Using EICAR to test your AntiVirus Software
By SteveT on Thursday, March 29, 2007 :: Last Updated: Tuesday, April 17, 2007
 

I have had many requests from users for "live" viruses so that they can test their antivirus product to see that it is working, and what the alerts would look like when an actual virus is detected. Using a "live" virus to do this is extremely risky, dangerous and unacceptable for the purpose of testing and demonstrating. To resolve this problem, the antivirus community came up with a file for just this purpose, which is small in size, non-viral and easy to create and pass around. The file is called EICAR.COM. It is a non-viral file that antivirus software will react to as if it were a virus.

How to create this file:

  1. Copy the string below. (The easiest way is to highlight it, right click and select copy).

    Note:
    If you type the string below into Notepad (or any other text editor) instead of pasting it: to keep things simple, the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter "O", not the digit zero.

  2. Open Notepad (click the Start button and select Run from the menu. Type Notepad and press OK to start Notepad).

  3. From the Notepad menu bar, select Edit -> Paste. (This will paste the text into Notepad.) Go to the end of the string and ensure that there are no spaces after the last asterisk.

  4. Next, select Save As from the Notepad File menu.

  5. Name the file EICAR.COM. It has to have a COM extension for it to work. Select "All Files" from the Save as Type dialog.

    Note:
    Remember to disable the memory-resident portion of your antivirus program. In my examples, I will refer to Symantec's Norton AntiVirus/Symantec AntiVirus. If you are a user of another antivirus product, please consult your user's guide for instructions on how to disable the real-time feature of that product.

    If you do not disable this feature, the memory-resident real-time scanner (Auto Protect for Norton/Symantec AntiVirus) will not allow you to save the file, and it will generate a virus alert. To disable Auto Protect (for Norton/Symantec AntiVirus users), place your mouse over the Auto Protect icon in your system tray, right click and select "Disable". To re-enable Auto Protect, repeat the steps above and select "Enable".

 

Here is the Eicar Test string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
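
A check for a typed or pasted EICAR.COM that covers the mistakes the notes above warn about: the digit zero in place of the capital "O", and characters after the last asterisk. This is an added example, not part of the original article; the name check_eicar and the byte-order-mark check (for a file saved from Notepad in a Unicode encoding) are assumptions made here.

```python
import string
import sys

# Test string exactly as given in the article (68 bytes; raw so "\P" stays literal).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The article's rule: only upper case letters, digits and punctuation marks.
ALLOWED = set((string.ascii_uppercase + string.digits + string.punctuation).encode())
BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")  # UTF-8 / UTF-16 markers (added check)


def check_eicar(data: bytes) -> list[str]:
    """Return a list of problems; an empty list means the bytes match exactly."""
    if data.startswith(BOMS):
        return ["file starts with a Unicode byte-order mark; save it as ANSI"]
    problems = []
    body = data.rstrip(b" \t\r\n\x1a")
    if body != data:
        extra = len(data) - len(body)
        problems.append(f"{extra} whitespace byte(s) after the last asterisk")
    if body[2:3] == b"0":
        problems.append("third character is the digit zero, not the capital letter O")
    bad = sorted({chr(b) for b in body if b not in ALLOWED})
    if bad:
        problems.append(f"characters outside A-Z, 0-9 and punctuation: {bad}")
    if len(body) != len(EICAR):
        problems.append(f"length is {len(body)} bytes, expected {len(EICAR)}")
    elif body != EICAR:
        pos = next(i for i, (a, b) in enumerate(zip(body, EICAR)) if a != b)
        problems.append(f"mismatch at character {pos + 1}")
    return problems


if __name__ == "__main__":
    # Usage: python check_eicar.py C:\AVTEST\EICAR.COM
    with open(sys.argv[1], "rb") as fh:
        issues = check_eicar(fh.read())
    print("OK: exact EICAR test string" if not issues else "\n".join(issues))
```

Run it with the real-time scanner still disabled, since opening the file for reading can itself trigger the alert.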

For your convenience, I have posted a working version of EICAR.COM in a ZIP file and password protected it. Password protecting the file prevents any antivirus scanner from detecting it while it is in the ZIP file. If your antivirus real-time scanner is running, it will detect the EICAR.COM file during the extraction process. To unzip the file, you will need to disable your real-time scanner. The archive can be unzipped with PKZip (http://www.pkware.com), WinZip (http://www.winzip.com) or any other compatible archiving program. The archive has been set up to extract the test files to C:\AVTEST. If this folder does not exist, it will be created.

Remember that this is NOT a VIRUS!

Suggested Tests:

With your antivirus real-time scanner disabled, after saving (or extracting) the EICAR.COM files, open a Command Prompt (click the Start button, select All Programs -> Accessories -> Command Prompt). From the Command Prompt, navigate to the folder where you saved the EICAR test string. Next, type the following command:

EICAR

You will get the following result: EICAR-STANDARD-ANTIVIRUS-TEST-FILE. Next, re-enable your antivirus real-time scanner. Going back to your Command Prompt window, type the following:

EICAR

This time your antivirus real-time scanner should generate an alert. If you are a user of Norton/Symantec AntiVirus, you can select delete or quarantine (note: this is dependent on the version of Norton/Symantec AntiVirus and the options that are selected). Using your antivirus product, conduct a scan of the folder where you saved the files. If you had your antivirus application delete or quarantine the files, you will have to recreate them or extract them again from the ZIP archive. This time it should detect EICAR in the EICAR2.COM file. Once again, select either delete or quarantine.

Please see http://www.eicar.org for more information about EICAR.

For information from antivirus vendors on Eicar, please see the following virus encyclopedia information:

Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2003-121611-3209-99

Related Files:

Download EICAR Test String
