The EICAR test

[AmberClad]

I'm a little confused about how and why the EICAR test works. It just looks like a plain text ASCII string to me. How exactly does it simulate a virus?

 

[lusher]

It doesn't. It's just a string that antivirus companies agree to detect.

 

[AmberClad]

This might just be me, but that hardly seems useful as a test of how good an AV program is at detecting real viruses in the wild. Especially the more dynamic ones that require heuristic algorithms.

 

[mechBgon]

Originally posted by: AmberClad
This might just be me, but that hardly seems useful as a test of how good an AV program is at detecting real viruses in the wild.

I'm certain that the EICAR test isn't meant to show how good an AV program is at detecting real viruses in the wild. Tangentially, this thread might interest you, a small test against in-the-wild malware scanned as soon after collection as practical.

 

[Zugzwang152]

It's meant to test antivirus programs' response to a virus without actually infecting the computer.

How are you sure that your antivirus will properly delete/quarantine/alert/whatever when it detects a virus? You can't really be sure without downloading a virus, so use the EICAR test file instead. That way, even if your antivirus program fails to catch it, you won't be infected.

 

[AmberClad]

Originally posted by: mechBgon
Tangentially, this thread might interest you, a small test against in-the-wild malware scanned as soon after collection as practical.

Thanks. That series of tests you guys did was a pretty interesting read. Lots of good info :thumbsup:.

 

[lusher]

It's just a test to see if your AV is functioning. That's all. It's not meant to test how good it is.

Anyone remember that there was a similar attempt a few years back to create a anti-trojan simulator test file for anti-trojans kind of like Eicar but for anti-trojans.

http://www.misec.net/trojansimulator/ by trojanhunter boys...

This one is slightly different from eicar, in that it actually does something as little as it is...

Some vendors choice to add a detection for it, many others did not.

 

[hans007]

its not going to test a heuristic scanner no. but your basic, real time scanner, or on demand scanner based on defs is a string search engine at some level. im fairly certain all of them at some part is a string search with possible more routines for more complicated virus.

 

[lusher]

I disagree