Test your AV with a sample .js JavaScript file. Will your AV let you run it?



After the news story on the front page about "New ransomware variant coded entirely on Javascript, exploits macros", I decided to do a test.


The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into Notepad and saved it as hello.js.

Then double-clicked on hello.js on the desktop and got this prompt:

Capture.JPG

So try it yourself and post the result from your antivirus.

If it runs, you should see a Microsoft JScript compilation error.


I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

On 21/06/2016 at 18:26, DaveLegg said:

> I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

Because the AV is relying on its signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and prompt you if you are sure you want to run the JS file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

 

On 21/06/2016 at 18:45, er0n said:

> A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.
>
> This thread should be deleted to avoid confusion.

I kind of like the fact that my AV "SecureAPlus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

On 21/06/2016 at 18:51, warwagon said:

> I kind of like the fact that my AV "SecureAPlus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

That's not the point.

 

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

 

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

 

Your post suggests that your hello world script is a legitimate test for the effectiveness of an AV. Which it is certainly not!

 

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

On 21/06/2016 at 18:50, er0n said:

> Don't waste your time!

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

On 21/06/2016 at 20:04, purrcher said:

> I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

Great! Good job!

On 21/06/2016 at 20:04, purrcher said:

> I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:
Expand  

Basically. What I did was I opened Notepad++ and pasted the snippet from http://www.eicar.org/86-0-Intended-use.html and then tried saving it as a .js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger....short and pointless.

Running Kaspersky Total Security, and the moment I save the file, it disappears, no error, but I tried it three times with Explorer open in the background and it seems Kaspersky deleted it right away.

ClamAV on Linux picks it up.  If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.

Screenshot from 2016-06-23 21:53:20.png
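
The point in the last post, that detection depends on where the EICAR string sits in the file and not on the file name, can be checked with a short script. This is an added example, not code from any poster in the thread; the function names and sample file names are constructed, and the trailing-whitespace and 128-byte limits are assumptions taken from EICAR's published description of the test file.

```python
"""Classify byte strings against the EICAR test-file rules (added example)."""

# The 68-byte test string quoted in the thread, built from two pieces so
# that this source file does not itself contain the string in one run.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-" + rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption (EICAR's published description): the string must start the
# file, may be followed only by space, tab, LF, CR or Ctrl-Z, and the
# whole file must not exceed 128 bytes.
ALLOWED_TRAILER = b" \t\n\r\x1a"
MAX_LEN = 128


def classify(data: bytes) -> str:
    """Return 'conformant', 'nonconformant', 'embedded' or 'absent'."""
    if data.startswith(EICAR):
        trailer = data[len(EICAR):]
        if len(data) <= MAX_LEN and all(b in ALLOWED_TRAILER for b in trailer):
            return "conformant"      # a product supporting EICAR should flag this
        return "nonconformant"       # string at offset 0, but extra content follows
    if EICAR in data:
        return "embedded"            # string present, not at the start of the file
    return "absent"


def scan(samples: dict[str, bytes]) -> dict[str, str]:
    """Classify each sample by content only; the file name is never consulted."""
    return {name: classify(data) for name, data in samples.items()}


# Constructed samples, kept in memory so nothing is written to disk where
# an on-access scanner could remove it mid-test.
SAMPLES = {
    "eicar.com": EICAR,
    "hello.js": EICAR + b"\r\n",               # Notepad-style trailing newline
    "padded.js": EICAR + b"\n// comment",      # non-whitespace after the string
    "notes.txt": b"see: " + EICAR,             # string not on the first bytes
    "script.js": b'WScript.Echo("hello");',    # ordinary harmless script
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:10} {verdict}")
```

Products differ in how they treat the "nonconformant" and "embedded" cases, so only the "conformant" verdict predicts a detection.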

This topic is now closed to further replies.