Several e-mail virus scanners can be tricked into passing an EICAR
test file if both of the following conditions are met:

- the EICAR file is encoded in Base64 and the encoded data includes
  characters not in the standard alphabet (e.g. whitespace), and
- the part containing the EICAR file is nested within one or several
  levels of multipart/mixed content.

Details and PoC can be found at:
http://www.quantenblog.net/security/virus-scanner-bypass

Vulnerable products:
- BitDefender Mail Protection for SMB 2.0
- ClamAV 0.88.6
- F-Prot Antivirus for Linux x86 Mail Servers 4.6.6
- Kaspersky Anti-Virus for Linux Mail Server 5.5.10

Not recognizing the EICAR file, but aborting the scan:
- F-Secure Anti-Virus for Linux Gateways 4.65

Not vulnerable:
- avast! for Linux/Unix Servers 2.0.0
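
Added example (not part of the original advisory or its PoC): a Python
check of the two properties a mail scanner needs for the case above,
namely Base64 decoding that ignores non-alphabet bytes, as RFC 2045
requires of decoders, and recursion into every multipart level. The
function names, the depth limit of 32 and the sample message are
assumptions constructed for illustration.

```python
import base64
import re
from email import message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

# The standard 68-byte EICAR test string (harmless by design).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def lenient_b64decode(data: bytes) -> bytes:
    """Decode Base64 as RFC 2045 requires: ignore bytes outside the alphabet."""
    clean = re.sub(rb"[^A-Za-z0-9+/]", b"", data)
    if len(clean) % 4 == 1:   # a dangling character encodes no complete byte
        clean = clean[:-1]
    return base64.b64decode(clean + b"=" * (-len(clean) % 4))

def leaf_bodies(msg, depth=0, max_depth=32):
    """Yield (depth, decoded_bytes) for every leaf part at any nesting level."""
    if depth > max_depth:     # assumed limit: fail closed instead of passing
        raise ValueError("MIME nesting too deep: treat message as unscannable")
    if msg.is_multipart():
        for part in msg.get_payload():
            yield from leaf_bodies(part, depth + 1, max_depth)
        return
    cte = str(msg.get("Content-Transfer-Encoding", "")).strip().lower()
    if cte == "base64":
        raw = msg.get_payload().encode("ascii", "surrogateescape")
        yield depth, lenient_b64decode(raw)
    else:
        yield depth, msg.get_payload(decode=True) or b""

def scan(raw_message: bytes) -> list:
    """Return the nesting depth of each leaf part that contains EICAR."""
    msg = message_from_bytes(raw_message)
    return [depth for depth, body in leaf_bodies(msg) if EICAR in body]

def build_sample(levels: int = 2) -> bytes:
    """Constructed sample: EICAR as Base64 with embedded spaces and tabs,
    wrapped in `levels` layers of multipart/mixed."""
    b64 = base64.b64encode(EICAR).decode("ascii")
    noisy = " \t".join(b64[i:i + 7] for i in range(0, len(b64), 7))
    node = MIMEBase("application", "octet-stream")
    node.set_payload(noisy)
    node["Content-Transfer-Encoding"] = "base64"
    for _ in range(levels):
        outer = MIMEMultipart("mixed")
        outer.attach(node)
        node = outer
    return node.as_bytes()
```

A scanner built this way should raise an alert for the constructed
sample at any nesting level, and should reject the message rather than
pass it when a part cannot be decoded or the depth limit is exceeded.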