompt you to ask if you are sure you want to run the JS file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

 

  On 21/06/2016 at 18:45, er0n said:

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.


I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

  On 21/06/2016 at 18:51, warwagon said:

 

I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?


That's not the point.

 

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

 

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

 

Your post suggests that your hello world script is a legitimate test for the effectiveness of an AV. Which it is certainly not!

 

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

  On 21/06/2016 at 18:50, er0n said:

Don't waste your time!

 


I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


Great! Good job!

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:

Basically. What I did was I opened Notepad++ and pasted the snippet from http://www.eicar.org/86-0-Intended-use.html and then tried saving it as a .js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger....short and pointless.

Running Kaspersky Total Security, and the moment I save the file, it disappears, no error, but I tried it three times with Explorer open in the background and it seems Kaspersky deleted it right away.

ClamAV on Linux picks it up. If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.
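As an added illustration of that last point (example code written for this page, not from the thread or from any scanner), a small Python checker for the EICAR file format applying the published rules: the 68-byte string at the very start of the file, optionally followed by whitespace, 128 bytes in total at most. The sample "files" are constructed here; the name and extension play no part in the decision.

```python
# Added example, not code from the thread: a checker for the EICAR test-file
# format. Rules: the 68-byte string must begin at byte 0, may be followed only
# by whitespace, and the whole file may not exceed 128 bytes. Extension is
# irrelevant, so hello.js, eicar.com and eicar.txt are the same file to a scanner.

# The string is built from two halves so that this source file is not itself
# a conformant EICAR file (the string has to begin at byte 0 to qualify).
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_LEN = 68            # length of the test string itself
MAX_LEN = 128             # test string plus optional trailing whitespace
TRAILING_OK = b" \t\r\n\x1a"   # space, tab, LF, CR, Ctrl-Z


def is_eicar_file(data: bytes) -> bool:
    """True if `data` is a spec-conformant EICAR test file."""
    if not EICAR_LEN <= len(data) <= MAX_LEN:
        return False
    if data[:EICAR_LEN] != EICAR:          # must start at byte 0
        return False
    # Anything after the 68 bytes may only be whitespace.
    return all(b in TRAILING_OK for b in data[EICAR_LEN:])


def scan(samples: dict) -> dict:
    """Map each name -> content sample to whether a spec-following scanner
    should flag it. The file name is carried along but never inspected."""
    return {name: is_eicar_file(content) for name, content in samples.items()}


# Constructed samples standing in for the files saved in the thread.
SAMPLES = {
    "hello.js": EICAR + b"\r\n",            # Notepad adds a newline: still flagged
    "eicar.com": EICAR,                     # the canonical 68-byte file
    "eicar.txt": EICAR + b" " * 60,         # exactly 128 bytes: still conformant
    "padded.js": EICAR + b" " * 61,         # 129 bytes: no longer conformant
    "script.js": b"WScript.Echo('hi');\r\n" + EICAR,  # string not at byte 0
    "notes.txt": b"just some text\n",       # ordinary file
}

if __name__ == "__main__":
    for name, flagged in scan(SAMPLES).items():
        print(f"{name:10s} {'FLAGGED' if flagged else 'clean'}")
```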

