Information about EICAR and AMTSO tests

[MariuxReloaded]

Hello everybody 👋

Last week I put Defender and Malwarebytes Premium to test through EICAR and AMTSO (https://www.amtso.org/security-features-check/), just out of curiosity.

The results were almost the same (in some cases, MB blocked more threats than Defender, especially in the "Detects phishing pages" test), but, when it was the time of the "Detect compressed malware" test (this one: https://www.amtso.org/feature-settings-check-download-of-compressed-malware/), both security softwares failed in part, specifically with TARGZ. format and another compressed format that I can't remember now.

In addition to that, neither Defender nor Malwarebytes blocked the txt. file, the most classical antivirus test by EICAR.

Now, my questions are:

1) Not long ago I read on the web that MB does not block txt. malicious files. Is it true? If so, why does it not block them?

2 Are these tests reliable, even if they're standardized?

Thank you very much in advance 🙏

Edited June 2, 2023 by MariuxReloaded

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

• For use when you are on the forums and need to provide logs for assistance
• For use when you don't need or want to create a ticket with Malwarebytes
• For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler

1. Download Malwarebytes Support Tool
2. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
3. Place a checkmark next to Accept License Agreement and click Next
4. Navigate to the Advanced tab
5. The Advanced menu page contains four categories:
   • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
   • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
   •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
   • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
6. To provide logs for review click the Gather Logs button
7. Upon completion, click OK
8. A file named mbst-grab-results.zip will be saved to your Desktop
9. Please attach the file in your next reply.
10. To uninstall all Malwarebytes Products, click the Clean button.
11. Click the Yes button to proceed. 
12. Save all your work and click OK when you are ready to reboot.
13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
14. Select Yes to install Malwarebytes.
15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler

 

 

 

 

Spoiler

 

 

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Porthos]

3 minutes ago, MariuxReloaded said:

Not long ago I read on the web that MB does not block txt. malicious files. Is it true? If so, why does it not block them?

Malwarebytes does not target script files during a scan.. That means MB will not target; JS, HTML, VBS, .CLASS, SWF, BAT, CMD, PDF, PHP, etc.

It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, etc.

It also does not target media files;  MP3, WMV, JPG, GIF, etc.

Malwarebytes will block the execution of malicious files like these only with the anti-exploit module of the paid program.

[MariuxReloaded]

18 minutes ago, Porthos said:

 

Malwarebytes will block the execution of malicious files like these only with the anti-exploit module of the paid program.

 

Which, of course, was enabled during these tests.

So, as far as I understood, since Malwarebytes did not delete them after the scan, these files would have been blocked by MB only if I'd executed them?

Edited June 2, 2023 by MariuxReloaded

[Porthos]

2 minutes ago, MariuxReloaded said:

these files would have been blocked by MB only if I'd executed them?

Yes, but keep in mind,

 

[MariuxReloaded]

5 minutes ago, Porthos said:

Yes, but keep in mind,

 

Oh, thank you very much, Porthos, this is the final answer for my second question! 👍

That's why I've asked if EICAR and AMTSO tests were reliable or not 😏

Sorry if I missed this thorough explanation before opening this thread 🙏

[sp123]

@Porthos something must have changed since that announcement, as MBAM does indeed detect the EICAR test file both on scan and when I double-click it:

Though oddly clicking on "EICAR-AV-Test" just brings up a 404 and a redirect to the page on detections.

eicar.txt

Edited June 2, 2023 by sp123

[MariuxReloaded]

12 minutes ago, sp123 said:

@Porthos something must have changed since that announcement, as MBAM does indeed detect the EICAR test file both on scan and when I double-click it:

eicar.txtUnavailable

Then why was it not detected by Malwarebytes Premium on my laptop? 🤨

[sp123]

No idea. Is it have the .com extension?

[MariuxReloaded]

42 minutes ago, sp123 said:

No idea. Is it have the .com extension?

Oh no, sorry, my mistake 🙏

[David H. Lipman]

MBAM specifically targets PE binaries via signatures that start with the first two characters being; MZ
They can be; EXE, COM, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything such as;  TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'.  This includes file names that use Unicode Right-to-Left Override to obfuscate an executable file extension.

The EICAR test string is...

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

https://en.wikipedia.org/wiki/EICAR_test_file

Quote

Design

The file is a text file of between 68 and 128 bytes^[6] that is a legitimate .com executable file (plain x86 machine code) that can be run by MS-DOS, some work-alikes, and its successors OS/2 and Windows (except for 64-bit due to 16-bit limitations).

 

MBAM is not a historical anti malware solution.  That means it will not target old malware.  It's intent is to target 0-Day malware.  Malware that is infecting computers Today with malware found in-the-wild, Today.  That means that something like the BugBear which infected years ago will not be targeted by MBAM.  Malwarebytes will actually cull their signature database for malware that is no longer seen in-the-wild Today.   This is why Malwarebytes requests samples that are submitted for detection consideration be no older than 3 months old. 

 

 

Edited June 2, 2023 by David H. Lipman
Edited for content, clarity, spelling and/or grammar