I personally use modified versions of amavisd-new and even if it's not vulnerable to this kind of trick, it still depends on the file utility to guess MIME types, which sucks.

Anyway, I went on and decided to create two mails and then submit them to VirusTotal:

  • one with a valid base64 encoding of the EICAR.COM test file:
AntiVir 7.2.0.49        12.07.2006      no virus found
Authentium      4.93.8  12.07.2006      EICAR_Test_File
Avast   4.7.892.0       12.07.2006      EICAR Test-NOT virus!!
AVG     386     12.07.2006      EICAR_Test (+2)
BitDefender     7.2     12.07.2006      no virus found
CAT-QuickHeal   8.00    12.06.2006      EICAR Test File
ClamAV  devel-20060426  12.07.2006      Eicar-Test-Signature
DrWeb   4.33    12.07.2006      EICAR Test File (NOT a Virus!)
eSafe   7.0.14.0        12.07.2006      EICAR Test File
eTrust-InoculateIT      23.73.79        12.07.2006      EICAR_test_file

  • one using Weimer's Perl script:
AntiVir 7.2.0.49        12.07.2006      no virus found
Authentium      4.93.8  12.07.2006      New or modified variant of Trivial <---
Avast   4.7.892.0       12.07.2006      EICAR Test-NOT virus!!
AVG     386     12.07.2006      no virus found <---
BitDefender     7.2     12.07.2006      no virus found
CAT-QuickHeal   8.00    12.06.2006      EICAR Test File
ClamAV  devel-20060426  12.07.2006      no virus found  <---
DrWeb   4.33    12.07.2006      no virus found  <---
eSafe   7.0.14.0        12.07.2006      no virus found <---
eTrust-InoculateIT      23.73.79        12.07.2006      EICAR_test_file

(for some reason, VirusTotal stopped scanning those files before the end of the analysis)

Not looking good, eh?

Anyway, even though this trick will fool most virus scanners, your client still needs to be able to decode it, which isn't always possible; but Outlook didn't mind at all and opened my second mail, while McAfee VirusScan Enterprise 8.0.0 stayed quiet.
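As an added illustration (this is not code from the original post and not Weimer's script), the following Python builds the first kind of mail, a valid base64 encoding of the EICAR test file, and runs the check a mail gateway should make before trusting its own decoder: every base64 attachment is decoded both strictly (RFC 4648 alphabet only, MIME line breaks allowed) and leniently (anything outside the alphabet silently dropped, the way tolerant clients behave), and any attachment where the two decoders disagree is flagged instead of passed. The `corrupt_base64()` helper splices a single non-alphabet byte into the body purely to produce such a disagreement; it is a constructed stand-in for "an encoding the scanner's decoder rejects but the client's accepts", not the actual encoding used in the second mail. Mail addresses are placeholders.

```python
import base64
import binascii
import email
from email.message import EmailMessage

# The standard EICAR anti-virus test string (harmless by design), the
# content of EICAR.COM used for the first mail in the post.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_mail(payload: bytes, filename: str = "eicar.com") -> bytes:
    """Build a mail carrying `payload` as a correctly base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder addresses
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = "base64 test"
    msg.set_content("see attachment")
    # add_attachment() with bytes applies a valid base64 Content-Transfer-Encoding
    # and wraps the lines as MIME requires.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


def corrupt_base64(raw: bytes, junk: str = "#", at: int = 4) -> bytes:
    """Constructed illustration only: splice one non-alphabet character into the
    base64 body of the first attachment.  This is NOT Weimer's encoding; it just
    yields input on which a strict and a lenient decoder disagree."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_filename():
            body = part.get_payload(decode=False)        # raw transfer-encoded text
            part.set_payload(body[:at] + junk + body[at:])
            break
    return bytes(msg)


def _strip_mime_linebreaks(b64: bytes) -> bytes:
    # RFC 2045 permits CRLF/LF between base64 lines; nothing else is tolerated
    # by the strict decoder.
    return b64.replace(b"\r\n", b"").replace(b"\n", b"")


def decode_strict(b64: bytes):
    """Decode with the RFC 4648 alphabet only; return None on any violation."""
    try:
        return base64.b64decode(_strip_mime_linebreaks(b64), validate=True)
    except binascii.Error:
        return None


def decode_lenient(b64: bytes):
    """Decode the way tolerant clients do: non-alphabet bytes are discarded."""
    try:
        return base64.b64decode(b64, validate=False)
    except binascii.Error:
        return None


def scan_mail(raw: bytes) -> list:
    """Return (filename, verdict) for every base64 attachment.

    'eicar'               strict decoder already recovers the test file
    'eicar-lenient-only'  strict decoder misses it, lenient decoder finds it:
                          a scanner using the strict decoder stays quiet while a
                          tolerant client would happily open the file
    'malformed-base64'    strict decoder fails, lenient finds nothing: the
                          content cannot be verified, so do not pass it through
    'clean'               both decoders agree and neither finds the test file
    """
    msg = email.message_from_bytes(raw)
    verdicts = []
    for part in msg.walk():
        if not part.get_filename():
            continue
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        b64 = part.get_payload(decode=False).encode("ascii", "surrogateescape")
        strict = decode_strict(b64)
        lenient = decode_lenient(b64)
        strict_hit = strict is not None and EICAR in strict
        lenient_hit = lenient is not None and EICAR in lenient
        if strict_hit:
            verdict = "eicar"
        elif lenient_hit:
            verdict = "eicar-lenient-only"
        elif strict is None:
            verdict = "malformed-base64"
        else:
            verdict = "clean"
        verdicts.append((part.get_filename(), verdict))
    return verdicts


if __name__ == "__main__":
    good = build_mail(EICAR)
    print("valid base64:     ", scan_mail(good))
    print("corrupted base64: ", scan_mail(corrupt_base64(good)))
```

The operational point is the last two verdicts: a gateway that only runs its strict decoder will see nothing in the corrupted mail and let it through, whereas comparing both decoders turns the client's tolerance into a detection signal. Whether a given client really decodes a given malformed body is still something to test per client, as the post's Outlook observation shows.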

From Quantenblog