EICAR

Tags: security, my server.
By lucb1e on 2011-12-14 20:02:29 +0100

The EICAR test file [is a file] to test the response of computer antivirus (AV) programs. The rationale behind it is to allow [you] to test [AV software] without having to use a real computer virus that could cause actual damage should the AV not respond correctly. (From wikipedia.org). Also it's often much easier to create an EICAR file than find real malware.

Do not ever put this file on your domain. You'll be banned from the web by companies like Bitdefender. They'll detect some sort of virus and just instantly block the entire domain, not caring whether it does actually any harm.

I used this file to test something, after which I left it in a public directory incase I or anyone else needed it again. I used to have to look the file up and create it every time again, having it in a directory was more convient.
Unfortunately though, it turns out the braindead security companies' scanners thought differently about serving this file.

Thanks to an e-mail from Bjarno I discovered the block quite quickly and was able to prevent more scanners from picking it up. It seems only ParetoLogic detected it, after which Bitdefender blocked my website as well. So if ParetoLogic would block bitdefender.com, I'd laugh really hard if bitdefender then blocked themselves.

First thing I did was remove the file, then I sent an e-mail to both of the companies. ParetoLogic automatically replied to acknowledge they had received the request and they would look into it. Two days later I received an e-mail that they forwarded it to their "SWAT" team (malware analysis team). Slightly slow for a forward, but at least they do something. Mind how Bitdefender at this point hasn't even told me they had received the message.
Sure enough, another 2 days later (today) I received an e-mail from ParetoLogic again that the domain was reviewed and rated clean. Checking on Virustotal, they indeed classify it as a clean website now.

Bitdefender on the other hand neither replied nor has taken any action yet. Meanwhile my domain is getting many requests by different IPs from different countries for the file, which is 404'ing since the moment I received the message from Bjarno.

Conclusions from this:
- Think about what you put online, if it concidered bad in any way (even though you meant to help others) you may get nothing but trouble from it;
- While ParetoLogic might be a little strict and quick to block a domain, their customer service at least works;
- Bitdefender is retarded and should be boycotted.


Update: Apparently you're supposed to post on the public board from BitDefender. Bjarno was kind enough to do this for the EICAR issue and again when they somehow had a false-positive on this domain. I don't know which file caused the false positive (couldn't get them to tell me), but this time they did reply to my e-mail. Too bad they were two days late, they already reanalyzed and rated the domain clean, even though Bjarno's post on their forums wasn't much earlier than my e-mail.
lucb1e.com
Tip others about this page:   Share via Facebook  Share via Twitter  Share via Google+  Submit to Reddit  Recommend at StumbleUpon  Share by e-mail Submit at Hacker News


Comments:
Comments powered by Disqus
Another post tagged 'my server': IPv6 adoption

Look for more posts tagged my server or security.

Previous post - Next post