Reading Time: ~4 min.
If you saw a file called eicar.com on your computer, you might think it was malware. But, you would be wrong. Readers, if you haven’t yet met the EICAR test file, allow me to introduce you to it. If you have used the EICAR test file, let’s get a bit cozier with it.
If you ran this file through VirusTotal, 61 out of 62 antimalware scanners currently would detect the EICAR test file as if it were malicious. That’s because the EICAR file is actually a tool that was designed to help users verify their antimalware scanner is functioning properly. The EICAR test file is a harmless piece of code that most vendors have agreed to flag as if it was malicious. Essentially, it’s a false positive—by design—for your benefit. Some scanners detect it, some do not; neither outcome indicates that any scanner is better or worse than another.
If you have heard of EICAR, you may have seen it referred to as a “test virus,” but that’s inaccurate. Think of it more like the test button on a smoke detector in your home. The test button doesn’t simulate fire or smoke; it simply lets you know that the smoke detector is functional. The test button certainly doesn’t tell you anything about the quality of the smoke detector. Similarly, the EICAR test file does not simulate malware, it just causes a scanner to demonstrate how it would handle a threat it detected (assuming the vendor has chosen to recognize the file as malicious, that is.)
Using the EICAR Test File
Now that you know more about EICAR, let’s talk about why, how, and when you might want to use it.
- Curiosity. The first time I used the test file, it was purely out of curiosity. What if I zipped the file up or changed its extension from .com to .xyz, and so on. Because the file itself is harmless, I could simulate any number of scenarios without risk to my computer or my data.
- Smoke test.The intended purpose of the test file was always to verify that your scanner was properly installed and that the scan engine was functional. Any time you install a new antimalware product, you can give it a quick test with the EICAR file to make sure it is functioning as designed (if the vendor support the file, that is.)
- Forensics. Malware writers often try to disable a scanner as soon as their malicious code gains a foothold on a given computer. If you periodically test your scanner and, one day, it fails to detect the test file, that couldindicate of an infection. Keep in mind, it could also indicate that another layer of security blocked the file before it got to your scanner. The test itself is not conclusive and should only be considered as part of a bigger picture.
- Behavioral information.Between 1997 and 2004, I ensured that none of their software releases were infected. I used 11 different virus scanners on each of my test machines (don’t try this at home). The testing was not about the quality of the scanners, but rather how they’d react in different situations to help me make decisions and gain greater knowledge. For example, antivirus scanners have default configurations that I needed to test and potentially modify. Back then, not all scanners scanned all extension types by default. A directory with EICAR test files that each had different extensions would allow me to determine if my scanner’s default configuration for file types needed to be adjusted. Once I made modifications, I had to test those as well. There were a variety of tests I could run involving filenames with punctuation or foreign language characters, too. Basically, I could test virus handling without needing am actual virus.
Note: At the Virus Bulletin conference in 1999 I presented the paper, “Giving the EICAR Test File Some Teeth.” If you’re interested in the breadth of test scenarios I explored, you can read the paper on the Virus Bulletin website.
Where to Find EICAR
You’d think the easiest way to get your hands on this file would be to download it straight from www.eicar.org, except that your antimalware scanner might block the download. To get around that, you’d likely have to temporarily disable your web protection—WHICH I DO NOT RECOMMEND. Instead, I’ll show you how to create the file yourself.
Here are the step by step instructions.
- Open Notepad.
- Copy the following string and paste it into Notepad:
- Save the file and cross your fingers that your scanner doesn’t detect it on close.
Note: You could create the file in Microsoft® Word, but you’d have to save it as plain text. The test file must begin with the test string, and Word includes additional information in .doc and .docx files.
The file eicar.com, will run on older operating systems, but not on a 64-bit OS. When you run it on a compatible OS, the file will display this text.
You can change the display message to anything you like. In the following example, I’ve replaced the word EICAR with my name.
However, if you change it as I did above, it will no longer be a valid test file and should not be detected by your antimalware program.
At the 1999 Virus Bulletin conference, I asked researchers for EICAR-like test files to test script and macro detection. Although we still don’t have that, the Anti-Malware Testing Standards Organization (AMTSO) provides a set of security feature checks at www.amtso.org/security-features-check. Just be sure to remember that the security feature checks, like the EICAR test file, don’t indicate the quality of the product, but they can be used to ensure that certain features are functioning.
Questions? Comments? Let’s talk on the Webroot community forum.
The post EICAR – The Most Common False Positive in the World appeared first on Webroot Blog.