Testing and reporting the issue of anti-virus scanning file uploads on web applications. - originally had animations to be more Q&A - see also http://www.exploresecurity.com/testing-for-anti-virus-on-file-upload

1. Anti-Virus Checking on File Upload
Testing and reporting the issue for web applications
Jerome Smith
15 May 2015

2. Methodology
Process
• Upload file…
• …and then download it!
• While upload may apparently succeed, download may fail (file empty etc.)
• Is the downloaded file the same?
• May be renamed
• Hashing constitutes good evidence
• If download unsupported, you can only speculate if upload produces no errors
Which file?
• Netcat?
• Metasploit payload?
• CryptoLocker?
• EICAR test file

3. EICAR
What % hit rate do you think this file got on VirusTotal?
• About 10% (6 out of 57)*
• AegisLab, Ikarus, Qihoo-360, SUPERAntiSpyware, TrendMicro and
TrendMicro-HouseCall
• So not a fair file with which to test someone’s AV capability!
* at 13/05/15 (and all other stats)

4. EICAR
Okay, what about this one?
• 95% (53 out of 56)

5. EICAR
And this one?
• 0% (0 out of 57)
• Document contains the signature but the raw file does not

6. EICAR
Now what about this one?
• 86% (49 out of 57)
Here’s the previous one:
• 95% (53 out of 56)

7. The EICAR Test File
http://www.eicar.org/86-0-Intended-use.html
• “The file is a legitimate DOS program”
• Its contents are printable ASCII but it is executable!

8. The EICAR Test File
http://www.eicar.org/86-0-Intended-use.html
• “Any anti-virus product that supports the EICAR test file should detect it in
any file providing that the file starts with the following 68 characters, and is
exactly 68 bytes long”
X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
• “The first 68 characters is the known string. It may be optionally appended
by any combination of whitespace characters with the total file length not
exceeding 128 characters. The only whitespace characters allowed are the
space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses
only upper case letters, digits and punctuation marks, and does not include
spaces.”
• So that last eicar.txt file ending with a CRLF was still a valid EICAR file

9. What’s in a name?
• “Any anti-virus product…should detect it in any file …”
• So filename should be irrelevant
• eicar.com renamed to:
• eicar.gif
• eicar.pdf
• a.b
• Same VirusTotal result
• Phew, otherwise of course malware could just be renamed to escape detection

10. Back to the EICAR Quiz
• The Word document from earlier had no hits
What if we prepend the EICAR signature?
• 46% (26 out of 56)
• “…providing that the file starts with the following 68 characters…”
• Signature instead added as last bytes = 1 out of 57
• Signature instead inserted in the middle(ish) = 1 out of 57

11. Play your eiCards Right
• These Word files were 12,772 bytes – a lot more than 68
• “…It may be optionally appended by any combination of whitespace
characters with the total file length not exceeding 128 characters…”
• Recall original document with signature prepended
• 46% (26 out of 56)
• Truncated to 112 bytes
• 61% (34 out of 56)
• Size right but characters after signature include non-whitespace
• Whitespace after signature
• 81% (46 out of 57)
• Corrupt whitespace with “test” at offset 0x50
• 75% (43 out of 57)

12. Signature Context
• Recall when signature added as last bytes to document
• 2% (1 out of 57)
• Shortened to last 112 bytes with whitespace preceding
• 14% (8 out of 57)
• Interrupt whitespace with “test” at offset 0x10
• 5% (3 out of 57)

13. Other Factors
• Let’s return to the original Word document with no hits
• Let’s PDF it
• No hits
• Recall Word document with EICAR signature prepended
• 46% (26 out of 56)
• PDF file with EICAR signature prepended
• 54% (31 out of 57)
• Similar effect on hit rate when the signature is moved, the file truncated etc.
• PDF from EICARgen (http://blog.didierstevens.com/programs/eicargen/)
• PDF opens a text document containing EICAR – essentially eicar.txt
• Just like ZIP files, this embedded file can be detected – PDF Stream Objects
• 55% (31 out of 56)

14. So what?
• As always, produce as much evidence as possible
• When speculating, say so!
• Client may be able to fill in the gaps, although ensure the report makes that clear!
• A screenshot of the test file used run through VirusTotal is great evidence
• Ensure the major AV players detect the file
• SHA-256 hash is part of the output: hash downloaded file to be sure

15. So what?
• In general, the closer a file meets the EICAR spec, the better the hit rate
• More than just a signature
• Location
• File size
• Other bytes
• Beyond this, who knows what logic differences account for different scanners results?
• For testing AV on upload, renaming the original EICAR file is the best approach
• But then file is no longer valid for most formats (PDF, JPG, DOCX etc.)
• If the app is doing file header analysis, file may be rejected
- Possible false negative if interpreted as AV working
- As EICAR signature preference is for the start, what can you do?
• If text files are supported, always use the original EICAR file as a .txt
• Many AVs detect EICAR overzealously with reference to spec
• To meet (misinformed) expectations?
• Is this dangerous behaviour? Could it be exploited?