The EICAR Test File

Published: 2015-06-28
Last Updated: 2015-06-28 15:03:39 UTC
by Didier Stevens (Version: 1)
7 comment(s)

I'm sure most of you are familiar with the EICAR (European Institute for Computer Antivirus Research) test file. Your anti-virus application should detect the EICAR test file the same way it detects malicious files. But it is a test file, so of course, the EICAR file is not malicious.

If you have doubts that an anti-virus application is working correctly, you use the EICAR test file. If the file is not detected, there is a problem.

If you have doubts that anti-virus alerts are properly delivered to your SIEM, you use the EICAR test file.

There are many examples where the EICAR test file comes in handy.

But using the EICAR test file has become more difficult over the years, because there are more and more security applications and devices that detect it. For example, downloading the EICAR test file in a corporate environment will often fail, because the anti-virus on your proxy will detect and block it.

That's why I decided many years ago to create a program that writes the EICAR test file to disk when it is executed. Per the EICAR test file convention, an anti-virus program should not detect the EICAR test string inside my program, but it should detect it once it is written to disk. My program, EICARgen, worked fine for many years, but that changed a couple of years ago. Now many anti-virus programs detect EICARgen as a dropper (malware that writes its payload to disk).

I developed a new version: now when EICARgen is executed, nothing happens. It will only write the EICAR test file to disk when you pass it the proper argument: EICARgen write.

And now I come to the point of this diary entry. This new version of EICARgen is not only able to write the EICAR test file to disk, but also a couple of container files that contain the EICAR test file: a ZIP file, a PDF file and an Excel file. This is useful to test the settings of your anti-virus. For example, if your anti-virus is configured to scan the content of ZIP files, then you can use EICARgen to test this: EICARgen.exe zip eicar.zip.
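As an added example (not EICARgen's code), here is a Python script that rebuilds the test file from the base64 form quoted in the comments, verifies it against the SHA-256 from the VirusTotal link in the comments, checks the EICAR file convention, and writes the file or a ZIP container only when passed an explicit argument, as EICARgen does. The script name eicar_test.py is an assumption.

```python
import base64, hashlib, io, sys, zipfile

# The test string is kept base64-encoded so this source file does not carry the
# plain string: detection should fire on the written file, not on the generator
# (the same point EICARgen makes).
EICAR_B64 = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
# SHA-256 of the canonical 68-byte test file (the hash in the VirusTotal link).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

def eicar_bytes() -> bytes:
    """Decode the test string and verify it before anything is written."""
    data = base64.b64decode(EICAR_B64)
    if hashlib.sha256(data).hexdigest() != EICAR_SHA256:
        raise ValueError("decoded test string does not match the expected hash")
    return data

def is_valid_eicar_file(data: bytes) -> bool:
    """EICAR convention: the 68-byte string at offset 0, optionally followed by
    whitespace, total length at most 128 bytes."""
    string = eicar_bytes()
    return (len(data) <= 128 and data.startswith(string)
            and data[len(string):].strip(b" \t\r\n") == b"")

def build_zip(name: str = "eicar.com") -> bytes:
    """ZIP archive holding the test file, for checking archive scanning."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, eicar_bytes())
    return buf.getvalue()

def member_from_zip(data: bytes, name: str = "eicar.com") -> bytes:
    """Read the test file back out of an archive produced by build_zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)

def main(argv):
    # Like EICARgen: do nothing unless an explicit "write" or "zip" argument is given.
    if len(argv) == 3 and argv[1] == "write":
        payload = eicar_bytes()
    elif len(argv) == 3 and argv[1] == "zip":
        payload = build_zip()
    else:
        print("usage: eicar_test.py write <file> | zip <file.zip>")
        return 1
    with open(argv[2], "wb") as f:
        f.write(payload)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it with no argument does nothing, so the script can be copied to a test machine first and the file produced only where detection is meant to fire.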

I also have a video of EICARgen in action.

Please write a comment if you have other examples of file formats that you use when testing your anti-virus. Or if you have an idea for a file format to add to EICARgen.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: antivirus EICAR

Comments

I also implemented the same in a "batch" command script file only 88 bytes itself. I did it for the same reason, AV zapped the test file on my workstation before I had the chance to copy it to the machine being tested.

I think all file types able to contain malicious code should be included in testing. Simply changing the extension is only a basic test though. Placing the test string into the proper file format is the best test and challenging to cover unique possibilities. All archival formats should be a given such as .tar .7z .gzip etc.

What about non-text formats like bitmaps, jpeg, fonts, or tiff for example? Many vulnerabilities have been uncovered in various file parsers so this would represent some real world possibilities needing detection.

Question is how do you embed the EICAR test string in a binary format to simulate the signature of a buffer overflow exploit?

I have also had my own version of the EICAR test program that I have been using for quite a while. It triggers alerts whenever it creates a file on disk, or creates files across network shares. It also creates the test string in RAM in a few different places, but interestingly none of the AV programmes I have tested it against have ever alerted in that situation. I have always presumed it's because those AV programmes don't dynamically scan memory, but rather simply scan an executable when it is launched, and any files that are created.

The EICAR test string actually is a valid MS-DOS and Windows binary. It won't run on 64-bit versions of Windows, but on 32-bit Windows or MS-DOS you can rename it to have a ".com" extension and run it. It will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!". Anyhow, it is already in binary form, neat, huh?
Interestingly, according to VirusTotal, not every virus scanner (51/54) detects eicar.com: https://www.virustotal.com/en/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1435567250/

Also, I wonder what the impact is of the fact that eicar.com is a 16-bit executable, which is not supported on 64-bit systems.

It would also be nice to have a digitally signed (Authenticode) version of EICAR or something similar, as virus scanners may be configured to ignore files with a valid digital signature.

We have a few Windows XP computers at another location that are on their own VLAN and do NOT have internet access via the Sonicwall. We've had requests to get them online and they've been told "NO" unless they get updated to Windows 7 first.

We also have an old Windows 95 computer connected to a proprietary system that is not on the network at all.

You don't need to run a (dedicated) program to generate EICAR on Windows!
Just create the registry entry

[HKEY_CLASSES_ROOT\.com\ShellNew]
"Data"=hex:58,35,4f,21,50,25,40,41,50,5b,34,5c,50,5a,58,35,34,28,50,5e,29,37,43,43,29,37,7d,24,45,49,43,41,52,2d,53,54,41,4e,44,41,52,44,2d,41,4e,54,49,56,49,52,55,53,2d,54,45,53,54,2d,46,49,4c,45,21,24,48,2b,48,2a

then use right-click New->MS-DOS application and let Windows Explorer create it.
For other file formats create the appropriate "ShellNew" key.

Another possibility (not only on Windows) is to use a web browser:
data:application/octet-stream;base64,WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=

Don't put the EICAR string in your registry, there are AV programs that will detect it (because they don't follow the EICAR guidelines)!
