
Testing Gmail’s Anti-Virus

Patrick Lee

Google launched Gmail on 1 April 2004. Twenty-one months later it is still in beta. The developers of Gmail keep improving the functionality of this fast-emerging free email service, and one of the latest features is virus scanning. Google does not announce which anti-virus scanning engine(s) Gmail uses, but there have been rumours.

The experiments reported here test the circumstances in which a virus will be detected and blocked by Gmail's anti-virus. One and only one “sample” was used: the EICAR standard anti-virus test file. The test file is suitable for this purpose because all anti-virus products detect it in the same way they detect a virus, yet it is not a virus and is not malicious in any way. It therefore reveals when a virus would be detected or, conversely, missed, and, very importantly, there is no risk of accidentally starting an outbreak. Obviously, the test file cannot be used to measure the detection capabilities of virus scanners; such a test would require a large number of different live virus samples, and it would be extremely irresponsible to perform it outside a strictly controlled environment, doubly so on a working public service.

Test 1 – Plain text EICAR message

Using the Gmail compose interface, a single line containing the EICAR test string was entered as the body of the email.

The purpose was to see whether the virus scanning engine scans all content of the email or solely the attachments. The following image shows the result.

Apparently the engine does not scan the message body.

Test 2 – EICAR plain text file attachment

Gmail had already blocked any file attachments with executable file extensions before the virus scanning feature was introduced. Therefore a plain text file “eicar.txt” containing a line with the EICAR string was produced and attached to the email.

A few seconds later, because the message had been modified, Gmail automatically saved it as a draft.

Upon trying to send the email manually, the following alert dialogue popped up.

The dialogue did not say what had happened. The same response was received using Mozilla Firefox. Probably the virus scanning engine detected the file attachment as malware, even though it did not have an executable file extension.

Test 3 – Incoming Plain text EICAR message

This test was similar to test 1, but the other way round. An incoming message containing the EICAR text string was sent to the account, and it was not blocked by the virus scanning engine.

Test 4 – Drafted message with EICAR file

From test 2 we can see that a message is saved automatically as a draft once it has been modified. The draft is then kept in the draft folder, namely the “Drafts” tab.

It was surprising that the EICAR file could be downloaded from the draft. Consider the following scenario: Machine A has been infected and the user is unaware of it. The user tries to send an infected file using Gmail (presumably, of course, without knowing the file is infected). Gmail responds with the dialogue seen in test 2. The user thinks that the problem might lie with Machine A. “Luckily” the whole message has been auto-saved in the “Drafts” tab, so the user goes to another computer, Machine B, and tries to send the mail again (which will not work), or even downloads and executes the infected file.

The above scenario is not uncommon. Because of Gmail's gigantic storage (more than 2.5GB total per user account), some users misuse it as a medium of mobile file storage by sending files to their own Gmail accounts. Malware could be transferred in this way if the draft folder is not scanned.

Test 5 – Zipped EICAR file

The EICAR file was zipped and an attempt was made to send it. Gmail prohibited the sending action with the same dialogue as in test 2. Unfortunately the message was again auto-saved as a draft.

Test 6 – Encrypted zipped EICAR file

This time the EICAR text file was zipped with password encryption.

The email could be sent successfully.

Test 7 – Control Experiment

This test acted as a control experiment. An arbitrary text file named “fubar.txt” (containing the text string “fubar”) was attached to the email.

Of course the email was sent and received successfully.

Conclusion:

We did not test the detection strength of the anti-virus engine on Gmail. The responses and behaviour of Gmail are similar to those of any ordinary mail gateway with anti-virus protection; for example, encrypted attachments are not scanned.

The responses presented to users did not always clearly indicate the problem: there is room for improvement in this area.

The behaviour of Gmail with draft messages is a matter of concern: drafts with infected attachments are saved and can be retrieved later, quite possibly on a different computer. Gmail can therefore help to spread viruses. The fact that some users make use of Google as a mobile file store means that there is a real threat here. The developers of Gmail should ensure that draft messages are also scanned.
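To make the distinctions the seven tests draw concrete, here is an added example (not code from the original article or from Google) of a minimal gateway-style scanner in Python: it checks the message body as well as attachments, unpacks zip archives, and reports password-protected zip entries as unscannable so that policy can quarantine them instead of passing them through. The signature table, the message builder and the "encrypted" zip fixture are assumptions for illustration only.

```python
import io
import zipfile
from email.message import EmailMessage
# The public EICAR test string, the only "sample" the article used.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Hypothetical signature table for this illustration: substring -> detection name.
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File"}
ZIP_ENCRYPTED = 0x1  # general-purpose flag bit 0 of a zip entry header

def scan_bytes(data, where):
    """Scan one blob; zip archives are unpacked and every entry scanned."""
    if data[:4] != b"PK\x03\x04":
        return [(where, name) for sig, name in SIGNATURES.items() if sig in data]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            inner = f"{where}:{info.filename}"
            if info.flag_bits & ZIP_ENCRYPTED:
                # Password-protected content cannot be inspected (the gap Test 6 exposed).
                findings.append((inner, "UNSCANNABLE-encrypted-entry"))
            else:
                findings.extend(scan_bytes(zf.read(info), inner))
    return findings

def scan_message(msg):
    """Scan the body text as well as every attachment (Test 1 showed only
    attachments were checked; a gateway doing the same has the same gap)."""
    findings = []
    for part in msg.walk():
        if not part.is_multipart():
            where = part.get_filename() or "body"
            findings.extend(scan_bytes(part.get_payload(decode=True) or b"", where))
    return findings

def make_zip(name, data, mark_encrypted=False):
    """In-memory zip. Constructed fixture: stdlib zipfile cannot write encrypted
    archives, so mark_encrypted only sets the header bit the scanner checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
        if mark_encrypted:
            zf.filelist[-1].flag_bits |= ZIP_ENCRYPTED
    return buf.getvalue()

def build_message(body, attachment=None, filename=None):
    # Constructed message mirroring the article's set-ups: body plus optional file.
    msg = EmailMessage()
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg
```

Run against messages built like Tests 1, 2, 5, 6 and 7, the scanner flags the body and the plain and zipped attachments, reports the password-protected entry as unscannable, and passes the control file clean.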


Gallery (screenshot captions; images not reproduced)

Test 1 – Plain text EICAR message
Test 1 result
Test 2 – EICAR plain text file attachment
Test 2 alert dialog
Test 3 – Incoming plain text EICAR message
Test 4 – Drafted message with EICAR file
Test 5 – Zipped EICAR file
Test 6 – Encrypted zipped EICAR file
Test 6 result, "virus" transmitted
Test 7 – Control experiment
Test 7 – Control experiment result