EICAR test file
{{Short description|Computer file to test antivirus software}}
{{use dmy dates |date=July 2022}}
The '''EICAR Anti-Virus Test File'''<ref>{{Cite news|url=http://securitywatch.pcmag.com/security-software/312184-is-your-antivirus-working|title=Is Your Antivirus Working?|work=PCMAG|access-date=2017-04-17|language=en}}</ref> or '''EICAR test file''' is a computer file that was developed by the [[EICAR (Research institute)|European Institute for Computer Antivirus Research]] (EICAR) and [[CARO|Computer Antivirus Research Organization]] to test the response of computer [[antivirus]] programs.<ref>{{cite web |url=https://www.itprotoday.com/windows-server/how-test-smartscreen-filter-and-windows-defender-detection-scenarios |title=How To: Test the SmartScreen Filter and Windows Defender Detection Scenarios |last=Hay |first=Richard |publisher=IT Pro Today |date=2016-09-12 |access-date=2019-07-03}}</ref> Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real [[computer virus]].<ref>{{Cite news|url=https://www.zdnet.com/article/360-total-security-anti-virus-first-impressions/|title=360 Total Security Anti-virus first impressions: Refreshingly subtle but thorough|last=Hess|first=Ken|work=ZDNet|access-date=2017-04-17|language=en}}</ref>

Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in more or less the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured.
Neither the way in which the file is detected nor the wording with which it is flagged are standardized, and may differ from the way in which real malware is flagged, but should prevent it from executing as long as it meets the strict specification set by EICAR.<ref>{{cite web |url=https://www.amtso.org/wp-content/uploads/2018/05/AMTSO-Use-and-Misuse-of-Test-Files-in-Anti-Malware-Testing-FINAL.pdf |title=The Use and Misuse of Test Files in Anti-Malware Testing |date=2012-02-24 |publisher=[[Anti-Malware Testing Standards Organization|AMTSO]] |access-date=2019-07-03}}</ref>

The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be [[Data compression|compressed]] or [[archive]]d, and then the antivirus software can be run to see whether it can detect the test string in the compressed file. Many of the [[AMTSO]] Feature Settings Checks<ref name="auto">{{Cite web|url=https://www.amtso.org/security-features-check/|title=AMTSO Security Features Check Tools|website=AMTSO}}</ref> are based on the EICAR test string.<ref name="auto"/>

== Design ==
The file is a [[text file]] of between 68 and 128 [[byte]]s<ref>{{cite web |last1=Willems |first1=Eddy |title=The Winds of Change: Updates to the EICAR Test File |url=https://www.virusbulletin.com/uploads/pdf/magazine/2003/200306.pdf |website=[[Virus Bulletin]] |date=June 2003}}</ref> that is a legitimate [[COM file|.com]] [[executable]] file (plain [[x86]] [[machine code]]) that can be run by [[MS-DOS]], some work-alikes, and its successors [[OS/2]] and [[Windows]] (except for 64-bit due to 16-bit limitations). The EICAR test file will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" when executed and then will stop.
The test string was written by anti-virus researchers [[Padgett Peterson]] and Paul Ducklin and [[Alphanumeric shellcode|engineered]] to consist of [[ASCII]] human-readable characters, easily created using a standard computer keyboard.<ref>{{cite web |last1=Willems |first1=Eddy |title=EICAR's Test File History |url=https://www.eicar.org/files/01_-_eicar_test_file_history.pdf |website=Eicar {{ndash}} European Expert Group for IT{{ndash}}Security |archive-url=https://web.archive.org/web/20151216140407/https://www.eicar.org/files/01_-_eicar_test_file_history.pdf |access-date=9 May 2020|archive-date=2015-12-16 }}</ref> It makes use of [[self-modifying code]] to work around technical issues that this constraint imposes on the execution of the test string.<ref>{{cite web |title=Anatomy of the EICAR Antivirus Test File. |url=https://blog.nintechnet.com/anatomy-of-the-eicar-antivirus-test-file/ |website=NinTechNet's updates and security announcements.|date=26 August 2021 }}</ref> The EICAR test string<ref>{{Cite web|url=https://secure.eicar.org/eicar.com.txt|title=EICAR-STANDARD-ANTIVIRUS-TEST-FILE |access-date=July 21, 2019 }}</ref> reads<ref>{{cite web |title=Virus Profile: EICAR test file |url=https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=98616 |website=[[McAfee]] |access-date=9 May 2020 |archive-url=https://web.archive.org/web/20090205210908/https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=98616 |archive-date=2009-02-05 |url-status=dead }}</ref>

{{EICAR test file}}

The third character is the capital 'O' in the [[Latin alphabet]], not the digit zero.

== Adoption ==
According to EICAR's specification the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long.
As a result, antiviruses are not expected to raise an alarm on some other document containing the test string.<ref>{{cite web |title=Download Anti Malware Testfile – Eicar |url=https://www.eicar.org/?page_id=3950 |language=de-DE |access-date=22 September 2020 |archive-date=28 April 2022 |archive-url=https://web.archive.org/web/20220428213743/https://www.eicar.org/?page_id=3950 |url-status=dead }}</ref>

The test file can still be used for some malicious purposes, exploiting the reaction from the antivirus software. For example, a race condition involving [[symlink]]s can cause antiviruses to delete themselves.<ref>{{cite web |title=Exploiting (Almost) Every Antivirus Software – RACK911 Labs |url=https://rack911labs.ca/research/exploiting-almost-every-antivirus-software/}}</ref>

== See also ==
* [[GTUBE]] – a similar test for unsolicited bulk email ([[email spam]])

== References ==
{{reflist}}

== External links ==
* {{official website|http://www.eicar.org }} (also known as the European Expert Group for IT-Security)
* [http://thestarman.pcministry.com/asm/eicar/eicarcom.html An Examination of the EICAR's Standard A-V Test Program] Assembly-language analysis of the EICAR test file
* [https://www.virustotal.com/en/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1425909746/ VirusTotal] Antivirus results from scanning the EICAR file
* {{cite web |url=http://amtso.org/download/amtso-use-and-misuse-of-test-files/?wpdmdl=1132 |url-status=dead | archive-url=https://web.archive.org/web/20170816151919/http://amtso.org/download/amtso-use-and-misuse-of-test-files/?wpdmdl=1132 |archive-date=August 16, 2017 | title=The Use and Misuse of Test Files in Anti-Malware Testing | publisher=Anti-Malware Testing Standards Organization }}

{{Information security}}
{{Standard test item}}

[[Category:Computer security software]]
[[Category:Test items]]

[[pl:Europejski Instytut Badań Wirusów Komputerowych#Plik testowy EICAR]]
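
Added example (not part of the article and not EICAR's or any vendor's code): a reference check for the rule described under Adoption, with constructed in-memory fixtures for the plain, padded, over-length, embedded and archived cases that a scanner's results can be compared against. The function names, the fixture set and the trailing-whitespace restriction are assumptions of this example; the restriction follows EICAR's published definition rather than anything stated on this page.

```python
import hashlib
import io
import zipfile

# 68-byte test string, split so this source never holds the signature contiguously.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTI" + b"VIRUS-TEST-FILE!$H+H*"
# SHA-256 taken from the VirusTotal link in this page's External links.
PAGE_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
MAX_LEN = 128
# Assumption (EICAR's definition, not this page): only these bytes may follow the string.
ALLOWED_PAD = b" \t\r\n\x1a"

def matches_page_hash() -> bool:
    return hashlib.sha256(EICAR).hexdigest() == PAGE_SHA256

def is_test_file(data: bytes, strict_padding: bool = True) -> bool:
    """True if data starts with the test string and is at most 128 bytes."""
    if not data.startswith(EICAR) or len(data) > MAX_LEN:
        return False
    tail = data[len(EICAR):]
    return not strict_padding or all(b in ALLOWED_PAD for b in tail)

def zipped(data: bytes, name: str = "eicar.com") -> bytes:
    buf = io.BytesIO()  # in memory only; nothing touches the disk
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def expected_verdict(blob: bytes) -> str:
    """Verdict a compliant scanner with archive scanning should match."""
    if is_test_file(blob):
        return "detect"
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if any(is_test_file(zf.read(n)) for n in zf.namelist()):
                return "detect-in-archive"
    return "clean"

# Constructed fixtures, one per branch of the rule.
FIXTURES = {
    "plain": EICAR,
    "padded_128": EICAR + b" " * 60,
    "too_long_129": EICAR + b" " * 61,
    "embedded": b"Report: " + EICAR,
    "zipped": zipped(EICAR),
}

def verdicts() -> dict:
    return {name: expected_verdict(blob) for name, blob in FIXTURES.items()}
```

A scanner that flags the "embedded" or "too_long_129" fixture is matching the string more loosely than the specification describes; one that misses "zipped" is not inspecting archives.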