Author Topic: In triddefs.zip some scanner give virus alert "EICAR test file"  (Read 5412 times)

jenderek

  • Sr. Member
  • ****
  • Posts: 369
In triddefs.zip some scanner give virus alert "EICAR test file"
« on: October 01, 2016, 11:17:39 PM »
Some virus scanners give a virus alert for triddefs.zip and recognise an "EICAR test
virus". For example, the ClamAV scanner ( http://www.clamav.net/ ) version 0.99.1 says
"Eicar-Test-Signature FOUND".

The recognition is triggered by eicar.trid.xml, through a 68-byte pattern at position 0.
The facts are described at the website eicar.org. So I added to the XML file the line:
   <RefURL>http://www.eicar.org/86-0-Intended-use.html</RefURL>

There it is written that the specific 68-byte DOS program EICAR.COM only
prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" and does not hurt the
computer. So the MIME type, as for all DOS executables, is set by the line:
   <Mime>application/x-dosexec</Mime>

When TrID definitions, especially eicar.trid.xml, are packed inside a def file
like triddefs.trd, the hexadecimal representation of EICAR.COM apparently
is converted into 68 bytes which are recognized correctly by malware scanners as a
virus.

So I split the pattern in two parts. The first part, with 28 bytes from the start, contains
only x86 machine instructions to display some text. This should be considered by
scanners as harmless. The second pattern mainly contains only the string starting
with the characteristic word "EICAR". Hopefully this word combination alone is
considered by scanners as harmless. Yes, this consideration is true for the ClamAV
scanner. The annoying virus alert vanishes with the updated eicar.trid.xml.

I hope my TrID file can be used in future versions of triddefs as a replacement.

With best wishes
Jörg Jenderek
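To make the mechanism described in the post concrete, here is a small Python model added for this thread (it is not TrID's own code; the XML element names, the packed-definition layout with a position/length header before each pattern, and all sample bytes are assumptions, and the real EICAR string is deliberately not reproduced). It shows that a two-part definition identifies the same file as a single 68-byte pattern at position 0, while the packed form of the split definition no longer contains the scanner's fixed signature as one contiguous run of bytes:

```python
import struct
import xml.etree.ElementTree as ET

# Constructed stand-in for the 68-byte program discussed in the thread.  The
# real EICAR string is deliberately NOT reproduced; these bytes are made up.
PART1 = b"CONSTRUCTED-CODE-STUB-28-B!!"              # 28 bytes, the "code" half
PART2 = b"TESTWORD-STANDARD-ANTIVIRUS-TEST-FILE!$H"  # 40 bytes, the "string" half
SAMPLE_FILE = PART1 + PART2                          # the file TrID should identify
# A scanner whose signature is the whole file content as one fixed string.
SCANNER_SIGNATURE = SAMPLE_FILE


def trid_def(patterns):
    """Build a TrID-like XML definition (element layout is an assumption)."""
    body = "".join(
        f"<Pattern><Bytes>{b.hex().upper()}</Bytes><Pos>{pos}</Pos></Pattern>"
        for pos, b in patterns
    )
    return (
        "<TrIDDef><Info><FileType>Test program</FileType><Ext>COM</Ext>"
        "<Mime>application/x-dosexec</Mime></Info>"
        f"<FrontBlock>{body}</FrontBlock></TrIDDef>"
    )


SINGLE_DEF = trid_def([(0, SAMPLE_FILE)])        # one 68-byte pattern at position 0
SPLIT_DEF = trid_def([(0, PART1), (28, PART2)])  # the two-part version from the post


def parse_def(xml_text):
    """Return [(position, pattern_bytes), ...] from the definition's <Pattern> elements."""
    root = ET.fromstring(xml_text)
    return [
        (int(pat.findtext("Pos")), bytes.fromhex(pat.findtext("Bytes")))
        for pat in root.iter("Pattern")
    ]


def identifies(xml_text, data):
    """True when every pattern of the definition is present at its stated offset."""
    return all(data[pos:pos + len(b)] == b for pos, b in parse_def(xml_text))


def pack_defs(xml_text):
    """Assumed packed layout: a <pos:u16><len:u16> header precedes each pattern's bytes."""
    return b"".join(
        struct.pack("<HH", pos, len(b)) + b for pos, b in parse_def(xml_text)
    )


def scanner_flags(blob, signature=SCANNER_SIGNATURE):
    """Naive fixed-string signature check: flags any contiguous occurrence."""
    return signature in blob


def report():
    """Compare the single-pattern and split definitions on identification and flagging."""
    other = b"MZ" + bytes(66)  # constructed unrelated DOS-style file of the same length
    return {
        "single_identifies": identifies(SINGLE_DEF, SAMPLE_FILE),
        "split_identifies": identifies(SPLIT_DEF, SAMPLE_FILE),
        "single_rejects_other": not identifies(SINGLE_DEF, other),
        "split_rejects_other": not identifies(SPLIT_DEF, other),
        "single_packed_flagged": scanner_flags(pack_defs(SINGLE_DEF)),
        "split_packed_flagged": scanner_flags(pack_defs(SPLIT_DEF)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The packed split definition is not flagged only because the second pattern's header sits between the two halves; a scanner that matches either half on its own, or a packer that stores patterns back to back, would still raise the alert, which is consistent with the reply below where one engine continued to flag the split version until bytes were removed.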

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2683
    • Mark0's Home Page
Re: In triddefs.zip some scanner give virus alert "EICAR test file"
« Reply #1 on: October 02, 2016, 01:56:40 AM »
Hi!

Sometimes that definition indeed ends up as a false positive of this or that AV. Some time back I removed it entirely, then I added it later.
Nice idea to split the patterns in two. But I see one of the antiviruses from VirusTotal still mis-flags it.
So I removed all the references to Eicar (aside from the description), removed some bytes in the pattern, and encoded the relevant Wikipedia page via TinyURL. That should hopefully do.

Thanks!
Bye!
« Last Edit: October 02, 2016, 02:09:43 AM by Mark0 »