The EICAR Test File
I'm sure most of you are familiar with the EICAR (European Institute for Computer Antivirus Research) test file. Your anti-virus application should detect the EICAR test file the same way it detects malicious files. But it is a test file, so of course, the EICAR file is not malicious.
If you have doubts that an anti-virus application is working correctly, you use the EICAR test file. If the file is not detected, there is a problem.
If you have doubts that anti-virus alerts are properly delivered to your SIEM, you use the EICAR test file.
There are many examples where the EICAR test file comes in handy.
But using the EICAR test file has become more difficult over the years, because there are more and more security applications and devices that detect it. For example, downloading the EICAR test file in a corporate environment will often fail, because the anti-virus on your proxy will detect and block it.
That's why I decided many years ago to create a program that writes the EICAR test file to disk when it is executed. The anti-virus program should not detect the EICAR test string inside my program (per the EICAR test file convention), but they should detect it when it's written to disk. My program, EICARgen, worked fine for many years, but this has changed since a couple of years. Now many anti-virus programs detect EICARgen as a dropper (malware that writes its payload to disk).
I developed a new version: now when EICARgen is executed, nothing happens. It will only write the EICAR test file to disk when you pass it the proper argument: EICARgen write.
And now I come to the point of this diary entry. This new version of EICARgen is not only able to write the EICAR test file to disk, but also a couple of container files that contain the EICAR test file: a ZIP file, a PDF file and an Excel file. This is useful to test the settings of your anti-virus. For example, if your anti-virus is configured to scan the content of ZIP files, then you can use EICARgen to test this: EICARgen.exe zip eicar.zip.
I also have a video of EICARgen in action.
Please write a comment if you have other examples of file formats that you use when testing your anti-virus. Or if you have an idea for a file format to add to EICARgen.
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Comments
www
Nov 17th 2022
4 months ago
EEW
Nov 17th 2022
4 months ago
qwq
Nov 17th 2022
4 months ago
mashood
Nov 17th 2022
4 months ago
isc.sans.edu
Nov 23rd 2022
3 months ago
isc.sans.edu
Nov 23rd 2022
3 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
2 months ago
isc.sans.edu
Dec 26th 2022
2 months ago