EICAR test file

Last updated April 25, 2024

The EICAR Anti-Virus Test File^[1] or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO) to test the response of computer antivirus (AV) programs.^[2] Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.^[3]

Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in more or less the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured. Neither the way in which the file is detected nor the wording with which it is flagged are standardized, and may differ from the way in which real malware is flagged, but should prevent it from executing as long as it meets the strict specification set by European Institute for Computer Antivirus Research.^[4]

The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file. Many of the AMTSO Feature Settings Checks^[5] are based on the EICAR test string.^[5]

Design

The file is a text file of between 68 and 128 bytes ^[6] that is a legitimate .com executable file (plain x86 machine code) that can be run by MS-DOS, some work-alikes, and its successors OS/2 and Windows (except for 64-bit due to 16-bit limitations). The EICAR test file will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" when executed and then will stop. The test string was written by noted anti-virus researchers Padgett Peterson and Paul Ducklin and engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard.^[7] It makes use of self-modifying code to work around technical issues that this constraint imposes on the execution of the test string.^[8]

The EICAR test string^[9] reads^[10]

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The third character is the capital letter 'O', not the digit zero.

The string's hash values (68 bytes without any trailing newline character) are as follows:

Hash type	Value
CRC32	6851cf3c
MD5	44d88612fea8a8f36de82e1278abb02f
SHA1	3395856ce81f2b7382dee72602f798b642f14140
SHA224	b42ec8b47deb2dc75edebd01132d63f8e8d4cd08e5d26d8bd366bdc5
SHA256	275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
SHA384	038f2e50e33dacef50d7e503b45c3525fcdbe89a823f9c4417d7c13e8e96a53dd6bd6d7fcc91189c5cda7253f4455106
SHA512	cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

Adoption

According to EICAR's specification the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long. As a result antiviruses are not expected to raise an alarm on some other document containing the test string.^[11] The test file can still be used for some malicious purposes, exploiting the reaction from the antivirus software:

A race condition involving symlinks can cause antiviruses to delete themselves.^[12]
A QR-encoded EICAR test file crashes some CCTV systems.^[13]^{[ failed verification ]}

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

The European Institute for Computer Antivirus Research (EICAR) was founded in 1991 as an organization aiming to further antivirus research and improving development of antivirus software. Recently EICAR has furthered its scope to include the research of malicious software (malware) other than computer viruses and extended work on other information security topics like content security, Wireless LAN security, RFID and information security awareness. EICAR also organizes international security conferences most years, as well as a number of working groups or 'task forces'.

ClamAV (antivirus) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses. It was developed for Unix and has third party versions available for AIX, BSD, HP-UX, Linux, macOS, OpenVMS, OSF (Tru64), Solaris and Haiku. As of version 0.97.5, ClamAV builds and runs on Microsoft Windows. Both ClamAV and its updates are made available free of charge. One of its main uses is on mail servers as a server-side email virus scanner.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

ClamWin Free Antivirus is a free and open-source antivirus tool for Windows. It provides a graphical user interface to the Clam AntiVirus engine.

Windows Live OneCare was a computer security and performance enhancement service developed by Microsoft for Windows. A core technology of OneCare was the multi-platform RAV, which Microsoft purchased from GeCAD Software Srl in 2003, but subsequently discontinued. The software was available as an annual paid subscription, which could be used on up to three computers.

The GTUBE is a 68-byte test string used to test anti-spam systems, in particular those based on SpamAssassin. In SpamAssassin, it carries an anti-spam score of 1000 by default, which would be sufficient to trigger any installation.

CARO is an organization that was established in 1990 to research and study malware.

Defensive computing is a form of practice for computer users to help reduce the risk of computing problems, by avoiding dangerous computing practices. The primary goal of this method of computing is to be able to anticipate and prepare for potentially problematic situations prior to their occurrence, despite any adverse conditions of a computer system or any mistakes made by other users. This can be achieved through adherence to a variety of general guidelines, as well as the practice of specific computing techniques.

Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.

VirusTotal is a website created by the Spanish security company Hispasec Sistemas. Launched in June 2004, it was acquired by Google in September 2012. The company's ownership switched in January 2018 to Chronicle, a subsidiary of Google.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Malwarebytes is anti-malware software for Microsoft Windows, macOS, ChromeOS, Android, and iOS that finds and removes malware. Made by Malwarebytes Corporation, it was first released in January 2006. This is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash-memory scanner.

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

Trend Micro Internet Security is an antivirus and online security program developed by Trend Micro for the consumer market. According to NSS Lab comparative analysis of software products for this market in 2014, Trend Micro Internet Security was fastest in responding to new internet threats.

Eddy Willems, is a Belgian computer security expert and author of security blogs and books, active in international computer security organizations and as a speaker at information security-related events.

ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.

Igor Muttik is a computer security expert, researcher and inventor.

References

↑ "Is Your Antivirus Working?". PCMAG. Retrieved 17 April 2017.
↑ Hay, Richard (12 September 2016). "How To: Test the SmartScreen Filter and Windows Defender Detection Scenarios". IT Pro Today. Retrieved 3 July 2019.
↑ Hess, Ken. "360 Total Security Anti-virus first impressions: Refreshingly subtle but thorough | ZDNet". ZDNet. Retrieved 17 April 2017.
↑ "The Use and Misuse of Test Files in Anti-Malware Testing" (PDF). AMTSO. 24 February 2012. Retrieved 3 July 2019.
1 2 "AMTSO Security Features Check Tools". AMTSO.
↑ Willems, Eddy (June 2003). "The Winds of Change: Updates to the EICAR Test File" (PDF). Virus Bulletin .
↑ Willems, Eddy. "EICAR's Test File History" (PDF). Eicar – European Expert Group for IT–Security. Archived from the original (PDF) on 16 December 2015. Retrieved 9 May 2020.
↑ "Anatomy of the EICAR Antivirus Test File". NinTechNet's updates and security announcements. 26 August 2021.
↑ "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" . Retrieved 21 July 2019.
↑ "Virus Profile: EICAR test file". McAfee . Archived from the original on 5 February 2009. Retrieved 9 May 2020.
↑ "Download Anti Malware Testfile – Eicar" (in German). Archived from the original on 28 April 2022. Retrieved 22 September 2020.
↑ "Exploiting (Almost) Every Antivirus Software – RACK911 Labs".
↑ "EICAR test QR".

External links

Official website (also known as the European Expert Group for IT-Security)
An Examination of the EICAR's Standard A-V Test Program Assembly-language analysis of the EICAR test file
VirusTotal Antivirus results from scanning the EICAR file
"The Use and Misuse of Test Files in Anti-Malware Testing". Anti-Malware Testing Standards Organization. Archived from the original on 16 August 2017.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Is Your Antivirus Working?". PCMAG. Retrieved 17 April 2017.

[2] Hay, Richard (12 September 2016). "How To: Test the SmartScreen Filter and Windows Defender Detection Scenarios". IT Pro Today. Retrieved 3 July 2019.

[3] Hess, Ken. "360 Total Security Anti-virus first impressions: Refreshingly subtle but thorough | ZDNet". ZDNet. Retrieved 17 April 2017.

[4] "The Use and Misuse of Test Files in Anti-Malware Testing" (PDF). AMTSO. 24 February 2012. Retrieved 3 July 2019.

[auto-5] 1 2 "AMTSO Security Features Check Tools". AMTSO.

[6] Willems, Eddy (June 2003). "The Winds of Change: Updates to the EICAR Test File" (PDF). Virus Bulletin .

[7] Willems, Eddy. "EICAR's Test File History" (PDF). Eicar – European Expert Group for IT–Security. Archived from the original (PDF) on 16 December 2015. Retrieved 9 May 2020.

[8] "Anatomy of the EICAR Antivirus Test File". NinTechNet's updates and security announcements. 26 August 2021.

[9] "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" . Retrieved 21 July 2019.

[10] "Virus Profile: EICAR test file". McAfee . Archived from the original on 5 February 2009. Retrieved 9 May 2020.

[11] "Download Anti Malware Testfile – Eicar" (in German). Archived from the original on 28 April 2022. Retrieved 22 September 2020.

[12] "Exploiting (Almost) Every Antivirus Software – RACK911 Labs".

[13] "EICAR test QR".

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electromagnetic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Hacktivism Insecure direct object reference Keystroke loggers Logic bombs Time bombs Fork bombs Zip bombs Fraudulent dialers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Obfuscation (software) Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Security information and event management (SIEM) Mobile secure gateway Runtime application self-protection Site isolation

v t e Standard test items
Pangram Reference implementation Sanity check Standard test image
Artificial intelligence	Chinese room Turing test
Television (test card)	SMPTE color bars EBU colour bars Indian-head test pattern EIA 1956 resolution chart BBC Test Card A, B, C, D, E, F, G, H, J, W, X ETP-1 Philips circle pattern (PM 5538, PM 5540, PM 5544, PM 5644) Snell & Wilcox SW2/SW4 Telefunken FuBK TVE test card UEIT
Computer languages	"Hello, World!" program Quine Trabb Pardo–Knuth algorithm Man or boy test Just another Perl hacker
Data compression	Calgary corpus Canterbury corpus Silesia corpus enwik8, enwik9
3D computer graphics	Cornell box Stanford bunny Stanford dragon Utah teapot List
Machine learning	ImageNet MNIST database List
Typography (filler text)	Etaoin shrdlu Hamburgevons Lorem ipsum The quick brown fox jumps over the lazy dog
Other	3DBenchy Acid 1 2 3 "Bad Apple!!" EICAR test file functions for optimization GTUBE Harvard sentences Lenna "The North Wind and the Sun" "Tom's Diner" SMPTE universal leader EURion constellation Shakedown Webdriver Torso 1951 USAF resolution test chart