Test your AV with a sample .js javascript file. Will your AV let you run it?



After the news story on the front page about New ransomware variant coded entirely on Javascript, exploits macros

 

I decided to do a test.

 

The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into notepad and saved it as hello.js

 

Then double clicked on Hello.js on the desktop and got this prompt

 

[Attached image: Capture.JPG]

 

So try it yourself and post your result of your Antivirus.

 

If it runs you should see a Microsoft JScript compilation error.

 

 

 

 

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

  On 21/06/2016 at 18:26, DaveLegg said:

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.


Because the AV is relying on its signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and prompt you if you are sure you want to run the JS file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

 

  On 21/06/2016 at 18:45, er0n said:

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.


I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

  On 21/06/2016 at 18:51, warwagon said:

 

I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?


That's not the point.

 

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

 

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

 

Your post suggests that your hello world script is a legitimate test for the effectiveness of an AV. Which it is certainly not!

 

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

  On 21/06/2016 at 18:50, er0n said:

Don't waste your time!

 


I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


Great! Good job!

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:

Basically. What I did was I opened Notepad++ and pasted the snippet from http://www.eicar.org/86-0-Intended-use.html and then tried saving it as a .js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger....short and pointless.

Running Kaspersky Total Security, and the moment I save the file, it disappears, no error, but I tried it three times with Explorer open in the background and it seems Kaspersky deleted it right away.

ClamAV on Linux picks it up.  If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.

[Attached image: Screenshot from 2016-06-23 21:53:20.png]
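The point made in the last post, that detection depends on the file's content and not its name or extension, as an added example (not code from the thread): a checker for the EICAR test-file format. The 68-character string is the one quoted in the first post; the 128-byte limit and the permitted trailing whitespace follow EICAR's published definition, and the sample file names and contents are constructed.

```python
# Added example: classify file content against the EICAR test-file format.
# Assumption: limits below follow EICAR's published definition of the file
# (68-byte string at offset 0, optional trailing whitespace, <= 128 bytes).

# Split in two so this source file does not itself contain the full string.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
         + rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
MAX_LEN = 128
ALLOWED_TRAILING = b" \t\n\r\x1a"  # space, tab, LF, CR, Ctrl-Z


def classify(data: bytes) -> str:
    """Return 'conforming', 'embedded' or 'absent' for a file's content."""
    if data.startswith(EICAR):
        tail = data[len(EICAR):]
        if len(data) <= MAX_LEN and all(b in ALLOWED_TRAILING for b in tail):
            return "conforming"   # a supporting product should flag this
        return "embedded"         # starts correctly but breaks the limits
    # String present elsewhere in the file: outside the definition, so
    # whether it is flagged is up to the individual product.
    return "embedded" if EICAR in data else "absent"


# Constructed samples: the file name plays no part in the result.
SAMPLES = {
    "hello.js": EICAR,
    "eicar.com.txt": EICAR + b"\r\n",
    "commented.js": b"// test\r\n" + EICAR,
    "padded.js": EICAR + b" " * 100,
    "hello_world.js": b'WScript.Echo("Hello world");',
}


def scan(samples: dict) -> dict:
    """Map each constructed file name to its classification."""
    return {name: classify(content) for name, content in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:16} {verdict}")
```
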

This topic is now closed to further replies.