Testing your Anti-Virus Software

The Anti-Malware Testfile 

This test file has been provided to EICAR (European Institute for Computer Anti-Virus Research) for distribution as the "EICAR Standard Anti-Virus Test File", and it satisfies all anti-virus test criteria they set out.

It is safe to pass around, because it is not a virus, and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as "EICAR-AV-Test").

The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!").

It is also short and simple - in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file, provided that the file starts with the following 68 characters and is exactly 68 bytes long:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

You can copy the line of text above into Notepad or your favourite text editor, then save the file as "test.com" or under any name with a .com extension, such as showscan.com.

Depending on the virus scanner, some will flag the test file straight away, because they detect viruses as they are written to disk. Others will need you to read it or run it as a program.

You can also download a ready-made test file, which contains exactly and only the text string above:

http://www.eicar.org/download/eicar.com
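
An added example (not from the original page) that automates the steps above: it writes the 68-byte string to a file and reports whether a resident scanner blocked the write, removed the file, or blocked the read. The file name eicar_probe.com, the outcome labels and the two-second wait are assumptions of this example.

```python
import os
import tempfile
import time

# The 68-character string from the page, split in two so that this source
# file does not itself contain the contiguous test string.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

OUTCOMES = {"blocked_on_write", "removed_after_write",
            "blocked_on_read", "altered", "not_detected"}


def is_valid_test_file(data: bytes) -> bool:
    """Page's rule: starts with the 68 characters and is exactly 68 bytes."""
    return len(data) == 68 and data == EICAR


def probe(directory: str, wait: float = 2.0) -> str:
    """Write the test file, then report how the scanner (if any) reacted."""
    path = os.path.join(directory, "eicar_probe.com")  # hypothetical name
    try:
        with open(path, "wb") as f:  # binary mode: no newline is appended
            f.write(EICAR)
    except OSError:
        return "blocked_on_write"
    time.sleep(wait)  # give an on-access scanner time to quarantine the file
    try:
        if not os.path.exists(path):
            return "removed_after_write"
        try:
            with open(path, "rb") as f:
                data = f.read()
        except OSError:
            return "blocked_on_read"
        # A changed or truncated file means the scanner interfered with it.
        return "not_detected" if is_valid_test_file(data) else "altered"
    finally:
        if os.path.exists(path):
            try:
                os.remove(path)
            except OSError:
                pass  # the scanner may have locked the file


if __name__ == "__main__":
    print(probe(tempfile.gettempdir()))
```

A result of not_detected means the scanner did not react to the write or the read; as noted above, some scanners only react when the file is run as a program. A file saved from a text editor that appends a line ending is longer than 68 bytes and fails is_valid_test_file.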

Of course, the main problem with home virus scanners seems to be the lack of a subscription to keep the virus scanner up to date.

If the virus scanner product expires, it will only detect the viruses that existed during the anti-virus subscription period.

It is therefore vital to keep a commercial subscription current, or to use a free anti-virus scanner such as "avast" or "avg", which may still require a free yearly registration process.

I use Zonealarm Free and install the anti-virus component after the firewall is installed:

http://www.zonealarm.com/software/free-firewall/

It is inadvisable to download real viruses to test scanners with unless you really know what you are doing and have your own personal equipment and a home connection to do this on.

It is highly inadvisable to perform this type of live scanner testing in most normal IT workplaces (unless authorised), to avoid non-compliance with IT security policy, risk and best practices.

 
