Test your AV with a sample .js javascript file. Will your AV let you run it?


After the news story on the front page about New ransomware variant coded entirely on Javascript, exploits macros

I decided to do a test.

The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into notepad and saved it as hello.js

Then double clicked on Hello.js on the desktop and got this prompt

[screenshot of the prompt]

So try it yourself and post the result from your antivirus.

If it runs, you should see a Microsoft JScript compilation error.
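The procedure above in script form, as an added example that is not the original poster's code or anything else from this thread. It assembles the 68-byte EICAR string from two halves (so the script's own source never holds the complete signature), checks a candidate file body against the rules eicar.org publishes for the test file (the string at byte 0, only whitespace after it, at most 128 bytes in total), writes it out under a chosen extension and reports whether the file is still on disk once the on-access scanner has had a moment to react. It only writes the file and never runs it, so the JScript compilation error mentioned above does not arise. The function names, the `eicar_test` file name and the constructed trailer samples are this example's own assumptions, not anything from the thread or from eicar.org.

```python
"""Build, validate and drop the EICAR anti-malware test file.

Added example; not code from the forum thread. Assemble the published
68-byte EICAR string, check a file body against the eicar.org rules for
the test file, write it under a chosen extension (.js in the thread) and
report whether it survives the on-access scanner. The file is never run.
"""
import hashlib
import os
import tempfile
import time
from typing import Optional

# The 68-character string, split in two so the complete signature only exists
# in memory at run time; otherwise a scanner may quarantine this .py file.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STAND",
    "ARD-ANTIVIRUS-TEST-FILE!$H+H*",
)

# Whitespace eicar.org permits after the string: space, tab, LF, CR, CTRL-Z.
_ALLOWED_TRAILER = b" \t\n\r\x1a"
_MAX_LEN = 128  # total file length allowed by the published rules


def eicar_string() -> bytes:
    """Return the canonical 68-byte EICAR string."""
    return "".join(_EICAR_PARTS).encode("ascii")


def is_valid_eicar(data: bytes) -> bool:
    """True if `data` is an EICAR test file under the published rules.

    The string must start at byte 0 (renaming the file or changing its
    extension does not matter, prefixing anything does), everything after it
    must come from the allowed whitespace set, and the file is at most 128 bytes.
    """
    sig = eicar_string()
    if len(data) > _MAX_LEN or not data.startswith(sig):
        return False
    return all(byte in _ALLOWED_TRAILER for byte in data[len(sig):])


def drop_test(directory: Optional[str] = None, extension: str = ".js",
              settle_seconds: float = 2.0) -> dict:
    """Write the test file into `directory` with `extension` and report the outcome.

    A real-time scanner usually reacts in one of two ways: it refuses the write
    outright (an OSError such as PermissionError) or it quarantines the file a
    moment later, so we wait `settle_seconds` before looking again. The result
    carries the SHA-256 of what was written so it can be matched against the
    scanner's own log entry. `eicar_test` is this example's own file name.
    """
    data = eicar_string()
    directory = directory or tempfile.mkdtemp(prefix="eicar-")
    path = os.path.join(directory, "eicar_test" + extension)
    outcome = {"path": path, "sha256": hashlib.sha256(data).hexdigest(),
               "size": len(data), "valid": is_valid_eicar(data)}
    try:
        with open(path, "wb") as handle:
            handle.write(data)
    except OSError as exc:               # scanner blocked the write itself
        outcome["result"] = "blocked_on_write: %s" % exc
        return outcome
    time.sleep(settle_seconds)
    if os.path.exists(path):
        outcome["result"] = "survived"   # nothing on this host reacted
        try:
            os.remove(path)              # tidy up; the point was only to observe
        except OSError:
            pass
    else:
        outcome["result"] = "removed"    # quarantined or deleted by the scanner
    return outcome


if __name__ == "__main__":
    # Same bytes under three extensions: a signature-based scanner should
    # treat them identically, which is what the later replies describe.
    for ext in (".js", ".com", ".txt"):
        print(drop_test(extension=ext))
```

On a machine with no scanner every drop reports `survived`; with an on-access scanner installed you should see `removed` or `blocked_on_write`, and the SHA-256 in the output is the value to look for in the scanner's quarantine log.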

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

  On 21/06/2016 at 18:26, DaveLegg said:

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

Because the AV is relying on its signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and ask if you are sure you want to run the JS file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

This thread should be deleted to avoid confusion.

 

  On 21/06/2016 at 18:45, er0n said:

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

This thread should be deleted to avoid confusion.

I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

  On 21/06/2016 at 18:51, warwagon said:

I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

That's not the point.

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

Your post suggests that your hello world script is a legitimate test for the effectiveness of an AV, which it certainly is not!

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

  On 21/06/2016 at 18:50, er0n said:

Don't waste your time!

I actually decided to use the EICAR test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

Great! Good job!

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:

Basically. What I did was open Notepad++, paste the snippet from http://www.eicar.org/86-0-Intended-use.html and then try saving it as a .js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger... short and pointless.

Running Kaspersky Total Security, and the moment I save the file it disappears with no error. I tried it three times with Explorer open in the background and it seems Kaspersky deleted it right away.

ClamAV on Linux picks it up. If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.

[screenshot, 2016-06-23]

This topic is now closed to further replies.