Test your AV with a sample .js javascript file. Will your AV let you run it?



After the news story on the front page about New ransomware variant coded entirely on Javascript, exploits macros

 

I decided to do a test.

 

The EICAR anti-malware test file was developed by the European Institute for EICAR. The EICAR test file is a legitimate DOS program that is detected as malware by anti-virus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Pasted it into notepad and saved it as hello.js

 

Then double clicked on Hello.js on the desktop and got this prompt

 


 

So try it yourself and post the result from your antivirus.

 

If it runs, you should see a Microsoft JScript compilation error.

 

 

 

 

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.

  On 21/06/2016 at 18:26, DaveLegg said:

I imagine most AV software wouldn't care, as it's clearly not malicious code that's going to trigger any of their heuristic scanning. There's not going to be any signatures that match such a simple and harmless script either. This is basically a useless test.


Because the AV is relying on its signatures to detect what's going to run inside the .js file, as a good rule of thumb an AV should stop and prompt you if you are sure you want to run the JS file.

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.

 

  On 21/06/2016 at 18:45, er0n said:

A good AV will not detect this file as malicious. The file is NOT malicious, so any prompts are false positives, which confuse users and affect productivity in the workplace.

 

This thread should be deleted to avoid confusion.


I kind of like the fact that my AV "SecureAPlus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?

  On 21/06/2016 at 18:51, warwagon said:

 

I kind of like the fact that my AV "SecureAPlus" prompts me about any js file, period. If the AV you've described hasn't gotten the definition file yet, it allows it to run. When are regular users needing to run js files on the desktop?


That's not the point.

 

MOST people aren't security-savvy enough to know whether they should allow the file to run or not. Most scripts will be legitimate so the user will have to approve them in order to do what they want. They end up with alert-fatigue and will probably just approve everything.

 

MOST AVs have the ability to configure detection prompts for scripts or even unknown files.

 

Your post suggests that your hello world script is a legitimate test for the effectiveness of an AV. Which it is certainly not!

 

Edit: And if you're convinced that users don't need to run these scripts, just disable the ability to execute them in Windows https://technet.microsoft.com/en-us/library/ee198684.aspx

  On 21/06/2016 at 18:50, er0n said:

Don't waste your time!

 


I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


Great! Good job!

  On 21/06/2016 at 20:04, purrcher said:

I actually decided to use the eicar test text instead and see what would happen. That was always caught as soon as I saved it as a .js file.


http://www.eicar.org/download/eicar.com.txt

  On 21/06/2016 at 20:09, xendrome said:

Basically. What I did was I opened Notepad++ and pasted the snippet from http://www.eicar.org/86-0-Intended-use.html and then tried saving it as a .js file.

This is well known by all antivirus products, and is nothing new. Of course they're going to catch it! If they didn't, then I'd be worried! Therefore, this thread is like a midget without an index finger....short and pointless.

Running Kaspersky Total Security, and the moment I save the file, it disappears, no error, but I tried it three times with Explorer open in the background and it seems Kaspersky deleted it right away.

ClamAV on Linux picks it up.  If I recall correctly though, the EICAR test file should get picked up by just about any antivirus regardless of what you name it or what extension you give it, as long as that string of text is the first line of the file.


This topic is now closed to further replies.
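
As an added example (not code from any poster in this thread), the Node.js code below checks a file's bytes against the rules EICAR publishes for its test file: the 68-byte string must sit at offset 0, may be followed only by space, tab, LF, CR or Ctrl-Z, and the whole file may not exceed 128 bytes. `classifyEicar`, `classifyAll` and the sample file names are hypothetical, the inputs are constructed, and individual scanners may match more loosely than these rules.

```javascript
'use strict';

// The test string is assembled from two halves so that this source file
// is not itself quarantined by an on-access scanner.
const EICAR = Buffer.from(
  'X5O!P%@AP[4\\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*',
  'latin1'
);
const MAX_LEN = 128; // maximum total file length allowed by the EICAR rules
// Only these bytes may follow the string: space, tab, LF, CR, Ctrl-Z.
const ALLOWED_TRAILING = new Set([0x20, 0x09, 0x0a, 0x0d, 0x1a]);

// Classify a buffer. The file name and extension play no part in the decision.
function classifyEicar(buf) {
  const at = buf.indexOf(EICAR);
  if (at === -1) return 'absent';
  if (at !== 0) return 'embedded-not-at-start';
  if (buf.length > MAX_LEN) return 'too-long';
  for (const b of buf.subarray(EICAR.length)) {
    if (!ALLOWED_TRAILING.has(b)) return 'trailing-data';
  }
  return 'conformant';
}

// Constructed sample inputs (names are illustrative only).
const samples = {
  'hello.js': EICAR,                                             // string saved with a .js extension
  'eicar.com.txt': Buffer.concat([EICAR, Buffer.from('\r\n')]),  // string plus CRLF
  'commented.js': Buffer.concat([Buffer.from('// '), EICAR]),    // string not at offset 0
  'appended.js': Buffer.concat([EICAR, Buffer.from('\nWScript.Echo("hi");')]),
  'hello-world.js': Buffer.from('WScript.Echo("Hello world");'), // no test string at all
};

function classifyAll(files) {
  return Object.fromEntries(
    Object.entries(files).map(([name, data]) => [name, classifyEicar(data)])
  );
}

console.log(classifyAll(samples));
```

Only the first two samples meet the published rules, which matches the reports above that the string is caught whatever extension it is saved under, while a plain hello-world script contains nothing for a signature to match.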