Antivirus & Multiple Detections
"When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?"
I'm paraphrasing a question I've been asked a couple of times.
The answer depends on the sample file and the antivirus.
To illustrate this question, I made a sample file: a ZIP file containing the EICAR antivirus test file and mimikatz.exe.
The EICAR file appears first in the archive, followed by mimikatz.exe.
The antivirus programs I'm familiar with report just one detection for this sample: either EICAR or mimikatz, not both.
ClamAV is a good example.
ClamAV detects EICAR and does not report mimikatz. This is for performance reasons: by default, ClamAV stops scanning a file after the first detection, and since the EICAR file comes first in the archive, that is the detection it reports. However, ClamAV has an option to make it continue scanning after a match.
With this option, ClamAV reports both EICAR and mimikatz.
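The behaviour described above, as an added example that is not part of the original diary: a small Python script builds a ZIP sample with the EICAR test file followed by a second member (a constructed stand-in for mimikatz.exe, matched by a hypothetical signature), then scans it with a toy signature engine in "stop at first match" mode and in "report all matches" mode. Building the sample with the members in the opposite order shows that the single reported detection depends on which member the scanner reaches first. The `clamscan_argv` helper only assembles the command line for ClamAV's `clamscan`; `--allmatch` (short form `-z`) is the real ClamAV option that keeps scanning a file after a match, and it is run only if `clamscan` is installed. The EICAR string is assembled from fragments so that this source file does not itself trigger an EICAR detection on disk.

```python
"""Toy first-match vs. all-match scanner over a ZIP sample (added example)."""
import io
import shutil
import subprocess
import zipfile
from typing import List, Tuple

# EICAR test string, split into fragments so the script file on disk does not
# match the EICAR signature; the joined value is the standard 68-byte string.
EICAR = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    + "EICAR-STANDARD-"
    + "ANTIVIRUS-TEST-FILE!$H+H*"
)

# Toy signature database: name -> byte pattern. The second entry is a
# hypothetical marker standing in for a real detection such as mimikatz.
SIGNATURES = {
    "Eicar-Test-Signature": EICAR.encode(),
    "Hypothetical.Tool.Marker": b"HYPOTHETICAL-SECOND-DETECTION-MARKER",
}


def build_sample(eicar_first: bool = True) -> bytes:
    """Return a ZIP (as bytes) with eicar.com and a constructed second.exe.

    The member order decides which detection a first-match scanner reports.
    """
    members = [
        ("eicar.com", EICAR.encode()),
        # Constructed stand-in for mimikatz.exe: an MZ header, padding, and
        # the hypothetical marker that SIGNATURES matches on.
        ("second.exe", b"MZ" + b"\x00" * 64
         + SIGNATURES["Hypothetical.Tool.Marker"] + b"\x00" * 64),
    ]
    if not eicar_first:
        members.reverse()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def scan(zip_bytes: bytes, all_match: bool = False) -> List[Tuple[str, str]]:
    """Return (member, signature) hits in the order they were found.

    Without all_match the scan returns at the first hit, which is the
    default ClamAV behaviour the diary describes; with all_match every
    member is checked against every signature.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():          # members in archive order
            data = zf.read(info)
            for name, pattern in SIGNATURES.items():
                if pattern in data:
                    hits.append((info.filename, name))
                    if not all_match:
                        return hits         # first match wins
    return hits


def clamscan_argv(path: str, all_match: bool = False) -> List[str]:
    """Build the clamscan command line; --allmatch keeps scanning after a hit."""
    argv = ["clamscan", "--no-summary"]
    if all_match:
        argv.append("--allmatch")
    argv.append(path)
    return argv


if __name__ == "__main__":
    sample = build_sample(eicar_first=True)
    with open("sample.zip", "wb") as f:
        f.write(sample)
    print("first match only:", scan(sample))
    print("all matches:     ", scan(sample, all_match=True))
    print("EICAR last, first match only:", scan(build_sample(eicar_first=False)))
    # Run the real thing if ClamAV is installed; compare with and without -z.
    if shutil.which("clamscan"):
        subprocess.run(clamscan_argv("sample.zip"))
        subprocess.run(clamscan_argv("sample.zip", all_match=True))
```

Note that a real engine unpacks the archive and scans the members in order, as the toy does with `zipfile`; if EICAR is not the first member, a first-match scanner reports the other detection instead, so "what does the antivirus report?" really is a property of the sample as much as of the product.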
Do you know antivirus programs with a similar option? Please post a comment!
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
Comments
Anonymous
May 18th 2020
4 years ago
What does VirusTotal say about your file?
Anonymous
May 18th 2020
4 years ago
I'm just a single user (admin, 6 comps, including sandbox just to pass time). But this was awakening for a while... I'll need to check my comps for a possible breach.. Alienvault OSSIM/SIEM employed, but need to restrict something.. Ty for sharing.