> response. Oh, and in case you're wondering, there was only a difference
> of one byte between our copies of EICAR.COM. Mine terminated in an <LF>,
> Ed's in a <CR><LF>.

That can be significant. There've been quite a few differences in implementation in detection of the EICAR test file over the years, and it's been known for a product to fail precisely because of the length of the file. Other anomalies have included a surprising degree of pattern-matching fuzziness, and undue flexibility about positioning.

The spec. requires the EICAR string to be right at the beginning of the file, but doesn't specify whether anything can follow it. There was even an instance a few years back of a scanner which alerted on an informatory text file containing the EICAR string somewhere in the middle. Hopefully, all current scanners handle the EICAR string 'correctly'. But I wouldn't bet the family jewels on it.

You're right, by the way: there is anti-virus software which only scans a file for known viruses if integrity checking flags a change.

--
David Harley <D.Harleyat_private> <harleyat_private> | <D_Harleyat_private>
<http://www.sherpasoft.org.uk/>
.sig under re-construction.....
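An added example, not part of the original message: a small Python helper that reports the properties this message says scanners have disagreed on, namely the file's length, where the EICAR string sits, and what follows it. The function names, the constructed sample set and the choice of padding bytes are assumptions made for illustration.

```python
# Added example: describe how a sample relates to the EICAR test string.
# The 68-byte string is assembled from two pieces so that this listing
# does not itself contain the contiguous test string.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         rb"ANTIVIRUS-TEST-FILE!$H+H*")

# Assumption: bytes treated as harmless padding after the string.
PADDING = b" \t\r\n\x1a"


def describe(data: bytes) -> dict:
    """Report position, total length and trailing bytes for one sample."""
    offset = data.find(EICAR)
    if offset < 0:
        return {"position": "absent", "length": len(data)}
    tail = data[offset + len(EICAR):]
    if not tail:
        tail_kind = "none"
    elif tail == b"\n":
        tail_kind = "LF"
    elif tail == b"\r\n":
        tail_kind = "CRLF"
    elif all(b in PADDING for b in tail):
        tail_kind = "other-whitespace"
    else:
        tail_kind = "data"
    return {
        "position": "start" if offset == 0 else "embedded",
        "offset": offset,
        "length": len(data),
        "tail": tail_kind,
    }


# Constructed samples covering the variations mentioned in the message.
SAMPLES = {
    "bare": EICAR,
    "lf": EICAR + b"\n",
    "crlf": EICAR + b"\r\n",
    "trailing-text": EICAR + b" extra bytes after the string",
    "mid-text": b"Notes on scanner testing.\r\n" + EICAR + b"\r\nEnd of notes.\r\n",
}


def matrix() -> dict:
    """Describe every constructed sample, keyed by sample name."""
    return {name: describe(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, info in matrix().items():
        print(f"{name:14} {info}")
```

Writing each sample to disk and recording the scanner's verdict next to this description shows which of the variations a given product is sensitive to.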
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:29 PDT