EICAR test file

Last updated November 22, 2024

The EICAR Anti-Virus Test File^[1] or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO) to test the response of computer antivirus (AV) programs.^[2] Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.^[3]

Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in more or less the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured. Neither the way in which the file is detected nor the wording with which it is flagged are standardized, and may differ from the way in which real malware is flagged, but should prevent it from executing as long as it meets the strict specification set by EICAR.^[4]

The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file. Many of the AMTSO Feature Settings Checks^[5] are based on the EICAR test string.^[5]

Design

The file is a text file of between 68 and 128 bytes ^[6] that is a legitimate .com executable file (plain x86 machine code) that can be run by MS-DOS, some work-alikes, and its successors OS/2 and Windows (except for 64-bit due to 16-bit limitations). The EICAR test file will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" when executed and then will stop. The test string was written by noted anti-virus researchers Padgett Peterson and Paul Ducklin and engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard.^[7] It makes use of self-modifying code to work around technical issues that this constraint imposes on the execution of the test string.^[8]

The EICAR test string^[9] reads^[10]

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The third character is the capital letter 'O', not the digit zero.

Adoption

According to EICAR's specification the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long. As a result, antiviruses are not expected to raise an alarm on some other document containing the test string.^[11] The test file can still be used for some malicious purposes, exploiting the reaction from the antivirus software. For example, a race condition involving symlinks can cause antiviruses to delete themselves.^[12]

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

In computing terminology, a macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application. Some applications, such as Microsoft Office, Excel, PowerPoint allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses; however, the macro virus' behavior can still be difficult to detect.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

The European Institute for Computer Antivirus Research (EICAR) was founded in 1991 as an organization aiming to further antivirus research and improving development of antivirus software. Recently EICAR has furthered its scope to include the research of malicious software (malware) other than computer viruses and extended work on other information security topics like content security, Wireless LAN security, RFID and information security awareness. EICAR also organizes international security conferences most years, as well as a number of working groups or 'task forces'.

ClamAV (antivirus) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses. It was developed for Unix and has third party versions available for AIX, BSD, HP-UX, Linux, macOS, OpenVMS, OSF (Tru64), Solaris and Haiku. As of version 0.97.5, ClamAV builds and runs on Microsoft Windows. Both ClamAV and its updates are made available free of charge. One of its main uses is on mail servers as a server-side email virus scanner.

ClamWin Free Antivirus is a free and open-source antivirus tool for Windows. It provides a graphical user interface to the Clam AntiVirus engine.

Windows Live OneCare was a computer security and performance enhancement service developed by Microsoft for Windows. A core technology of OneCare was the multi-platform RAV, which Microsoft purchased from GeCAD Software Srl in 2003, but subsequently discontinued. The software was available as an annual paid subscription, which could be used on up to three computers.

CARO is an organization that was established in 1990 to research and study malware.

In computing, a zip bomb, also known as a decompression bomb or zip of death (ZOD), is a malicious archive file designed to crash or render useless the program or system reading it. The older the system or program, the less likely it is that the zip bomb will be detected. It is often employed to disable antivirus software, in order to create an opening for more traditional malware.

Defensive computing is a form of practice for computer users to help reduce the risk of computing problems, by avoiding dangerous computing practices. The primary goal of this method of computing is to be able to anticipate and prepare for potentially problematic situations prior to their occurrence, despite any adverse conditions of a computer system or any mistakes made by other users. This can be achieved through adherence to a variety of general guidelines, as well as the practice of specific computing techniques.

Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.

Kaspersky Internet Security is a internet security suite developed by Kaspersky Lab compatible with Microsoft Windows and Mac OS X. Kaspersky Internet Security offers protection from malware, as well as email spam, phishing and hacking attempts, and data leaks. Kaspersky Lab Diagnostics results are distributed to relevant developers through the MIT License.

VirusTotal is a website created by the Spanish security company Hispasec Sistemas. Launched in June 2004, it was acquired by Google in September 2012. The company's ownership switched in January 2018 to Chronicle, a subsidiary of Google.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Malwarebytes is anti-malware software for Microsoft Windows, macOS, ChromeOS, Android, and iOS that finds and removes malware. Made by Malwarebytes Corporation, it was first released in January 2006. This is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash-memory scanner.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

Trend Micro Internet Security is an antivirus and online security program developed by Trend Micro for the consumer market. According to NSS Lab comparative analysis of software products for this market in 2014, Trend Micro Internet Security was fastest in responding to new internet threats, but as of June 2024 based on the chat support there is no known mechanism as with Microsoft Defender Antivirus to submit false positives like "Incorrectly detected as malware/malicious" or "Incorrectly detected as PUA " which may point to cutting corners and be the cause of application mislabeling e.g. as ransomware, while the mechanism for detecting real threats is not specified.

Eddy Willems, is a Belgian computer security expert and author of security blogs and books, active in international computer security organizations and as a speaker at information security-related events.

Igor Muttik is a computer security expert, researcher and inventor.

References

↑ "Is Your Antivirus Working?". PCMAG. Retrieved 17 April 2017.
↑ Hay, Richard (12 September 2016). "How To: Test the SmartScreen Filter and Windows Defender Detection Scenarios". IT Pro Today. Retrieved 3 July 2019.
↑ Hess, Ken. "360 Total Security Anti-virus first impressions: Refreshingly subtle but thorough". ZDNet. Retrieved 17 April 2017.
↑ "The Use and Misuse of Test Files in Anti-Malware Testing" (PDF). AMTSO. 24 February 2012. Retrieved 3 July 2019.
1 2 "AMTSO Security Features Check Tools". AMTSO.
↑ Willems, Eddy (June 2003). "The Winds of Change: Updates to the EICAR Test File" (PDF). Virus Bulletin .
↑ Willems, Eddy. "EICAR's Test File History" (PDF). Eicar – European Expert Group for IT–Security. Archived from the original (PDF) on 16 December 2015. Retrieved 9 May 2020.
↑ "Anatomy of the EICAR Antivirus Test File". NinTechNet's updates and security announcements. 26 August 2021.
↑ "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" . Retrieved 21 July 2019.
↑ "Virus Profile: EICAR test file". McAfee . Archived from the original on 5 February 2009. Retrieved 9 May 2020.
↑ "Download Anti Malware Testfile – Eicar" (in German). Archived from the original on 28 April 2022. Retrieved 22 September 2020.
↑ "Exploiting (Almost) Every Antivirus Software – RACK911 Labs".

External links

Official website (also known as the European Expert Group for IT-Security)
An Examination of the EICAR's Standard A-V Test Program Assembly-language analysis of the EICAR test file
VirusTotal Antivirus results from scanning the EICAR file
"The Use and Misuse of Test Files in Anti-Malware Testing". Anti-Malware Testing Standards Organization. Archived from the original on 16 August 2017.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Is Your Antivirus Working?". PCMAG. Retrieved 17 April 2017.

[2] Hay, Richard (12 September 2016). "How To: Test the SmartScreen Filter and Windows Defender Detection Scenarios". IT Pro Today. Retrieved 3 July 2019.

[3] Hess, Ken. "360 Total Security Anti-virus first impressions: Refreshingly subtle but thorough". ZDNet. Retrieved 17 April 2017.

[4] "The Use and Misuse of Test Files in Anti-Malware Testing" (PDF). AMTSO. 24 February 2012. Retrieved 3 July 2019.

[auto-5] 1 2 "AMTSO Security Features Check Tools". AMTSO.

[6] Willems, Eddy (June 2003). "The Winds of Change: Updates to the EICAR Test File" (PDF). Virus Bulletin .

[7] Willems, Eddy. "EICAR's Test File History" (PDF). Eicar – European Expert Group for IT–Security. Archived from the original (PDF) on 16 December 2015. Retrieved 9 May 2020.

[8] "Anatomy of the EICAR Antivirus Test File". NinTechNet's updates and security announcements. 26 August 2021.

[9] "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" . Retrieved 21 July 2019.

[10] "Virus Profile: EICAR test file". McAfee . Archived from the original on 5 February 2009. Retrieved 9 May 2020.

[11] "Download Anti Malware Testfile – Eicar" (in German). Archived from the original on 28 April 2022. Retrieved 22 September 2020.

[12] "Exploiting (Almost) Every Antivirus Software – RACK911 Labs".

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electromagnetic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Bombs Fork Logic Time Zip Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Fraudulent dialers Hacktivism Infostealer Insecure direct object reference Keystroke loggers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Obfuscation (software) Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Information security management Information risk management Security information and event management (SIEM) Runtime application self-protection Site isolation

v t e Standard test items
Pangram Reference implementation Sanity check Standard test image
Artificial intelligence	Chinese room Turing test
Television (test card)	SMPTE color bars EBU colour bars Indian-head test pattern EIA 1956 resolution chart BBC Test Card A, B, C, D, E, F, G, H, J, W, X ETP-1 Philips circle pattern (PM 5538, PM 5540, PM 5544, PM 5644) Snell & Wilcox SW2/SW4 Telefunken FuBK TVE test card UEIT
Computer languages	"Hello, World!" program Quine Trabb Pardo–Knuth algorithm Man or boy test Just another Perl hacker
Data compression	Calgary corpus Canterbury corpus Silesia corpus enwik8, enwik9
3D computer graphics	Cornell box Stanford bunny Stanford dragon Utah teapot List
Machine learning	ImageNet MNIST database List
Typography (filler text)	Etaoin shrdlu Hamburgevons Lorem ipsum The quick brown fox jumps over the lazy dog
Other	3DBenchy Acid 1 2 3 "Bad Apple!!" EICAR test file functions for optimization GTUBE Harvard sentences Lenna "The North Wind and the Sun" "Tom's Diner" SMPTE universal leader EURion constellation Shakedown Webdriver Torso 1951 USAF resolution test chart