Does antivirus rain on your antivirus testing?

Suppose you need to test your antivirus software, but you don’t have a virus laying around to test with. How do you get a virus to test with? Sounds dangerous.

Luckily, smarter people than I have already thought of this problem. The solution is the EICAR test file/string. It’s a harmless string that most (almost all) antivirus vendors treat as a virus. The idea is that you can use this file instead of a live virus. If your antivirus alerts on it, you know all is good. If it doesn’t, then your antivirus doesn’t work.

So if you’re doing some security research* and need the EICAR test string you may run into a chicken and egg problem. You need the test string, but every time you download it your antivirus program deletes it right away!

I’ve made a simple dropper. By itself it doesn’t trigger most antivirus programs (props to ALYac, Ad-aware, BitDefender, Emsisoft, F-Secure, GData, MicroWorld-eScan, and nProtect).

The batch file will create a file named eicar.txt in the current directory. Hopefully your antivirus program will immediately alert when the file is created.

Here’s a zip file containing the dropper:

eicar_dropper.zip

And here’s the dropper itself:

* Hacking 🙂