EICAR test file

The EICAR Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.

Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in more or less the same manner as if it found a harmful virus. Not all virus scanners are compliant, and some may not detect the file even when they are correctly configured. Neither the way in which the file is detected nor the wording with which it is flagged is standardized, and both may differ from the way in which real malware is flagged, but the scanner should prevent the file from executing as long as it meets the strict specification set by the European Institute for Computer Antivirus Research.

The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file. Many of the AMTSO Feature Settings Checks are based on the EICAR test string.


Design

The file is a text file of between 68 and 128 bytes that is a legitimate .com executable file (plain x86 machine code) that can be run by MS-DOS, some work-alikes, and its successors OS/2 and Windows (except for 64-bit due to 16-bit limitations). When executed, the EICAR test file will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" and then will stop.

The test string was written by noted anti-virus researchers Padgett Peterson and Paul Ducklin and engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard. It makes use of self-modifying code to work around technical issues that this constraint imposes on the execution of the test string.

The EICAR test string reads

The third character is the capital letter 'O', not the digit zero. The string's hash values (68 bytes without any trailing newline character) are as follows:


Adoption

The developers of one anti-virus software, Malwarebytes, have said that they did not add the EICAR test file to their database, because "adding fake malware and test files like EICAR to the database takes time away from malware research, and proves nothing in the long run".

According to EICAR's specification, the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long. As a result, antiviruses are not expected to raise an alarm on some other document containing the test string.

The test file can still be used for some malicious purposes, exploiting the reaction from the antivirus software:

* A race condition involving symlinks can cause antiviruses to delete themselves.
* A QR-encoded EICAR test file crashes some CCTV systems.
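The detection rule stated above (the file starts with the 68-byte test string and is no more than 128 bytes long), combined with the archive test described in the introduction, as an added Python example that is not EICAR's or any vendor's code. The `scan` and `make_zip` helpers, the nesting and size limits, and the sample archive members are constructed for illustration.

```python
import io
import zipfile

# The published 68-byte EICAR test string, split in two so that this source
# file does not contain the signature as one contiguous literal.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" +
         rb"ANTIVIRUS-TEST-FILE!$H+H*")
MAX_LEN = 128  # upper bound on the whole file, per the rule quoted above


def is_eicar_test_file(data: bytes) -> bool:
    """True only if data starts with the test string and is <= 128 bytes."""
    return len(data) <= MAX_LEN and data.startswith(EICAR)


def scan(data: bytes, name: str = "<input>", depth: int = 0) -> list:
    """Return names of conforming test files, descending into zip archives."""
    if is_eicar_test_file(data):
        return [name]
    hits = []
    # Constructed limit: stop after 3 nested archive levels.
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Skip members that declare more than 1 MiB uncompressed.
                if info.is_dir() or info.file_size > 1 << 20:
                    continue
                hits += scan(zf.read(info), f"{name}!{info.filename}", depth + 1)
    return hits


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from constructed sample members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_zip({
        "eicar.com": EICAR,               # exact 68-byte file
        "padded.com": EICAR + b"\r\n",    # 70 bytes, still within the rule
        "notes.txt": b"see: " + EICAR,    # string present but not at the start
        "big.txt": EICAR + b" " * 100,    # 168 bytes, over the 128-byte limit
    })
    print(scan(sample, "sample.zip"))
```

Only the first two members are reported; the document that merely mentions the string and the oversized file are ignored, which is the behaviour the specification asks for.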


See also

* GTUBE – a similar test for unsolicited bulk email (email spam)


External links

* (also known as the European Expert Group for IT-Security)
* An Examination of the EICAR's Standard A-V Test Program – Assembly-language analysis of the EICAR test file
* VirusTotal – Antivirus results from scanning the EICAR file