The EICAR Test File
I'm sure most of you are familiar with the EICAR (European Institute for Computer Antivirus Research) test file. Your anti-virus application should detect the EICAR test file the same way it detects malicious files. But it is a test file, so of course, the EICAR file is not malicious.
If you have doubts that an anti-virus application is working correctly, you use the EICAR test file. If the file is not detected, there is a problem.
If you have doubts that anti-virus alerts are properly delivered to your SIEM, you use the EICAR test file.
There are many examples where the EICAR test file comes in handy.
But using the EICAR test file has become more difficult over the years, because there are more and more security applications and devices that detect it. For example, downloading the EICAR test file in a corporate environment will often fail, because the anti-virus on your proxy will detect and block it.
That's why I decided many years ago to create a program that writes the EICAR test file to disk when it is executed. Anti-virus programs should not detect the EICAR test string inside my program (per the EICAR test file convention), but they should detect it once it is written to disk. My program, EICARgen, worked fine for many years, but this changed a couple of years ago. Now many anti-virus programs detect EICARgen as a dropper (malware that writes its payload to disk).
I developed a new version: now when EICARgen is executed, nothing happens. It will only write the EICAR test file to disk when you pass it the proper argument: EICARgen write.
And now I come to the point of this diary entry. This new version of EICARgen is not only able to write the EICAR test file to disk, but also a couple of container files that contain the EICAR test file: a ZIP file, a PDF file and an Excel file. This is useful to test the settings of your anti-virus. For example, if your anti-virus is configured to scan the content of ZIP files, then you can use EICARgen to test this: EICARgen.exe zip eicar.zip.
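To illustrate the container-file idea, here is an added Python example that is not part of EICARgen or of this diary entry. It assembles the EICAR string from fragments (so the script itself does not carry the contiguous signature, in keeping with the convention mentioned above), writes the bare test file, and wraps it in a ZIP archive; it goes one step beyond the post by allowing several nested ZIP layers, which lets you check how deep your scanner unpacks archives. File names and the output directory are my own choices.

```python
import io
import zipfile
from pathlib import Path

# The 68-byte EICAR test string, split into fragments so that this source
# file does not itself contain the contiguous signature.
_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
          "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
          "!$H+H*")


def eicar_bytes() -> bytes:
    """Return the exact 68-byte EICAR test string."""
    return "".join(_PARTS).encode("ascii")


def write_eicar(path: Path) -> int:
    """Write the bare EICAR test file (the 'EICARgen write' case); return its size."""
    path.write_bytes(eicar_bytes())
    return path.stat().st_size


def zip_with_eicar(depth: int = 1, member: str = "eicar.com") -> bytes:
    """Return a ZIP archive holding the EICAR file, nested `depth` levels deep.
    depth=1 mirrors 'EICARgen.exe zip eicar.zip'; depth>1 probes how many
    archive layers the scanner is willing to unpack."""
    payload, name = eicar_bytes(), member
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), f"level{level + 1}.zip"
    return payload


def innermost_member(zip_bytes: bytes) -> bytes:
    """Unpack nested ZIPs until a non-ZIP member is reached; return its bytes.
    Used here to verify that the archive really contains the test string."""
    data = zip_bytes
    while data.startswith(b"PK\x03\x04"):  # ZIP local file header magic
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return data


if __name__ == "__main__":
    out = Path("eicar_test")  # constructed output directory
    out.mkdir(exist_ok=True)
    print("eicar.com bytes:", write_eicar(out / "eicar.com"))
    (out / "eicar.zip").write_bytes(zip_with_eicar(1))
    (out / "eicar_nested3.zip").write_bytes(zip_with_eicar(3))
    print("wrote", sorted(p.name for p in out.iterdir()))
```

If the bare file is quarantined but eicar_nested3.zip is not, your scanner's archive recursion depth (or its archive scanning altogether) is the setting to review.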
I also have a video of EICARgen in action.
Please write a comment if you have other examples of file formats that you use when testing your anti-virus. Or if you have an idea for a file format to add to EICARgen.
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Comments
I think all file types able to contain malicious code should be included in testing. Simply changing the extension is only a basic test though. Placing the test string into the proper file format is the best test and challenging to cover unique possibilities. All archival formats should be a given such as .tar .7z .gzip etc.
What about non-text formats like bitmaps, jpeg, fonts, or tiff for example? Many vulnerabilities have been uncovered in various file parsers so this would represent some real world possibilities needing detection.
The question is, how do you embed the EICAR test string in a binary format to simulate the signature of a buffer overflow exploit?
Anonymous, Jun 28th 2015
Also, I wonder what the impact is of the fact that eicar.com is a 16-bit executable, which is not supported on 64-bit systems.
It would also be nice to have a digitally signed (Authenticode) version of EICAR or something similar, as virus scanners may be configured to ignore files with a valid digital signature.
Anonymous, Jun 29th 2015
We also have an old Windows 95 computer connected to a proprietary system that is not on the network at all.
Anonymous, Jun 29th 2015
Just create the registry entry:
[HKEY_CLASSES_ROOT\.com\ShellNew]
"Data"=hex:58,35,4f,21,50,25,40,41,50,5b,34,5c,50,5a,58,35,34,28,50,5e,29,37,43,43,29,37,7d,24,45,49,43,41,52,2d,53,54,41,4e,44,41,52,44,2d,41,4e,54,49,56,49,52,55,53,2d,54,45,53,54,2d,46,49,4c,45,21,24,48,2b,48,2a
then use right-click New->MS-DOS Application and let Windows Explorer create it.
For other file formats create the appropriate "ShellNew" key.
Another possibility (not only on Windows) is to use a web browser:
data:application/octet-stream;base64,WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=
Anonymous, Jul 2nd 2015