Archive for May 17th, 2020

Antivirus & Multiple Detections, (Sun, May 17th)

“When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?”.

I’m paraphrasing a question I’ve been asked a couple of times.

The answer depends on the sample file and the antivirus.

To illustrate this question, I made a sample file: a ZIP file containing the EICAR antivirus test file and mimikatz.exe.

The EICAR file appears first:

The different antivirus programs I’m familiar with, will report just one detection: EICAR or mimikatz.

Like ClamAV:

Here we can see that ClamAV detects EICAR, and not mimikatz. This is because of performance reasons, ClamAV will stop scanning a file after the first detection. However, ClamAV has an option to make it continue scanning after a match:

Using this option makes that ClamAV reports EICAR and mimikatz:

Do you know antivirus programs with a similar option? Please post a comment!


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →