Test your AV with a sample .js javascript file. Will your AV let you run it?



After the news story on the front page about New ransomware variant coded entirely on Javascript, exploits macros

 

I decided to do a test.

 

The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into notepad and saved it as hello.js

 

Then double clicked on Hello.js on the desktop and got this prompt

 

[Screenshot: Capture.JPG]

 

So try it yourself and post the result for your antivirus.

 

If it runs, you should see a Microsoft JScript compilation error.

 

 

 

 

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

  On 21/06/2016 at 18:26, DaveLegg said:

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.


Because the AV is relying on its signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and ask if you are sure you want to run the .js file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

 

  On 21/06/2016 at 18:45, er0n said:

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.


I kind of like the fact that my AV "Secureaplus" prompts me about any .js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run .js files on the desktop?

  On 21/06/2016 at 18:51, warwagon said:

 

I kind of like the fact that my AV "Secureaplus" prompts me about any .js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run .js files on the desktop?


That's not the point.

 

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

 

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

 

Your post suggests that your hello world script is a legitimate test for the effectiveness of an AV. Which it is certainly not!

 

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

  On 21/06/2016 at 18:50, er0n said:

Don't waste your time!

 


I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


Great! Good job!

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:

Basically. What I did was I opened Notepad++ and pasted the snippet from http://www.eicar.org/86-0-Intended-use.html and then tried saving it as a .js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger... short and pointless.

Running Kaspersky Total Security, and the moment I save the file, it disappears, no error, but I tried it three times with Explorer open in the background and it seems Kaspersky deleted it right away.

ClamAV on Linux picks it up. If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.
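The rule the last two posters rely on (the EICAR string must open the file, and the file name or extension plays no part) can be checked directly. This is an added example, not code from the thread: a Python implementation of the published EICAR convention (68-byte string at offset 0, only whitespace after it, whole file at most 128 bytes), run over constructed sample files whose names and contents are made up for the demo.

```python
# The 68-byte EICAR test string, exactly as quoted in the thread.
# The double backslash is Python escaping for the single backslash in the string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_LEN = 128  # upper bound on file size per the EICAR convention


def is_eicar(data: bytes) -> bool:
    """Apply the EICAR convention: the 68-byte string must open the file,
    anything after it may only be whitespace, and the whole file must be
    at most 128 bytes. The file name and extension are deliberately ignored."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip() == b""


def scan(files: dict) -> list:
    """Return the names of in-memory files that match, in input order."""
    return [name for name, data in files.items() if is_eicar(data)]


# Constructed sample files mirroring the experiments in the thread.
SAMPLES = {
    "hello.js": b"WScript.Echo('hello world');\r\n",   # benign script: no match
    "eicar.js": EICAR + b"\r\n",                         # EICAR saved as .js: match
    "eicar.com.txt": EICAR,                              # canonical download: match
    "notes.txt": b"see " + EICAR,                        # string not at offset 0: no match
    "padded.js": EICAR + b" " * 80,                      # 148 bytes, over the limit: no match
    "trailer.js": EICAR + b"\n// extra\n",               # non-whitespace trailer: no match
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"{name}: EICAR test file detected")
```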

[Screenshot from 2016-06-23 21:53:20.png]
