If you are active in the anti-virus research field, then you will regularly receive requests for virus samples. Some requests are easy to deal with: they come from fellow-researchers whom you know well, and whom you trust. Using strong encryption, you can send them what they have asked for by almost any medium (including across the Internet) without any real risk.
Other requests come from people you have never heard from before. There are relatively few laws (though some countries do have them) preventing the secure exchange of viruses between consenting individuals, though it is clearly irresponsible for you simply to make viruses available to anyone who asks. Your best response to a request from an unknown person is simply to decline politely.
A third set of requests come from exactly the people you might think would be least likely to want viruses: users of anti-virus software.
They want some way of checking that they have deployed their software correctly, or of deliberately generating a "virus incident" in order to test their corporate procedures, or of showing others in the organization what they would see if they were hit by a virus.
Obviously, there is considerable intellectual justification for testing anti-virus software against real viruses. If you are an anti-virus vendor, then you do this (or should do it!) before every release of your product, in order to ensure that it really works. However, you do not (or should not!) perform your tests in a "real" environment. You use (or should use!) a secure, controlled and independent laboratory environment within which your virus collection is maintained.
Using real viruses for testing in the real world is rather like setting fire to the dustbin in your office to see whether the smoke detector is working. Such a test will give meaningful results, but with unappealing, unacceptable risks.
Since it is unacceptable for you to send out real viruses for test or demonstration purposes, you need a file that can safely be passed around and which is obviously non-viral, but which your anti-virus software will react to as if it were a virus.
If your test file is a program, then it should also produce sensible results if it is executed. Also, because you probably want to avoid shipping a pseudo-viral file along with your anti-virus product, your test file should be short and simple, so that your customers can easily create copies of it for themselves.
The good news is that such a test file already exists. A number of anti-virus researchers have already worked together to produce a file that their (and many other) products "detect" as if it were a virus.
Agreeing on one file for such purposes simplifies matters for users: in the past, most vendors had their own pseudo-viral test files which their product would react to, but which other products would ignore.
This test file has been provided to EICAR for distribution as the "EICAR Standard Anti-Virus Test File", and it satisfies all the criteria listed above. It is safe to pass around, because it is not a virus, and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as "EICAR-AV-Test").
The file is a legitimate DOS program which can be run under DOS or from Windows, and produces sensible results. When run, it prints the following message:
EICAR-STANDARD-ANTIVIRUS-TEST-FILE!
It is also short and simple - in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product which supports the EICAR test file should "detect" it in any file which starts with the following 68 characters:
To keep things simple, the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter "O", not the digit zero. To create your own copy of the EICAR.COM test file, create a new file called EICAR.COM (from a DOS prompt, type COPY CON EICAR.COM). Type or copy the above 68 characters to the file and write the file by hitting F6 and then ENTER. This will create a new EICAR.COM file.
You are encouraged to make use of the EICAR test file. If you are aware of people who are looking for real viruses "for test purposes", bring the test file to their attention. If you are aware of people who are discussing the possibility of an industry-standard test file, tell them about www.eicar.org, and point them at this article.
We have provided a number of different flavors of the EICAR.COM file. The variety of these files allows you to test how effective your anti-virus software is. It is highly unlikely that any single anti-virus solution will be able to deal successfully with all of these variations.
In order to facilitate various scenarios, we provide the following files:
- eicar.com - Contains the compiled ASCII string as described above.
- eicar.com.txt - A renamed eicar.com file. Some users reported problems when downloading eicar.com due to the .com extension.
- eicar_com.zip - This file contains the eicar.com file in a standard ZIP file.
- eicarcom2.zip - This is a zip inside a zip. This is a test for recursive virus scanning.
- eicarpw.zip - A password protected ZIP file. The password to unarchive the zip is "eicar".
- eicarsfx.exe - A self-extracting ZIP archive. Simply run it from Windows to extract the eicar.com file.
- eicar.rar - Compressed with the RAR utility.
- eicar.lzh - Compressed using the LHA utility.
- eicar.com.bz2 - Compressed with the bzip2 utility.
- eicar.tgz - Compressed with the TAR and GZIP utilities.
- eicar.tar - A TAR copy of eicar.com.
- eicar.tar.gz - Another copy of eicar.com, first archived with TAR and then run through GZIP.
- eicar.com.gz - Compressed with GZIP.
- datetime.com - A small uninfected COM file to verify you are receiving attachments.
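The container variants in this list differ mainly in how many layers a scanner must unpack before it reaches eicar.com. The following Python code is an added example, not part of the original article or EICAR's own code: it rebuilds the variants that the standard library can produce and reports the nesting depth at which the payload appears. MARKER is a constructed placeholder rather than the real test string, and all function names are hypothetical.

```python
import bz2, gzip, io, tarfile, zipfile

# Constructed stand-in, NOT the real test string; substitute your eicar.com bytes.
MARKER = b"PLACEHOLDER-FOR-YOUR-TEST-FILE-BYTES"

def zip_of(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()

def tar_of(name, data):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_variants(payload):
    """Rebuild the listed containers that the standard library can create."""
    inner, tar = zip_of("eicar.com", payload), tar_of("eicar.com", payload)
    return {"eicar.com": payload, "eicar_com.zip": inner,
            "eicarcom2.zip": zip_of("eicar_com.zip", inner),
            "eicar.com.bz2": bz2.compress(payload), "eicar.com.gz": gzip.compress(payload),
            "eicar.tar": tar, "eicar.tar.gz": gzip.compress(tar)}

def children_of(data):
    """Unpack one container layer; return [] if data is not a known container."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [z.read(n) for n in z.namelist()]
    if data[:2] == b"\x1f\x8b":          # gzip magic bytes
        return [gzip.decompress(data)]
    if data[:3] == b"BZh":               # bzip2 magic bytes
        return [bz2.decompress(data)]
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as t:
            return [t.extractfile(m).read() for m in t if m.isfile()]
    except tarfile.TarError:
        return []

def find_depth(data, marker=MARKER, depth=0, max_depth=4):
    """Layers unpacked before a member starts with marker; None if not reached."""
    if data.startswith(marker):
        return depth
    if depth >= max_depth:               # models a scanner's recursion limit
        return None
    hits = (find_depth(c, marker, depth + 1, max_depth) for c in children_of(data))
    return next((h for h in hits if h is not None), None)
```

With `max_depth=1` the zip-inside-a-zip case returns `None`, which is the miss that eicarcom2.zip is meant to expose in a scanner that does not recurse.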
Notes for Downloading EICAR files: It may be necessary to hold down the SHIFT key before clicking the Download button in order to keep the selected file from opening in your browser. If a file opens in your browser you can attempt to save it to disk to test your Anti-Virus software, or click your browser's BACK button and hold the SHIFT key to download the selected file.
Notes for Emailing EICAR files: Only one file can be attached to a message. After clicking the Send button, click your browser's BACK button to select a different file to send to the same email recipient.
Important note: EICAR or Information Technologies can not and will not be held responsible in any way for any damage or loss associated with the use of these files. You download, email, or use these files at your own risk. Use these files only if you are sufficiently secure in the usage and operation of your Anti-Virus software. EICAR or Information Technologies can not and will not provide any assistance in dealing with these files. Please contact the manufacturer/vendor of your Anti-Virus software to provide such help.