Sunday, April 26, 2009

Testing Anti-Virus Software

If you want a way to check that your anti-virus software has been deployed correctly, there is a standard test file that makes this easy.

This test file has been provided to the European Institute for Computer Anti-Virus Research (EICAR) for distribution as the "EICAR Standard Anti-Virus Test File". It is safe to pass around, because it is not a virus and does not include any fragments of viral code. Anti-virus vendors use this file to test their products before release, to make sure detection really works, so most products react to it as if it were a virus.

The file is actually a legitimate 16-bit DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"). Note that 16-bit DOS programs do not execute on 64-bit versions of Windows, but you never need to run it: the point of the test is that the scanner detects it.

It is also short and simple; in fact, it consists entirely of printable ASCII characters, so it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file that starts with the following 68 characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The first 68 characters are the known string. They may optionally be followed by any combination of whitespace characters (space, tab, CR, LF and Ctrl-Z), with the total file length not exceeding 128 bytes. Nothing may come before the string: a byte-order mark or a blank line inserted by a text editor means the file no longer matches these rules, and a scanner may ignore it.

In order to facilitate various scenarios, EICAR provides four files for download at http://www.eicar.org. (Follow the "Anti-Malware Test File" link at the top right corner of the site.)

The first, eicar.com, contains the ASCII string described above. The second file, eicar.com.txt, is a copy of this file under a different name. Some readers reported problems when downloading the first file, which can be circumvented by using the second version: just download it and rename it to "eicar.com". The third version contains the test file inside a zip archive; a good anti-virus scanner will spot the 'virus' inside an archive. The last version is a zip archive containing the third file; it can be used to see whether the virus scanner checks archives more than one level deep.

Once downloaded, run your anti-virus scanner. It should detect at least the file "eicar.com". Good scanners will detect the 'virus' in the single zip archive and maybe even in the double zip archive. If on-access (real-time) scanning is enabled, the download may be blocked before the file is even written to disk, which also counts as a successful test. Once the file is detected, the scanner may not allow you any access to it anymore; you may not even be allowed to delete it. This is because the scanner has put the file into quarantine: the test file is treated just like any other virus-infected file.
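As an added example (this is not code from the original post, nor EICAR's own tooling), the following Python script checks a byte string against the rules above (68-byte string first, only permitted whitespace after it, at most 128 bytes) and then walks zip archives recursively, the way a scanner that looks more than one level deep has to, building the four sample files in memory. The archive file names, the recursion limit and the member-size cap are assumptions.

```python
import io
import zipfile

# The 68-byte EICAR string, written as two adjacent literals so that a
# scanner with on-access protection does not quarantine this script itself.
EICAR = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
assert len(EICAR) == 68

# Whitespace that the EICAR rules allow after the string, and the size cap.
ALLOWED_TRAILING = b" \t\r\n\x1a"
MAX_LEN = 128

# Assumed limits for the archive walker (not part of the EICAR rules):
# how deep to open nested archives and the largest member to decompress.
MAX_DEPTH = 8
MAX_MEMBER_BYTES = 1024 * 1024


def is_eicar(data: bytes) -> bool:
    """True if data is a valid EICAR test file: the 68-byte string first,
    then only permitted whitespace, and at most 128 bytes in total."""
    if not 68 <= len(data) <= MAX_LEN:
        return False
    if not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILING for b in data[68:])


def scan(name: str, data: bytes, max_depth: int = MAX_DEPTH, _depth: int = 0) -> list:
    """Scan a blob and return the paths (outer.zip/inner) of every EICAR
    file found, opening zip archives up to max_depth levels deep."""
    if is_eicar(data):
        return [name]
    hits = []
    buf = io.BytesIO(data)
    if _depth < max_depth and zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                # Skip directories; refuse oversized members (zip-bomb guard).
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                member = zf.read(info.filename)
                hits.extend(scan(f"{name}/{info.filename}", member, max_depth, _depth + 1))
    return hits


def zip_bytes(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip archive holding a single member."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return out.getvalue()


def build_samples() -> dict:
    """Constructed in memory to mirror the four downloads described above.
    The archive file names are assumptions, not taken from the EICAR site."""
    single = zip_bytes("eicar.com", EICAR)
    return {
        "eicar.com": EICAR,
        "eicar.com.txt": EICAR + b"\r\n",   # an editor-added line ending is allowed
        "eicar_com.zip": single,
        "eicarcom2.zip": zip_bytes("eicar_com.zip", single),
    }


def write_test_file(path: str) -> int:
    """Write eicar.com to disk in binary mode so no newline translation or
    byte-order mark is inserted ahead of the string; returns bytes written."""
    with open(path, "wb") as f:
        return f.write(EICAR)


if __name__ == "__main__":
    samples = build_samples()
    for fname, blob in samples.items():
        print(f"{fname}: {scan(fname, blob) or 'clean'}")
    # A scanner that stops after one archive level misses the double zip.
    print("one level deep:", scan("eicarcom2.zip", samples["eicarcom2.zip"], max_depth=1) or "clean")
```

Running the script prints a hit for each of the four samples with the full path into the nested archive, and "clean" for the last line, which is exactly the difference between a scanner that opens archives one level deep and one that goes further. If you save this script on a machine with on-access scanning enabled, expect the file it writes (and possibly the script, if the two halves are ever joined in a saved file) to be quarantined, just as the text above describes.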

2 comments:

Nimal said...

thanks for the very useful post..

Subanu said...

Valuable post bro.. :)