EICAR test file
The EICAR test file (name: THE ANTI-VIRUS OR ANTI-MALWARE TEST FILE) is a test pattern developed by the European Institute for Computer Antivirus Research (EICAR) and the Computer AntiVirus Research Organization , which can be used to test the function of antivirus programs .
The file is a text file with 68 ASCII characters and a resulting file size of 68 to 70 bytes if the carriage return and / or line feed have been added to the end of the file in the text editor. The text can thus be entered in any text editor . The file is benign and does no harm in any way, but should be recognized and displayed as a virus by all virus scanners. This can be used, for example, to test whether a virus scanner can correctly read an archive .
The EICAR test file is designed to be a COM executable on MS-DOS and compatible Microsoft Windows . When it is executed, it gives the message EICAR-STANDARD-ANTIVIRUS-TEST-FILE! on the screen and then exits itself. However, it is incompatible with 64-bit Microsoft Windows operating systems because the compatibility with 16-bit software has been removed there. Despite this incompatibility, it is also recognized by all common antivirus programs on 64-bit systems and identified as an EICAR test file.
Contents of the file
The machine language commands used in the executable file are selected so that only characters from the 7-bit ASCII character set appear. This rules out font errors and the file can be created with any text editor.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
In order to avoid the early detection and blocking of the test file by antivirus programs, it is not only offered as a COM file , but also as a simply renamed text file and a compressed ZIP archive for download.
Message from cmd.exe when executing the EICAR test file under Windows Vista 64-bit
Names used by virus scanners
Virus scanners usually recognize the file under the following names:
- Avast Antivirus : EICAR Test-NOT virus !!
- AVG Antivirus : EICAR_Test
- Avira Antivirus : Eicar-Test-Signature
- Bitdefender : EICAR test file (not a virus)
- ClamAV : Eicar-Test-Signature
- Computer Associates International : the EICAR test string
- Comodo Internet Security : ApplicUnwnt @ # 2975xfk8s2pq1
- Emsisoft Anti-Malware : EICAR test file (not a virus) (B)
- ESET : Eicar test file
- F-Secure : EICAR test file
- Fortinet : Eicar.Virus.Test.File
- G Data CyberDefense : EICAR test file (not a virus)
- Ikarus Security Software : EICAR-ANTIVIRUS-TESTFILE
- Kaspersky Anti-Virus : EICAR test file
- McAfee : EICAR test file
- Microsoft : Virus: DOS / EICAR_Test_File
- ESET NOD32 Antivirus : Eicar test file
- Panda : EICAR-AV-TEST-FILE
- Securepoint Antivirus Pro: EICAR test file
- Sophos : EICAR AV test
- Symantec : EICAR Test String
- Trend Micro : Eicar_test_file
Others
- As with the EICAR test file, the GTUBE string is also used in anti- spam solutions .
- On Microsoft's English website, the EICAR test file is correctly described as a virus dummy - but, curiously, still with the warning level "severe". In the anti-malware programs Microsoft Security Essentials and Windows Defender , if the test file is found, a warning is also issued about an allegedly serious infection. Microsoft has been providing hair-raising misinformation for years (as of 2020) as a short description: "This program is dangerous. It replicates itself by infecting other files. Recommended action: Remove this software immediately."
Individual evidence
Web links
- The Anti-Virus test file (Eicar) (original English website)
- Disassembled source code ( Memento from April 12, 2012 in the Internet Archive )
- The Eicar file on www.virustotal.com