Penetration test - Eicar Test file

Hi,

We recently had a penetration test where the tester pasted the Eicar test string into an Excel spreadsheet and saved it to the local disk on a Windows 10 workstation. McAfee ENS was installed and configured to scan all files, but it didn't detect the Eicar string in the Excel file (.xlsx). I have since tested this with Word and Wordpad as well, and neither of those files is detected. Creating a .txt file with the string is detected and the file is deleted, as per the settings within ENS.

The final report post-pentest:

Eicar.org states: "The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters."

I'm assuming that Excel, Word and Wordpad are inserting characters (before the string), moving the test string past the 128-character count, and not using whitespace characters.

Anyone have thoughts on the test done by the pentester? Is it invalid if done the way he did it?

Thanks in advance
Accepted Solution

McAfee Employee jess_arman (Message 5 of 6)

Re: Penetration test - Eicar Test file

@onmenogin The hypothesis presented is fully accurate: "Excel, Word, and Wordpad are inserting characters (before the string)."

By definition for EICAR detection, it must be the first 68/128 bytes of the document for the test detection to trigger. This is not a vulnerability, but something by design, given the bounds of what constitutes an EICAR test.

You can prove this by opening an EICAR.txt file and the .docx (or other format) version in Notepad++: you will see that there is PK header information in the .docx that causes it not to meet the EICAR test standard, whereas the .txt will plainly show the EICAR string characters at the front of the file. Also, you can see in the Wiki article for EICAR that only the documented hashes will be detected, so if the hash of their test file doesn't match, it won't be detected.


5 Replies

Re: Penetration test - Eicar Test file

Oops, I clicked send a bit too early.

The final report includes this issue as a vulnerability.

Now I have to prove that his test was invalid, as it does not follow the Eicar test file guidelines.

McAfee Employee johma (Message 3 of 6)

Re: Penetration test - Eicar Test file

Hi,

In addition to the other posted responses: you will also not detect EICAR.TXT, when ENS is installed, when saving the string out to a .TXT file.

This is part of the scan avoidance technology: as we fully expect Notepad to be saving "text" to .TXT files, these will not be scanned when saved.

VSE scanning all files will detect this.

As you are using ENS, save the same text string from Notepad to a .EXE file; we would not expect Notepad to be writing/creating .exe files, so this would be scanned.

McAfee Employee jess_arman (Message 4 of 6)

Re: Penetration test - Eicar Test file

For clarity, ENS will still/can still detect it if configured to scan .txt for the purpose of testing or otherwise.

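The two points made above (the accepted solution's "the signature must be the first 68 of at most 128 bytes, and an Office file starts with a PK header", and johma's note that the same bytes should be tried under a .txt and a .exe extension) can be reproduced without guessing. The script below is an added example, not code from the thread or from McAfee: it checks a candidate file body against the eicar.org rule quoted in the question, builds the variants the thread describes, writes them to a directory, and reports which ones the on-access scanner removed. The RTF header, the ZIP layout mimicking an .xlsx, the file names, and the settle time are assumptions made for the example; the ZIP is only the container shape, not an openable workbook. The page itself only says "whitespace" for the optional tail; the example treats space, tab, LF, CR and CTRL-Z as that whitespace, following eicar.org's published list.

```python
"""Check candidate files against the EICAR test-file rule and build the variants
from the thread (plain .txt, .exe extension, Wordpad/RTF-style, Office/ZIP-style)
so an on-access scanner can be exercised in a controlled way."""
import io
import os
import sys
import time
import zipfile

# The 68-byte signature, assembled from pieces so this source file is itself
# not a valid EICAR file and does not trip a scanner while you edit it.
EICAR = b"".join([
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}",
    b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
    b"$H+H*",
])
SIGNATURE_LEN = 68
MAX_LEN = 128
# Whitespace permitted after the signature (eicar.org's list): space, tab, LF, CR, CTRL-Z.
ALLOWED_TAIL = frozenset(b" \t\n\r\x1a")


def check_eicar(data: bytes) -> tuple[bool, str]:
    """Return (valid, reason) for a candidate EICAR file body."""
    if data[:4] == b"PK\x03\x04":
        return False, "starts with a ZIP local-file header (PK): an Office container, not the signature"
    offset = data.find(EICAR)
    if offset != 0:
        where = "absent (compressed or encoded)" if offset < 0 else f"at offset {offset}"
        return False, f"signature is not the first 68 bytes; it is {where}"
    if len(data) > MAX_LEN:
        return False, f"{len(data)} bytes; limit is {MAX_LEN}"
    tail = data[SIGNATURE_LEN:]
    if any(b not in ALLOWED_TAIL for b in tail):
        return False, "bytes after the signature are not all whitespace"
    return True, f"valid EICAR file ({len(data)} bytes)"


def rtf_wrapped(payload: bytes) -> bytes:
    """Constructed minimal RTF standing in for what Wordpad saves: a header precedes the text."""
    return b"{\\rtf1\\ansi\\deff0 " + payload + b"\\par}"


def ooxml_wrapped(payload: bytes) -> bytes:
    """Constructed ZIP laid out like an .xlsx: the text sits deflated inside a part.
    Not a complete workbook, only the container shape that matters for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>" + payload.decode("ascii") + "</t></si></sst>")
    return buf.getvalue()


def build_variants() -> dict[str, bytes]:
    """File name -> body for each way the thread describes saving the string."""
    return {
        "eicar.txt": EICAR,
        "eicar_padded.txt": EICAR + b"\r\n" + b" " * (MAX_LEN - SIGNATURE_LEN - 2),  # exactly 128 bytes
        "eicar_too_long.txt": EICAR + b" " * (MAX_LEN - SIGNATURE_LEN + 1),          # 129 bytes
        "eicar.exe": EICAR,                   # same bytes, an extension Notepad is not expected to write
        "eicar.rtf": rtf_wrapped(EICAR),      # Wordpad-style
        "eicar.xlsx": ooxml_wrapped(EICAR),   # Excel/Word-style container
    }


def write_and_observe(directory: str, settle_seconds: float = 5.0) -> dict[str, dict]:
    """Write every variant, give the on-access scanner time, then report which survived.
    Off a Windows box running ENS every file survives; the spec verdict still applies."""
    os.makedirs(directory, exist_ok=True)
    results = {}
    for name, body in build_variants().items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(body)
        valid, reason = check_eicar(body)
        results[name] = {"spec_valid": valid, "reason": reason}
    time.sleep(settle_seconds)
    for name in results:
        results[name]["survived"] = os.path.exists(os.path.join(directory, name))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "eicar_test"
    for name, r in write_and_observe(target).items():
        print(f"{name:20} spec_valid={r['spec_valid']!s:5} survived={r['survived']!s:5} {r['reason']}")
```

Run it on the workstation under test and compare the two columns: a file that is removed but not spec-valid shows the scanner doing more than the test guarantees, while a file that survives but is spec-valid (for example eicar.txt or eicar.exe) is the result a report should actually be based on. The .rtf and .xlsx rows are the pentester's scenario: the string is present but behind a header, or inside a compressed ZIP part, so by eicar.org's rule they are not EICAR test files at all.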
Re: Penetration test - Eicar Test file

Thanks for your replies,

Much appreciated.
