Suppose you need to test your antivirus software, but you don’t have a virus lying around to test with. How do you get a virus to test with? Sounds dangerous.
Luckily, smarter people than I have already thought of this problem. The solution is the EICAR test file/string. It’s a harmless string that most (almost all) antivirus vendors treat as a virus. The idea is that you can use this file instead of a live virus. If your antivirus alerts on it, you know all is good. If it doesn’t, then your antivirus doesn’t work.
So if you’re doing some security research* and need the EICAR test string, you may run into a chicken-and-egg problem. You need the test string, but every time you download it, your antivirus program deletes it right away!
I’ve made a simple dropper. By itself it doesn’t trigger most antivirus programs (props to ALYac, Ad-aware, BitDefender, Emsisoft, F-Secure, GData, MicroWorld-eScan, and nProtect).
The batch file will create a file named eicar.txt in the current directory. Hopefully your antivirus program will immediately alert when the file is created.
Here’s a zip file containing the dropper:
And here’s the dropper itself:
    @ECHO OFF
    set A=X5O!P%%@AP[4\PZX54(P
    set B=)7CC)7}$EICA
    set C=R-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    echo %A%^^%B%%C% > eicar.txt
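If the antivirus stays quiet after the dropper runs, it helps to know whether eicar.txt is still a valid test file before blaming the scanner. The Python below is an added example, not part of the original post: it checks the file against EICAR's published rules (the 68-byte string, optional trailing space, tab, LF, CR or Ctrl-Z, at most 128 bytes in total) and reports what happened to it. The function names and the polling timeout are assumptions of this example.

```python
import os
import time

# The 68-byte string is assembled from the same three fragments the batch file
# uses, so this script does not contain the full signature either.
PART_A = rb"X5O!P%@AP[4\PZX54(P"
PART_B = rb")7CC)7}$EICA"
PART_C = rb"R-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = b" \t\n\r\x1a"  # space, tab, LF, CR, Ctrl-Z
MAX_LEN = 128


def eicar_string() -> bytes:
    return PART_A + b"^" + PART_B + PART_C


def is_valid_test_file(data: bytes) -> bool:
    """True if data is the 68-byte string plus only allowed trailing
    whitespace, with a total length of at most 128 bytes."""
    sig = eicar_string()
    if len(data) > MAX_LEN or not data.startswith(sig):
        return False
    return all(b in ALLOWED_TRAILING for b in data[len(sig):])


def check_dropped_file(path: str, wait: float = 5.0, step: float = 0.5) -> str:
    """Poll the dropped file. Returns 'removed' (absent: deleted, quarantined
    or never created), 'blocked', 'malformed' or 'untouched'."""
    deadline = time.monotonic() + wait
    while True:
        if not os.path.exists(path):
            return "removed"
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            return "blocked"        # on-access scanner denied the read
        if not is_valid_test_file(data):
            return "malformed"      # a scanner is not expected to alert on this
        if time.monotonic() >= deadline:
            return "untouched"      # valid test file, no reaction within `wait`
        time.sleep(step)


if __name__ == "__main__":
    print(check_dropped_file("eicar.txt"))
```

The batch file's `echo ... > eicar.txt` leaves a trailing space and CRLF, so the file is 71 bytes rather than 68; that still passes the check. An "untouched" result on a valid file is the case that points at the scanner rather than at the file.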
* Hacking 🙂