Anti-virus vendors add the EICAR string to their signature databases as if it were a real virus. A compliant virus scanner, when detecting the file, responds in much the same way as it would to genuine malware. Not all virus scanners are compliant, and some may not detect the file even when they are correctly configured. Neither the way in which the file is detected nor the wording with which it is flagged is standardized, and both may differ from the way real malware is flagged, but a compliant scanner should prevent the file from executing as long as it meets the strict specification set by EICAR.[4]
The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string inside the compressed file. Many of the AMTSO Feature Settings Checks are based on the EICAR test string.[5]
Design
The file is a text file of between 68 and 128 bytes[6] that is a legitimate .com executable file (plain x86 machine code) that can be run by MS-DOS, some work-alikes, and its successors OS/2 and Windows (except 64-bit Windows, which cannot run 16-bit code). The EICAR test file prints "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" when executed and then stops. The test string was written by noted anti-virus researchers Padgett Peterson and Paul Ducklin and engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard.[7] It makes use of self-modifying code to work around technical issues that this constraint imposes on the execution of the test string.[8]
The third character is the capital letter 'O', not the digit zero.
Adoption
According to EICAR's specification, an antivirus should detect the test file only if it starts with the 68-byte test string and is no more than 128 bytes long. As a result, antiviruses are not expected to raise an alarm on some other document that merely contains the test string.[11] The test file can still be used for some malicious purposes, exploiting the reaction from the antivirus software. For example, a race condition involving symlinks can cause antiviruses to delete themselves.[12]
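The following Python is an added example, not code from the article, from EICAR or from any antivirus product. It implements the detection rule just described (68-byte string at the start, at most 128 bytes in total) and the archive case mentioned earlier, by opening zip files in memory and applying the same rule to each member. The 68-byte string is EICAR's published value, reproduced here from the published specification because this excerpt does not show it; it is assembled from two halves at runtime so that the source file itself is not a valid test file. The set of permitted trailing bytes (space, tab, LF, CR, CTRL-Z) is taken from the EICAR specification as the author recalls it and should be treated as an assumption; the 1 MB member-size guard and the verdict labels are constructed for this example.

```python
import io
import zipfile

# EICAR's 68-byte test string (published value, reproduced from the spec).
# Built from two halves so this source file does not itself start with the
# contiguous string and is therefore not a valid test file under the spec.
_EICAR_HEAD = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
_EICAR_TAIL = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_STRING = _EICAR_HEAD + _EICAR_TAIL          # 68 bytes

# Trailing bytes the specification permits after the 68-byte string
# (assumption: space, tab, LF, CR and CTRL-Z, per the EICAR spec as recalled).
_ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128                                     # upper bound from the spec
MAX_MEMBER = 1_000_000                            # constructed decompression guard


def is_eicar_test_file(data: bytes) -> bool:
    """True only for files that meet the strict EICAR specification."""
    if len(data) > MAX_LEN:
        return False
    if not data.startswith(EICAR_STRING):
        return False
    # Anything after the string must be permitted whitespace.
    return all(b in _ALLOWED_TRAILER for b in data[len(EICAR_STRING):])


def scan_blob(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return a list of (path, verdict) findings for one blob.

    Zip archives are opened in memory and each member is scanned with the same
    rule, recursing into nested archives up to max_depth levels.
    """
    findings = []
    if is_eicar_test_file(data):
        findings.append((name, "EICAR-Test-File"))
    elif EICAR_STRING in data:
        # Contains the string but is out of spec: a scanner is not expected to
        # alarm here, so this is reported as informational only.
        findings.append((name, "contains-test-string-but-out-of-spec"))
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member_name = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER:
                    findings.append((member_name, "skipped-too-large"))
                    continue
                member = zf.read(info.filename)
                findings.extend(scan_blob(member_name, member, depth + 1, max_depth))
    return findings


def build_samples() -> dict:
    """Constructed sample inputs covering the cases the rule distinguishes."""
    plain = EICAR_STRING
    embedded = b"some text before " + EICAR_STRING + b" and after"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", plain)
        zf.writestr("readme.txt", b"nothing here")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return {
        "plain": plain,
        "padded": plain + b"\r\n",
        "too_long": plain + b" " * 61,            # 129 bytes: out of spec
        "embedded": embedded,
        "zip": inner.getvalue(),
        "nested_zip": outer.getvalue(),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, scan_blob(label, blob))
```

The `elif` branch is the practical caveat: a file that merely contains the string (or a test file that has grown past 128 bytes) does not qualify, and a scanner that alarms on it is behaving beyond what EICAR asks for; keeping that case as a separate verdict makes it easy to tell a compliant engine from an over-eager one when the same samples are fed to both.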
See also
GTUBE – a similar test for unsolicited bulk email (email spam)
Willems, Eddy. "EICAR's Test File History" (PDF). Eicar – European Expert Group for IT-Security. Archived from the original (PDF) on 16 December 2015. Retrieved 9 May 2020.