SANS ISC: Antivirus & Multiple Detections SANS ISC InfoSec Forums
Antivirus & Multiple Detections

"When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?"

I'm paraphrasing a question I've been asked a couple of times.

The answer depends on the sample file and the antivirus.

To illustrate this question, I made a sample file: a ZIP file containing the EICAR antivirus test file and mimikatz.exe.

In this ZIP, the EICAR file appears first:

The antivirus programs I'm familiar with will report just one detection: either EICAR or mimikatz.

Like ClamAV:

Here we can see that ClamAV detects EICAR, and not mimikatz. This is done for performance reasons: ClamAV stops scanning a file after the first detection. However, ClamAV has an option to make it continue scanning after a match:

With this option, ClamAV reports both EICAR and mimikatz:
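As an added example (not the diary's own code): a small Python helper that builds the clamscan command with and without the all-match option, parses clamscan's `<path>: <signature> FOUND` lines, and reports which detections only surface once scanning continues past the first match. The sample output below is constructed to mirror the diary's ZIP, the mimikatz signature name is a placeholder rather than a real ClamAV name, and `scan()` assumes clamscan is installed.

```python
"""Compare single-match and all-match clamscan runs on the same sample."""
import re
import subprocess
from collections import defaultdict

# clamscan prints one line per match: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def clamscan_cmd(path, allmatch=False):
    """Build the clamscan argv; --allmatch keeps scanning a file after the first hit."""
    cmd = ["clamscan", "--no-summary"]
    if allmatch:
        cmd.append("--allmatch")
    cmd.append(path)
    return cmd


def parse_clamscan(output):
    """Map each reported path to the list of signature names found in it."""
    hits = defaultdict(list)
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")].append(m.group("sig"))
    return dict(hits)


def hidden_detections(default_out, allmatch_out):
    """Signatures per path that the default (stop-at-first-match) run did not report."""
    first = parse_clamscan(default_out)
    full = parse_clamscan(allmatch_out)
    return {p: [s for s in sigs if s not in first.get(p, [])]
            for p, sigs in full.items() if len(sigs) > len(first.get(p, []))}


def scan(path, allmatch=False):
    """Run clamscan (must be installed) and parse its output; exit code 1 just means 'found'."""
    proc = subprocess.run(clamscan_cmd(path, allmatch), capture_output=True, text=True)
    return parse_clamscan(proc.stdout)


# Constructed sample output; the mimikatz signature name is a placeholder, not a real one.
DEFAULT_OUT = "sample.zip: Eicar-Test-Signature FOUND\n"
ALLMATCH_OUT = ("sample.zip: Eicar-Test-Signature FOUND\n"
                "sample.zip: Win.Tool.Mimikatz-Placeholder FOUND\n")

if __name__ == "__main__":
    # With the default run only EICAR is reported; the second signature is only seen with --allmatch.
    print(hidden_detections(DEFAULT_OUT, ALLMATCH_OUT))
```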

Do you know antivirus programs with a similar option? Please post a comment!


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

449 Posts
ISC Handler
I have never seen this; the AV always shows the two malicious files.
MESAYED

1 Posts
Hello.
What does VirusTotal say about your file?
S3cN3tSys

1 Posts
Click on the first link in my diary entry and you'll see VT's analysis.
DidierStevens

449 Posts
ISC Handler
Hi.. Now I'm interested.. Mainly free Avast (private user and trying to keep up where we "good guys" stand)..

I'm just a single user (admin, 6 comps, including a sandbox just to pass time). But this was awakening for a while... I'll need to check my comps for a possible breach.. Alienvault OSSIM/SIEM employed, but need to restrict something.. Ty for sharing.
Teemu

10 Posts
