- Disable on-access scanning.
NOTE: This procedure varies, depending on your operating system and product. See the appropriate product guide for your software.
For product documents, go to the Product Documentation portal.
- Save or create a copy of the EICAR test file.
- Enable on-access scanning.
- Try to start the EICAR file.
How to use the EICAR test file with our products
Technical Articles ID: KB59742
Last Modified: 2023-02-22 22:28:33 Etc/GMT
Environment
Endpoint Security (ENS) Threat Prevention 10.x
VirusScan Enterprise (VSE) 8.8
European Institute for Computer Anti-Virus Research (EICAR) antimalware test file
Summary
EICAR developed the EICAR antimalware test file. The EICAR test file is a legitimate DOS program that's detected as malware by antivirus software. When the test file runs successfully (if it isn't detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
There are two ways to obtain the standard EICAR test file:
- Download the file directly from the EICAR website.
- Use a text editor to create the file:
  - Open a text editor such as Notepad.
  - Copy the following string into the new file:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    NOTE: The third character is the capital letter 'O,' and not the digit zero.
  - Save the file as eicar.com.
There are multiple ways to use the EICAR test file to verify that your security software is working correctly.
NOTES:
- If you use an EICAR test file, note that although you can detect and block or quarantine the file, you can't clean it. The EICAR file doesn't contain any 'real' viral code; it's designed to make most antivirus products react to it as if it were a real virus. So any attempt to clean the EICAR file fails. This behavior is expected.
- The EICAR test string is detected in any file that starts with the 68 characters shown above and is exactly 68 bytes long. Modifying the string or adding text could result in the test file not being detected.
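One way to check a saved file against the rule in the note above (starts with the 68 characters, exactly 68 bytes long), as an added example that is not part of the original article or the vendor's tooling. The function name diagnose and the script name are hypothetical; the checks cover the usual ways a text editor breaks the rule (byte-order mark, UTF-16 encoding, trailing newline) and the zero-for-'O' typo.

```python
import codecs
import sys

# The 68-character string from this article, as raw bytes.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BOMS = ((codecs.BOM_UTF8, "UTF-8"), (codecs.BOM_UTF16_LE, "UTF-16 LE"),
        (codecs.BOM_UTF16_BE, "UTF-16 BE"))


def diagnose(data: bytes) -> list[str]:
    """Return why `data` breaks the 68-byte rule; an empty list means it conforms."""
    problems = []
    if len(data) != len(EICAR):
        problems.append(f"file is {len(data)} bytes, expected {len(EICAR)}")
    for bom, name in BOMS:
        if data.startswith(bom):
            problems.append(f"{name} byte-order mark precedes the string")
            data = data[len(bom):]
            break
    if b"\x00" in data:
        problems.append("NUL bytes present: saved as UTF-16 instead of ANSI/ASCII")
        data = data.replace(b"\x00", b"")
    head, tail = data[:len(EICAR)], data[len(EICAR):]
    if head != EICAR:
        if head[2:3] == b"0" and head[:2] + b"O" + head[3:] == EICAR:
            problems.append("third character is the digit zero, not capital O")
        else:
            problems.append("leading bytes do not match the test string")
    elif tail:
        kind = "whitespace/newline" if not tail.strip() else "extra content"
        problems.append(f"{len(tail)} trailing byte(s) of {kind} after the string")
    return problems


if __name__ == "__main__":
    # Usage: python check_eicar.py <path-to-file>  (script name is hypothetical)
    with open(sys.argv[1], "rb") as fh:
        issues = diagnose(fh.read())
    print("conforms to the 68-byte rule" if not issues else "\n".join(issues))
```

Run it while on-access scanning is still disabled; with scanning enabled, the scanner may block the script from reading the file.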
- Save or create a copy of the EICAR test file.
- Enable on-demand scanning.
- Right-click the EICAR file and select Scan for threats from the pop-up menu.
- Press Windows+R, type cmd, and press Enter.
- Type telnet <server.com> 25 (where <server.com> is the name of the SMTP (outgoing) server of your mail server or provider) and press Enter.
- Type HELO <server.com> or EHLO <server.com> and press Enter.
- Type MAIL FROM:you@server.com and press Enter. You receive the response: 250 ok
- Type RCPT TO:yourname@yourserver.com and press Enter. You receive the response: 250 ok
- Type DATA and press Enter to write the message.
- On the first line, type SUBJECT:yoursubject and press Enter twice.
- Type your message, in this case the EICAR test string, and press Enter:
  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- Type a single full stop (.) on a line by itself and press Enter to send your message. You receive a response similar to one of the following examples:
  Message accepted for delivery
  250 OK id=`a long id`
- To exit Telnet, type QUIT and press Enter.
- Disable the Access Protection rule that prevents our services from being stopped:
  - Click Start, Programs, McAfee, VirusScan Console.
  - Right-click Access Protection and select Properties.
  - Click the Access Protection tab.
  - In the lower left corner, deselect Prevent McAfee services from being stopped.
  - Click Apply and then OK.
- Stop the McShield Service:
  - Press Windows+R, type services.msc, and click OK.
  - Right-click McAfee McShield and select Stop.
- Save a copy of EICAR.COM to your local hard disk.
- Copy EICAR.COM to each excluded folder that you want to test.
- Start the McShield Service:
  - Press Windows+R, type services.msc, and click OK.
  - Right-click McAfee McShield and choose Start.
  - Close the Services Window.
- Run EICAR.COM:
  - Browse to each folder where EICAR.COM is copied.
  - Double-click EICAR.COM in each excluded folder. If the exclusions are configured properly, EICAR.COM runs without being detected. To confirm that the EICAR sample you're using is detected, also run the file in a non-excluded location. There, VSE detects EICAR.COM as a virus and prevents its execution.
- Re-enable the Access Protection rule that prevents our services from being stopped:
  - Click Start, Programs, McAfee, VirusScan Console.
  - Right-click Access Protection and select Properties.
  - Click the Access Protection tab.
  - In the lower left corner, select Prevent McAfee services from being stopped.
  - Click Apply and then OK.
  - Close the VirusScan Console.
To create the
- Open a text editor such as Notepad.
- Copy the following string into the new file:
X5]+)D:)D<5N*PZ5[/EICAR-POTENTIALLY-UNWANTED-OBJECT-TEST!$*M*L
- Select File, Save.
- Type the file name and click Save.
NOTES:
- To make the file easily recognizable, Technical Support recommends that you save the file as EICAR-PUO.COM. The saved file size is about 68–70 bytes.
- All features of the standard EICAR detection remain true for EICAR-PUO.
- The EICAR-PUO test file is identified under the test category in the same way as the standard EICAR test file. EICAR-PUO is an antispyware test file. So, you must enable potentially unwanted program detection to be successful.
NOTE: AMSI only works with an operating system that supports it (for example, Windows 10 and Windows Server 2016).
- Enable AMSI integration in ENS.
- Start PowerShell and run the following command:
powershell echo '"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"'
- Verify that a detection is triggered for the threat:
EICAR!ams!XXXXX
- Enable ScriptScan in the ENS policy.
- Enable the ScriptScan plug-in in the browser.
- Open a text editor, such as Notepad.
- Create an eicar.html file. Add the content below in the file:
NOTE: Modify the source path in the HTML. Reference the location where eicar.html is created (for example, C:\temp\eicar.html).
<!DOCTYPE html>
<html>
<head>
<script type='text/javascript' src='file:///C:/temp/eicar.js'></script>
</head>
<body>
<h1>An Eicar Test</h1>
<p id="demo">Click the button</p>
<button type="button" onclick="eicar()">Try it</button>
</body>
</html>
- Create an exclusion in the on-access scan policy for eicar.js. If the exclusion isn't created, the on-access scan detects EICAR instead of ScriptScan.
- Open a text editor, such as Notepad.
- Create an eicar.js file in C:\temp. Add the content below in the file.
function eicar() {
alert("X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
}
- Open Internet Explorer and open C:\temp\eicar.html. Click Try it.
- Verify that a pop-up message displays. The message states "Internet Explorer restricted this webpage from running scripts or ActiveX controls."
- Verify that a detection is triggered for the threat:
JC/Eicar
Related Information
NOTE: This article combines content that was originally published in articles KB55194, KB54228, KB59742, and KB50133.
Previous Document ID (Secured)
613376