EICAR test file

From Wikipedia, the free encyclopedia

The EICAR Anti-Virus Test File[1] or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs.[2] Because it is not real malware, which could cause real damage, the test file allows people to test anti-virus software without having to use a real computer virus.[3]

Anti-virus programmers treat the EICAR string as a verified virus, in the same way as other identified signatures. A compliant virus scanner that detects the file will respond in more or less the same manner as if it had found a harmful virus. Not all virus scanners are compliant, and a non-compliant scanner may not detect the file even when it is correctly configured. Neither the way in which the file is detected nor the wording with which it is flagged is standardized, and both may differ from the way in which real malware is flagged. A scanner should nevertheless prevent the file from executing as long as the file meets the strict specification set by the European Institute for Computer Antivirus Research.[4]

The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file. Many of the AMTSO Feature Settings Checks[5] are based on the EICAR test string.[6]

The developers of one anti-virus product, Malwarebytes, have said that they did not add the EICAR test file to their database, because "adding fake malware and test files like EICAR to the database takes time away from malware research, and proves nothing in the long run."[7]

Design

The file is a text file of between 68 and 128 bytes[8] that is also a legitimate executable file, a COM file, which can be run by MS-DOS, some work-alikes, and its successors OS/2 and Windows (except for 64-bit versions, due to 16-bit limitations). When executed, the EICAR test file prints "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" and then stops. The test string was written by noted anti-virus researchers Padgett Peterson and Paul Ducklin and engineered to consist of human-readable ASCII characters that are easily typed on a standard computer keyboard. It makes use of self-modifying code to work around technical issues that this constraint imposes on the execution of the test string.

The EICAR test string[9] reads:[10]

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

NOTE: The third character is the capital letter 'O', not the digit zero.
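The following is an added example, not part of the original article: a Python check that decides whether a byte string is a specification-compliant test file, applied to the members of an in-memory ZIP archive as in the compressed-file test described above. The permitted trailing bytes (space, tab, LF, CR, Ctrl-Z) come from EICAR's published specification rather than from this page, and the function names and sample archive are constructed for illustration.

```python
import io
import zipfile

# The 68-byte test string from this page, written as two literals so the
# contiguous signature does not appear in this source file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Trailing bytes allowed by EICAR's specification (not stated on this page):
# space, tab, LF, CR and Ctrl-Z.
ALLOWED_PADDING = b" \t\n\r\x1a"
MAX_LEN = 128


def is_compliant_eicar(data: bytes) -> bool:
    """True if data is a test file a compliant scanner is expected to flag."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_PADDING for b in data[len(EICAR):])


def scan_zip(blob: bytes) -> list[str]:
    """Return the names of archive members that are compliant test files."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            # Bound the read: a valid test file never exceeds 128 bytes.
            if info.file_size <= MAX_LEN and is_compliant_eicar(zf.read(info)):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive, built in memory only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)                # bare 68 bytes
        zf.writestr("eicar_nl.com", EICAR + b"\n")     # trailing newline
        zf.writestr("embedded.txt", b"log: " + EICAR)  # string not at offset 0
        zf.writestr("padded.com", EICAR + b"A" * 10)   # non-whitespace tail
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
```

A scanner that flags `embedded.txt` or `padded.com` is matching the string more loosely than the specification requires, which is one reason results differ between products.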

Hash values

(Hashed with trailing newline character)

Hash type Value
CRC32 1dd02bdb
MD5 69630e4574ec6798239b091cda43dca0
SHA1 cf8bd9dfddff007f75adf4c2be48005cea317c62
SHA224 a2e3aa5b0d6b05643f99e619c2d16deef927d171861477696be5b4c0
SHA256 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267
SHA384 10cc0011d21012867900a17757c239025dac46589f8e08ef93916d773a1dcc6257b357e408112d0d09fc9d3401d25700
SHA512 5581f85b25f0d80fa84c69e7ca24d98344f5fbaec45b7707dccf139a8c065961391d6e762516ee1db3137c4d82eca7fbc67c348c37ea0d615bb88161cf3b3008

External links

  • Official Site of the European Institute For Computer Antivirus Research (also known as the European Expert Group for IT-Security)
  • Assembly-language analysis of the EICAR test file
  • Antivirus results from scanning the EICAR file
  • "The Use and Misuse of Test Files in Anti-Malware Testing". Anti-Malware Testing Standards Organization. Archived from the original on August 16, 2017.

References