EICAR – The Most Common False Positive in the World
If you saw a file called eicar.com on your computer, you might think it was malware. But, you would be
If you saw a file called eicar.com on your computer, you might think it was malware. But, you would be wrong. Readers, if you haven’t yet met the EICAR test file, allow me to introduce you to it. If you have used the EICAR test file, let’s get a bit cozier with it.
If you ran this file through VirusTotal, 61 out of 62 antimalware scanners currently would detect the EICAR test file as if it were malicious. That’s because the EICAR file is actually a tool that was designed to help users verify their antimalware scanner is functioning properly. The EICAR test file is a harmless piece of code that most vendors have agreed to flag as if it was malicious. Essentially, it’s a false positive—by design—for your benefit. Some scanners detect it, some do not; neither outcome indicates that any scanner is better or worse than another.
If you have heard of EICAR, you may have seen it referred to as a “test virus,” but that’s inaccurate. Think of it more like the test button on a smoke detector in your home. The test button doesn’t simulate fire or smoke; it simply lets you know that the smoke detector is functional. The test button certainly doesn’t tell you anything about the quality of the smoke detector. Similarly, the EICAR test file does not simulate malware, it just causes a scanner to demonstrate how it would handle a threat it detected (assuming the vendor has chosen to recognize the file as malicious, that is.)
Using the EICAR Test File
Now that you know more about EICAR, let’s talk about why, how, and when you might want to use it.
Note: At the Virus Bulletin conference in 1999 I presented the paper, “Giving the EICAR Test File Some Teeth.” If you’re interested in the breadth of test scenarios I explored, you can read the paper on the Virus Bulletin website.
Where to Find EICAR
You’d think the easiest way to get your hands on this file would be to download it straight from www.eicar.org, except that your antimalware scanner might block the download. To get around that, you’d likely have to temporarily disable your web protection—WHICH I DO NOT RECOMMEND. Instead, I’ll show you how to create the file yourself.
Here are the step by step instructions.
Note: You could create the file in Microsoft® Word, but you’d have to save it as plain text. The test file must begin with the test string, and Word includes additional information in .doc and .docx files.
The file eicar.com, will run on older operating systems, but not on a 64-bit OS. When you run it on a compatible OS, the file will display this text.
You can change the display message to anything you like. In the following example, I’ve replaced the word EICAR with my name.
However, if you change it as I did above, it will no longer be a valid test file and should not be detected by your antimalware program.
At the 1999 Virus Bulletin conference, I asked researchers for EICAR-like test files to test script and macro detection. Although we still don’t have that, the Anti-Malware Testing Standards Organization (AMTSO) provides a set of security feature checks at www.amtso.org/security-features-check. Just be sure to remember that the security feature checks, like the EICAR test file, don’t indicate the quality of the product, but they can be used to ensure that certain features are functioning.
Questions? Comments? Let’s talk on the Webroot community forum.