[NIS 17.1] Eicar virus test problem

Hi everyone,
I have 2 pc both with Vista SP1 32bit and NIS 2010 17.1.
In the last two days when I open the link:
htt*p://www.eicar.org/download/eicar.com.txt (remove *)
NIS doesn’t find the virus until I try to save the page. Before, NIS blocked the virus test when the page loaded.

Is it normal?

Thanks in advance for replies.

Message Edited by Axios on 11-25-2009 07:47 PM

Your first and third options are the same on my PC.
The second option is the problem. Before the last two days, opening the .txt in Opera was the same as opening the .com file -> immediately blocked by NIS. Now the .txt is not blocked until I press the Save button in Opera…


Axios wrote:
Your first and third options are the same on my PC.
The second option is the problem. Before the last two days, opening the .txt in Opera was the same as opening the .com file -> immediately blocked by NIS. Now the .txt is not blocked until I press the Save button in Opera...

I suspect this may be due to the process of getting it displayed on the screen.  If the display process requires it first be passed to a temp file as a coherent file itself, it will almost certainly be detected.  However, if what is happening is simply that characters are being displayed on the screen without going through the temp filter, then they are ignored.  Now if those characters were to be pushed in memory as a coherent string to be acted upon, it should (probably would) be picked up by whatever security detectors are in place.

All supposition on my part.

Edit:  Yes, I am not forgetting that your query is about the change you are experiencing in when something happens.  It could be a change resulting from an update to NIS.  It could be a change in how Eicar presents the data.  Perhaps a Symantec technician will stop by and be interested enough to give a firm answer.

Message Edited by mijcar on 11-25-2009 12:32 PM

Hi Axios,

What you are seeing is due to the way that Firefox renders files with a .txt extension.  Firefox will display such a file as plain text.  Internet Explorer, on the other hand, will attempt to ascertain what the file might otherwise contain and will open the file accordingly.  So when you open Eicar.com.txt with Firefox, Norton will not alert you, since this is rendered as harmless text.  If you instead download and save Eicar.com.txt to your hard drive, Norton will, in fact, block it.  If you open Eicar.com.txt in IE, Norton blocks it because IE is ignoring the server's "plain-text" file designation and opening the "virus."  Firefox is adhering to HTTP specifications by not trying to guess what the content of the file might be and is therefore actually safer.

So there is no issue here with Norton.  It is entirely based on the actions that your browser takes when the actual content of a file does not agree with the MIME type that the server is reporting for the file.  You can read more about this here:

https://developer.mozilla.org/en/Properly_Configuring_Server_MIME_Types

EDIT:  A new version of Opera was released this week.  Perhaps your Opera has updated and the new version is treating MIME types differently than it had before, as explained above.

Message Edited by SendOfJive on 11-25-2009 11:42 AM
Message Edited by SendOfJive on 11-25-2009 12:06 PM

The problem appeared before the Opera update. I think it's a change in NIS definitions, because the EICAR site doesn’t show any update or news about a change in the EICAR test file.

Following up my previous post, Opera by default will render a file according to its MIME type, as Firefox does.  It can be configured by the user, however, to open files as IE does, ignoring the MIME type and opening the file based on what the file is in actuality.

From the Opera Website:

By default, Opera will determine how to handle a file by its MIME type. MIME types are descriptions used by Web servers to identify files to browsers. This is the most secure way of receiving content on the Internet. There is a second option, however; you may choose to let Opera use the file's extension to decide which action to take when the MIME type is not reliable. This option is less secure than the default.

Some MIME types are intended as generic types, such as "text/plain" and "application/octet-stream". If a server is not specifically set up to handle a certain kind of content, these generic MIME types are often used. This means that sometimes a video file in an MPEG format will be sent using the "text/plain" MIME type. If you have chosen to determine action by file extension, Opera will nevertheless recognize the video file's extension (such as ".mpg"), and handle it according to your settings for .mpg files.

However, sometimes the file type indicated by the extension is not the file type that the browser interprets. This is due to an HTTP header called "content-disposition," which can assign a new name to the file you are downloading. Therefore, if you enable the option to determine file type by extension, pay close attention to the file name in "Open" and "Save" dialog boxes and make certain the file is not of a different kind than expected. If it is, do not open or run the file.


Message Edited by SendOfJive on 11-25-2009 12:01 PM

Axios wrote:

[...] In the last two days when I open the link [...]

Axios wrote:
The problem appeared before the Opera update. I think it's a change in NIS definitions, because the EICAR site doesn't show any update or news about a change in the EICAR test file.

Since the file is detected when saved to disk, the behavior change can't be due to a change in the NIS definitions. Your original post indicates that the problem only started occurring in the last couple of days, yet in a later post you indicate that the problem occurred before the Opera update. Are you sure that the detection occurred with the previous version? As indicated previously in this thread, the behaviour change may also be due to a setting in Opera.


SendOfJive wrote:

Hi Axios,

What you are seeing is due to the way that Firefox renders files with a .txt extension.  Firefox will display such a file as plain text.  Internet Explorer, on the other hand, will attempt to ascertain what the file might otherwise contain and will open the file accordingly.  So when you open Eicar.com.txt with Firefox, Norton will not alert you, since this is rendered as harmless text.  If you instead download and save Eicar.com.txt to your hard drive, Norton will, in fact, block it.  If you open Eicar.com.txt in IE, Norton blocks it because IE is ignoring the server's "plain-text" file designation and opening the "virus."  Firefox is adhering to HTTP specifications by not trying to guess what the content of the file might be and is therefore actually safer.

Umm.... IE also renders .txt as plain text format.  Where did you get that info?  I have tried opening the .txt file with IE and got no Norton detection as well.

Edit: OK I'm mistaken.  IE renders the text as plain text format but Norton detected the "virus".

Message Edited by Wikipedian on 12-01-2009 12:11 AM

As a demonstration of how different browsers will render a file when the MIME type does not agree with the actual file content, open the following attachment first with Firefox and then with Internet Explorer.  The file is actually a .jpg image of SendOfJive’s lap cat with the file extension renamed .txt.  This is exactly what happens with eicar.com.txt.  Firefox correctly renders only plain text, as the MIME type instructs.  Internet Explorer, on the other hand, sees that the file really isn’t a plain text file, “corrects” for this and launches the virus.  Norton behaves as the need warrants in either case, blocking the virus execution but not the plain-text page; and as mentioned, Norton will block Firefox from actually saving the eicar file to disk.

Message Edited by SendOfJive on 11-30-2009 06:22 PM
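The mismatch SendOfJive's cat-as-.txt attachment demonstrates, and the Content-Disposition renaming the quoted Opera documentation warns about, can be checked programmatically. The example below is added here and is not code from the thread or from Norton or Opera: it compares the server's declared Content-Type with what the leading bytes look like, predicts what a MIME-honouring browser and a sniffing browser would each do, and reports the name the download would be saved under. The magic-byte table and the X-Content-Type-Options: nosniff header (which the thread does not mention) are well-known values; the sample JPEG header and headers are constructed.

```python
import re

# Leading-byte signatures a sniffing browser recognises (well-known magic values).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),  # DOS/Windows executable header
]
# Catch-all server types that often do not describe the body at all.
GENERIC_TYPES = {"text/plain", "application/octet-stream"}


def sniff_type(body: bytes) -> str:
    """Guess a type from the leading bytes, roughly as a content-sniffing browser does."""
    for sig, mime in MAGIC:
        if body.startswith(sig):
            return mime
    sample = body[:512]
    is_text = all(32 <= b < 127 or b in b"\r\n\t" for b in sample)
    return "text/plain" if is_text else "application/octet-stream"


def effective_filename(headers: dict, url_name: str) -> str:
    """Content-Disposition may rename the download, so the URL's name is not the final word."""
    match = re.search(r'filename="?([^";]+)"?', headers.get("Content-Disposition", ""))
    return match.group(1).strip() if match else url_name


def classify(headers: dict, url_name: str, body: bytes) -> dict:
    """Compare declared and sniffed types and predict what each browser style opens."""
    declared = headers.get("Content-Type", "application/octet-stream").split(";")[0].strip().lower()
    sniffed = sniff_type(body)
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    mismatch = sniffed != declared
    # A MIME-honouring browser (Firefox, Opera by default) acts on the declared type.
    # A sniffing browser (IE, or Opera set to use the extension) overrides a *generic*
    # declared type with what the bytes look like, unless the server forbids sniffing.
    sniffing_opens_as = sniffed if (mismatch and declared in GENERIC_TYPES and not nosniff) else declared
    return {
        "declared": declared, "sniffed": sniffed, "mismatch": mismatch,
        "mime_honouring_opens_as": declared, "sniffing_opens_as": sniffing_opens_as,
        "saved_as": effective_filename(headers, url_name),
    }


# Constructed sample: the first bytes of a JPEG, served under a .txt name as text/plain.
CAT_AS_TXT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32
HEADERS = {"Content-Type": "text/plain; charset=us-ascii"}

if __name__ == "__main__":
    print(classify(HEADERS, "Send of Jive Cat 17.txt", CAT_AS_TXT))
```

For the cat sample this reports `text/plain` for a MIME-honouring browser and `image/jpeg` for a sniffing one, which is exactly the Firefox-versus-IE split described in the post.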

"BTW, I attempt to analyze the zip file using an up-to-date malwarebytes and got a "clean" billing."

Some time ago it was stated on the Malwarebytes forum that EICAR will not be flagged.


SendOfJive wrote:
As a demonstration of how different browsers will render a file when the MIME type does not agree with the actual file content, open the following attachment first with Firefox and then with Internet Explorer.  The file is actually a .jpg image of SendOfJive's lap cat with the file extension renamed .txt.  This is exactly what happens with eicar.com.txt.  Firefox correctly renders only plain text, as the MIME type instructs.  Internet Explorer, on the other hand, sees that the file really isn't a plain text file, "corrects" for this and launches the virus.  Norton behaves as the need warrants in either case, blocking the virus execution but not the plain-text page; and as mentioned, Norton will block Firefox from actually saving the eicar file to disk.
Message Edited by SendOfJive on 11-30-2009 06:22 PM

You might also try right-clicking on each link and choosing Save Link As, and see what default name is given.  IE chooses to save it as Send of Jive Cat 17.jpg and FF as Send of Jive Cat 17.txt.

My error: I didn’t know that Opera auto-update had silently installed version 10.01. So when I downloaded 10.10, I thought that my current version was 10.00 and not 10.01. So I think that the change was made in Opera 10.01 and is also in Opera 10.10.

Excuse me for the error.

Hi Axios,

I'm pretty sure that the default for all recent versions (possibly all versions entirely) of Opera is to follow the MIME type.  This is sort of a fundamental behavior that would be adopted by the browser developers and not changed from one release to the next.  So I very much doubt this had anything to do with you updating to a new version.

I would more likely suspect that when you got a Norton alert for eicar while using the Opera browser you had actually downloaded one of the other three eicar files (eicar.com, eicar_com.zip, or eicarcom2.zip) rather than eicar.com.txt.  Eicar.com.txt is the only file that would display as plain text in Opera and not kick Norton into action.  Accidentally clicking eicar.com instead of eicar.com.txt would be a very easy thing to do and would explain why Norton reacted.  Possible?

Before Opera 10.01 and 10.10, Norton Auto-Protect eliminated eicar.txt. I’m sure.