Talk:EICAR test file

Computer Security: Computing Low‑importance

This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security articles

Low

This article has been rated as Low-importance on the project's importance scale.

This article is supported by WikiProject Computing (assessed as Low-importance).

Things you can help WikiProject Computer Security with:

Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information...

Review importance and quality of existing articles
Identify categories related to Computer Security
Tag related articles
Identify articles for creation (see also: Article requests)
Identify articles for improvement
Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc.
Find editors who have shown interest in this subject and ask them to take a look here.

Potential Copyright Problem?

I am wondering whether it is actually ok to include the file itself here? isn't it copyrighted by eicar or whoever created it? or is too short to be copyrightable at all? i would be very happy if anyone could shed some light on this...User:RobertLemmen —Preceding unsigned comment added by 93.97.72.81 (talk) 20:03, 19 March 2010 (UTC)[reply]

"You are encouraged to make use of the EICAR test file" according to EICAR's page about the test file. Or are you referring to WMF policy that is intentionally stricter than copyright, like the concept of a "not free enough" license on Commons? --Damian Yerrick (talk | stalk) 14:13, 31 October 2011 (UTC)[reply]

Confirmed successes and failures

Please give the date (preferably in a signature) and nature of the scan (i.e. plaintext, encrypted, hdd, email, ...). Be sure to fully update your software so that your signed date is accurate.

Doesn't this violate Wikipedia's policy on No Original Research? --DragonHawk 20:39, 1 July 2006 (UTC)[reply]

Yes, but not badly, and at least the results are verifiable. Btw, "McAfee Total Protection for Small Businesses" obliterated the thing without giving me a chance to tell it not to. Stevage 13:48, 9 August 2006 (UTC)[reply]

Successes

NOD32 string saved as a plaintext or .com file. -- malo (tlk) (cntrbtns) 03:53, 28 June 2006 (UTC)[reply]
ClamWin 0.88.2.3 recognizes all four test files downloadable at [1] 74.132.209.231 18:08, 28 June 2006 (UTC)[reply]
AntiVir version 7, when saved as a .com file -- malo (tlk) (cntrbtns) 20:26, 28 June 2006 (UTC)[reply]
Avast! 4.7, only .com file during an active scan. -- malo (tlk) (cntrbtns) 20:26, 28 June 2006 (UTC)[reply]
BitDefender version 8, plaintext and .com files -- malo (tlk) (cntrbtns) 20:26, 28 June 2006 (UTC)[reply]
AVG Free Anti-Virus version 9, plaintext, .com and in a .zip file 78.149.194.150 (talk) 19:14, 3 June 2010 (UTC)[reply]
Kaspersky Internet Security 6, real-time scan: -- grawity 14:12, 9 September 2007 (UTC)[reply]
- all four files at "High" level
- all four at "Recommended"+"Scan archives"
- plaintext and COM at "Recommended"
- none at "Low" level.
Microsoft Security Essentials recognizes all four test files at [2] with real-time scan -- crazyburns 16:56, 1 October 2010 (UTC)[reply]

Failures

Grisoft AVG Anti-Virus doesn't appear to recognize the string, even in plaintext. 74.132.209.231 03:02, 28 June 2006 (UTC)[reply]
- At the moment of my writing, AVG Free Edition 9.0 says "Virus identified EICAR_test" for a file of any extension with proper EICAR test contents. Gryllida (page, talk, contributions) 10:59, 26 November 2009 (UTC)[reply]
- I have posted it above. 78.149.194.150 (talk) 19:15, 3 June 2010 (UTC)[reply]
ClamWin 0.88.2.3 doesn't appear to recognize the string when copy/pasted into a text editor (used UltraEdit). 74.132.209.231 17:55, 28 June 2006 (UTC)[reply]
AntiVir version 7, when saved as a plaintext file -- malo (tlk) (cntrbtns) 20:26, 28 June 2006 (UTC)[reply]
Avast! 4.7, plaintext completely unrecognized. -- malo (tlk) (cntrbtns) 20:26, 28 June 2006 (UTC)[reply]

Why do they detect it?

The one thing this article doesn't tell me is *why* AV programs pick it up. Are they specially taught to recognise this string, or is there something inherently "virus-like" in the file? When you think about it, since the file *is* benign, there's no particular reason they should do anything about it. It's like calling the fire brigade to tell them you're about to set off the fire alarm, then complaining when they don't show up. Stevage 13:48, 9 August 2006 (UTC)[reply]

It's more like holding fire drills, or testing your smoke alarm -- without starting a fire. Detecting the file means that your virus scanner is probably working properly. Furthermore, there's the possibility of testing your virus scanner's capability to detect viruses in compressed files, for example, without having to get an actual virus and then get your virus scanner to check it. You may want to use the Wikipedia:Reference desk for questions like this in future. Dysprosia 07:21, 10 August 2006 (UTC)[reply]

Reference desk? No, the article should explain more about how it works. heqs 14:33, 23 October 2006 (UTC)[reply]

The above guy has a point. If he still had to ask questions about basic information then this article needs expanding. The Kinslayer 12:26, 10 January 2007 (UTC)[reply]

The above point is still true today; it's not at all clear why this would be picked up as a virus by any scanning software. Tempshill (talk) 22:51, 6 April 2009 (UTC)[reply]

No, there is nothing *inherently* 'virus-like' about these files - nor is there about real viruses; this is why virus scanners must constantly update to keep up with new viruses. Virus scanners work, essentially, by matching patterns of bytes found in files on the user's machine with patterns of bytes found in their database of *known* viruses. When new viruses are found, new patterns are added to the database and this is pushed out as an automatic update to the virus scanning software. This file is detected as a virus (even though it isn't) because the virus software vendors have added its pattern to their database.62.232.250.50 (talk) 11:35, 9 November 2011 (UTC)[reply]

It makes use of self-modifying code

It makes use of self-modifying code to work around technical issues that this constraint makes on the execution of the test string.

What does this sentance mean? Regards, Ben Aveling 05:17, 28 November 2006 (UTC)[reply]

See: Self Modifying Code 62.232.250.50 (talk) 12:11, 9 November 2011 (UTC)[reply]

I have restored this sentence, because it was very significative to my understanding of the EICAR file itself.

The executable code should end with two assembly language instructions: INT 0x21, INT 0x20, which respectively means "print that string" and "end". However, the instruction code for INT is 0xCD, which is not an ASCII character available from keyboard (though it is printable).

The actual file ends with the four-byte instruction pair DEC AX; SUB CX,[BX+SI+2A], which is responsible for the H+H* substring.

The EICAR file overwrites these last four bytes, in order to get the 0x21, 0x20 sequence. Most of the previous code (before the string offset) is only purposed for modifying this bytes (and passing the parameters to INT 21h).

Initial condition: AX=0 (I don't know why... it seems to be a precondition)

CS:0101  354F21        XOR     AX,214F    //AX=214F
CS:0104  50            PUSH    AX          
CS:0105  254041        AND     AX,4140    //AX=0140
CS:0108  50            PUSH    AX
CS:0109  5B            POP     BX         //BX<-AX

Now we have BX=0140

CS:010A  345C          XOR     AL,5C       
CS:010C  50            PUSH    AX
CS:010D  5A            POP     DX
CS:010E  58            POP     AX
CS:010F  353428        XOR     AX,2834
CS:0112  50            PUSH    AX
CS:0113  5E            POP     SI

At this point we have SI = 097B (the code is weird because the keyboard-ASCII requirement).

CS:0114  2937          SUB     [BX],SI

word ptr [BX] contains 2B48, hence 2B48-097B = 21CD (note the bytes are reverted within the word).

CS:0116  43            INC     BX
CS:0117  43            INC     BX
CS:0118  2937          SUB     [BX],SI

Increment BX by 2, and repeat the trick. Now word ptr [BX] contains 2A48, hence 2B48-097B = 20CD.

CS:011A  7D24          JGE     0140

This condition always evaluates true. The string EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$ is stored in CS:011B through CS:0139.

CS:0140  CD21          INT     21
CS:0142  CD20          INT     20

Voilà!

Rjgodoy (talk) 09:48, 25 March 2008 (UTC)[reply]

If it is not clear enough I could try to explain it better... Rjgodoy (talk) 09:54, 25 March 2008 (UTC)[reply]

Update to the Adoption section

The Adoption section says that one Antivirus/Antimalware/EDR product doesn't detect it - Malwarebytes. However, it does seem to both detect and block the file, even if it doesn't show on VirusTotal

2603:6011:9403:B900:C917:690F:57A0:8737 (talk) 12:02, 10 May 2022 (UTC)[reply]

An updated version for non-16-bit-compatible NTVDM? Similar examples?

EICAR ever make one for newer OSes? If so, can someone from EICAR add it to the article? Interestingly, there's a malware called "Emptyspace" that is a text file that looks blank but is in fact executable. Not sure if that should be mentioned as it uses a similar technique. 74.196.181.80 (talk) 16:57, 12 February 2024 (UTC)[reply]