Test your AV with a sample .js javascript file. Will your AV let you run it?


Recommended Posts

After the news story on the front page about New ransomware variant coded entirely on Javascript, exploits macros

 

I decided to do a test.

 

The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into notepad and saved it as hello.js

 

Then double clicked on Hello.js on the desktop and got this prompt

 

Capture.JPG.b767027a7445b81bac9ca6acc16d

 

So try it yourself and post your result of your Antivirus.

 

if it runs you should see a Microsoft JScript Compilation error

 

 

 

 

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

  On 21/06/2016 at 18:26, DaveLegg said:

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

Expand  

Because the AV is relying on it's signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and prompt you if you are sure you want to run the JS file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

 

  On 21/06/2016 at 18:45, er0n said:

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

Expand  

I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period.  If the AV you've described hasn't gotten the definition file yet, it allows it to run,. When are regular users needing to run js files on the desktop?

  On 21/06/2016 at 18:51, warwagon said:

 

I kind of like the fact that my AV "Secureaplus" prompts me about any js file, period.  If the AV you've described hasn't gotten the definition file yet, it allows it to run,. When are regular users needing to run js files on the desktop?

Expand  

That's not the point.

 

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

 

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

 

Your posts suggests that your hello world script is a legitimate test for the effectiveness of an AV. Which it is certainly not!

 

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

  On 21/06/2016 at 18:50, er0n said:

Don't waste your time!

 

Expand  

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

Expand  

Great! Good job!

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

Expand  

http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:
Expand  

basically. What I did was I opened Notepad++ and pasted the sniped from http://www.eicar.org/86-0-Intended-use.html and then tried saving it as a ,js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger....short and pointless.

Running Kaspersky Total Security, and the moment I save the file, it disappears, no error, but I tried it three times with explorer open in the background and it seems kaspsersky deleted it right away.

ClamAV on Linux picks it up.  If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.

Screenshot from 2016-06-23 21:53:20.png

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • keep in mind some things like chrome look at this setting to disable some animations in browsers... its an accessibility thing
    • I always disable animations in Windows using sysdm.cpl and yes, it feels faster. I have also reduced animations in my android phone using dev options.
    • Neowin's servers (hosted in the UK).
    • MacOS isn't Linux, but Proton is modified WINE, and WINE runs on MacOS. They would just need to add something like Box86 or Rosetta support.
    • PicPick 7.4.0 by Razvan Serea PicPick is user friendly and full of features for creating your image, suitable for software developers, graphic designers and the home user. It is an all-in-one program that provides a full-featured screen capture tool, intuitive image editor, color picker, color palette, pixel ruler, protractor, crosshair and even whiteboard. It not only has everything that you need, but it loads fast, and sits quietly in the system tray until needed. This software is provided as freeware for personal use only. In this case, you are granted the right to use this program free of charge. Otherwise, you need to pay for a license for commercial use. PicPick key features: For All Windows (Fully support Windows 11, 10, 8.1, 8, 7, Vista and XP both 32-bit and 64-bit) Multi-language is supported. (MORE 28+) All functions are fully supported on a dual screen environment. No Registry, No access to System folder (you can copy these files to portable USB) Screen Capture Auto-scroll, dual monitors and sound effect are supported Various output to File, Printer, Office programs, External program Sharing to FTP, Web, E-mail, Facebook and Twitter are supported as well Full Screen Active Window Window Control Scrolling Window Region, Fixed Region FreeHand Repeat Last Capture Image Editor Intuitive User Interface Windows Ribbon style Standard drawing, shapes, arrows, lines, text, and etc. Blur, sharpen, hue, contrast, brightness, pixelate, rotate, flip, frame effect and etc. Color Picker and Color Palette various color code type (RGB, HTML, C++, Delphi) Photoshop style RGB/HSV conversion is supported. Pick and Save your favorite color! Screen Pixel Ruler Horizontal and vertical orientation various units (Pixels, Inches, Centimeters) DPI setting (72, 96, 120, 300) colorful gradient skins You don't have to install any other screen ruler softwares. Screen Magnifier Zoom 2x to 10x option Stay on top, smooth display, and sizeable window Screen Protractor Have you seen any screen protractor function in other software? Screen Crosshair For aligning objects in graphics or design applications For calculating relative coordinates on screen Some prefer to use this tool than a pixel-ruler. Whiteboard For giving a presentation or just drawing something on screen PicPick 7.4.0 changelog: Added support for saving in WebP file format Added horizontal scrolling in the Image Editor with Shift and mouse wheel Fixed control capture failing to detect specific windows Fixed focus loss during delayed active-window captures. Download: PicPick 7.4.0 | 74.9 MB (Free for personal use only) Download: Portable PicPick 7.4.0 | 73.3 MB View: PicPick Home page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
  • Recent Achievements

  • Popular Contributors

    1. 1
      +primortal
      651
    2. 2
      Michael Scrip
      224
    3. 3
      ATLien_0
      222
    4. 4
      Xenon
      146
    5. 5
      +FloatingFatMan
      142
  • Tell a friend

    Love Neowin? Tell a friend!