
SANS ISC: InfoSec Handlers Diary Blog


The EICAR Test File

Published: 2015-06-28
Last Updated: 2015-06-28 15:03:39 UTC
by Didier Stevens (Version: 1)
7 comment(s)

I'm sure most of you are familiar with the EICAR (European Institute for Computer Antivirus Research) test file. Your anti-virus application should detect the EICAR test file the same way it detects malicious files. But it is only a test file, so of course the EICAR file itself is not malicious.

If you have doubts that an anti-virus application is working correctly, you use the EICAR test file. If the file is not detected, there is a problem.

If you have doubts that anti-virus alerts are properly delivered to your SIEM, you use the EICAR test file.

There are many examples where the EICAR test file comes in handy.

But using the EICAR test file has become more difficult over the years, because there are more and more security applications and devices that detect it. For example, downloading the EICAR test file in a corporate environment will often fail, because the anti-virus on your proxy will detect and block it.

That's why, many years ago, I decided to create a program that writes the EICAR test file to disk when it is executed. Anti-virus programs should not detect the EICAR test string inside my program (per the EICAR test file convention), but they should detect it once it is written to disk. My program, EICARgen, worked fine for many years, but that changed a couple of years ago: now many anti-virus programs detect EICARgen as a dropper (malware that writes its payload to disk).

I developed a new version: now, when EICARgen is executed without arguments, nothing happens. It only writes the EICAR test file to disk when you pass it the proper argument: EICARgen write.

And now I come to the point of this diary entry. This new version of EICARgen is not only able to write the EICAR test file to disk, but also a couple of container files that contain the EICAR test file: a ZIP file, a PDF file and an Excel file. This is useful to test the settings of your anti-virus. For example, if your anti-virus is configured to scan the content of ZIP files, then you can use EICARgen to test this: EICARgen.exe zip eicar.zip.
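As an added example (not EICARgen's own code, which is a Windows executable), here is a small Python re-implementation of the same idea: nothing is written unless you pass `write` or `zip`, the 68-byte test string is assembled only at runtime, and the script can also check that what it produced actually follows the EICAR file convention (first 68 bytes, optional trailing whitespace, at most 128 bytes in total). The file names and the `zip_holds_eicar` helper are this example's own choices.

```python
import io
import sys
import zipfile

# The 68-byte test string is joined at runtime from fragments, so the script's
# own source never holds the contiguous string; per the EICAR convention only
# a file that *starts* with it should trigger detection.
_FRAGMENTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
              "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!", "$H+H*")

def eicar_bytes() -> bytes:
    return "".join(_FRAGMENTS).encode("ascii")

def is_eicar_file(data: bytes) -> bool:
    """EICAR convention: the 68-byte string first, optionally followed by
    whitespace, and the whole file no longer than 128 bytes."""
    sig = eicar_bytes()
    if len(data) > 128 or not data.startswith(sig):
        return False
    return data[len(sig):].strip(b" \t\r\n") == b""

def build(kind: str) -> bytes:
    """Bytes to write: the bare test file, or a ZIP containing it as eicar.com."""
    if kind == "write":
        return eicar_bytes()
    if kind == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("eicar.com", eicar_bytes())
        return buf.getvalue()
    raise ValueError(f"unsupported format: {kind}")

def zip_holds_eicar(data: bytes) -> bool:
    """True if some entry of the ZIP is itself a valid EICAR test file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(is_eicar_file(zf.read(name)) for name in zf.namelist())

def main(argv: list) -> int:
    # Like EICARgen: run without an argument, nothing is written to disk.
    if len(argv) < 2 or argv[1] not in ("write", "zip"):
        print("usage: eicargen.py write [eicar.com] | zip [eicar.zip]")
        return 1
    default = {"write": "eicar.com", "zip": "eicar.zip"}[argv[1]]
    path = argv[2] if len(argv) > 2 else default
    with open(path, "wb") as f:
        f.write(build(argv[1]))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python eicargen.py zip eicar.zip` on a host whose anti-virus should scan inside archives; if the ZIP is not flagged but `python eicargen.py write` is, archive scanning is the setting to look at.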

I also have a video of EICARgen in action.

Please write a comment if you have other examples of file formats that you use when testing your anti-virus. Or if you have an idea for a file format to add to EICARgen.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: antivirus EICAR