EICAR test file

The EICAR Anti-Virus Test File[1] or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs.[2] Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.[3]

Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in more or less the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured. Neither the way in which the file is detected nor the wording with which it is flagged are standardized, and may differ from the way in which real malware is flagged, but should prevent it from executing as long as it meets the strict specification set by European Institute for Computer Antivirus Research.[4]

The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file. Many of the AMTSO Feature Settings Checks[5] are based on the EICAR test string.[5]

DesignEdit

The file is a text file of between 68 and 128 bytes[6] that is a legitimate .com executable file (plain x86 machine code) that can be run by MS-DOS, some work-alikes, and its successors OS/2 and Windows (except for 64-bit due to 16-bit limitations). When executed, the EICAR test file will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" and then will stop. The test string was written by noted anti-virus researchers Padgett Peterson and Paul Ducklin and engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard.[7] It makes use of self-modifying code to work around technical issues that this constraint imposes on the execution of the test string.[8]

The EICAR test string[9] reads:[10]

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

NOTE: The third character is the capital letter 'O', not the digit zero.

The string's hash values (68 bytes without any trailing newline character) are as follows:

Hash type Value
CRC32 6851cf3c
MD5 44d88612fea8a8f36de82e1278abb02f
SHA1 3395856ce81f2b7382dee72602f798b642f14140
SHA224 b42ec8b47deb2dc75edebd01132d63f8e8d4cd08e5d26d8bd366bdc5
SHA256 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
SHA384 038f2e50e33dacef50d7e503b45c3525fcdbe89a823f9c4417d7c13e8e96a53dd6bd6d7fcc91189c5cda7253f4455106
SHA512 cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

AdoptionEdit

The developers of one anti-virus software, Malwarebytes, have said that they did not add the EICAR test file to their database, because "adding fake malware and test files like EICAR to the database takes time away from malware research, and proves nothing in the long run."[11][12]

According to EICAR's specification, the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long. As a result, antiviruses are not expected to raise an alarm on some other document containing the test string.[13] The test file can still be used for some malicious purposes, exploiting the reaction from the antivirus software:

  • A race condition involving symlinks can cause antiviruses to delete themselves.[14]
  • A QR-encoded EICAR test file crashes some CCTV systems.[15]

See alsoEdit

ReferencesEdit

  1. ^ "Is Your Antivirus Working?". PCMAG. Retrieved 2017-04-17.
  2. ^ Hay, Richard (2016-09-12). "How To: Test the SmartScreen Filter and Windows Defender Detection Scenarios". IT Pro Today. Retrieved 2019-07-03.
  3. ^ Hess, Ken. "360 Total Security Anti-virus first impressions: Refreshingly subtle but thorough | ZDNet". ZDNet. Retrieved 2017-04-17.
  4. ^ "The Use and Misuse of Test Files in Anti-Malware Testing" (PDF). AMTSO. 2012-02-24. Retrieved 2019-07-03.
  5. ^ a b "AMTSO Security Features Check Tools". AMTSO.
  6. ^ Willems, Eddy (June 2003). "The Winds of Change: Updates to the EICAR Test File" (PDF). Virus Bulletin.
  7. ^ Willems, Eddy. "EICAR's Test File History" (PDF). Eicar – European Expert Group for IT–Security. Retrieved 9 May 2020.
  8. ^ "Anatomy of the EICAR Antivirus Test File". NinTechNet's updates and security announcements.
  9. ^ "EICAR-STANDARD-ANTIVIRUS-TEST-FILE". Retrieved July 21, 2019.
  10. ^ "Virus Profile: EICAR test file". McAfee. Archived from the original on 2009-02-05. Retrieved 9 May 2020.CS1 maint: unfit url (link)
  11. ^ "Malwarebytes can't detect EICAR Test Virus". Malwarebytes Forums.
  12. ^ "Malwarebytes 3 - Frequently Asked Questions". Malwarebytes Forums.
  13. ^ "Download Anti Malware Testfile – Eicar" (in German).
  14. ^ "Exploiting (Almost) Every Antivirus Software – RACK911 Labs".
  15. ^ "EICAR test QR".

External linksEdit