September 22, 2009 - Testing Virus Recognition - The EICAR Anti-Virus Test File

We are currently building a product that allows users to upload a file that we will then place on a publicly-available website.  One of the requirements is that we check the uploaded file for viruses first.  This presented an interesting testing opportunity.

Our enterprise anti-virus software can scan the uploaded files, and delete them if a virus is detected before they are moved to the externally-accessible location.  But how to test this?  We couldn't use a real virus - that's far too dangerous.

Fortunately, there's a nice solution.  Eicar, the European Institute for Computer Antivirus Research, in conjunction with most major anti-virus vendors, has created a file that is not a virus itself, but will cause most anti-virus software to react as if it were a virus.

If you copy the following 68-character string into notepad, and save it to a text file, your anti-virus software will treat that file as if it contained a virus:

X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

(Or download one of the files from http://www.eicar.org/anti_virus_test_file.htm)

For my tests, I simply had to take this file to a machine that had its own anti-virus software temporarily turned off, then submit it to the new product.

• Test completed. 
• The product reacted as expected.
• The appropriate message was written to the event log.
• The appropriate warning message was displayed to the user.
• The "pseudo-infected" file was deleted and not made public.
• Test Passed!

It's fun to learn a new technique.

See also:

http://en.wikipedia.org/wiki/EICAR_test_file
http://antivirus.about.com/od/whatisavirus/a/eicar.htm
http://www.anti-malware.info/weblog/2006/09/eicar-anti-virus-test-file-changed.html