Test “virus” EICAR and its modifications

This test “virus” has been specially developed by EICAR (The European Institute for Computer Antivirus Research) for testing anti-virus products.

The test “virus” IS NOT a real virus, because it does not contain code that can harm your computer. However, most anti-virus products identify EICAR as a virus.

Never use real viruses to test the operation of an anti-virus product!

You can download this test “virus” from EICAR’s official website at http://www.eicar.org/anti_virus_test_file.htm.

Before you download the file, you have to pause the computer’s anti-virus protection, because otherwise the application would identify and process the test “virus” downloaded from the anti_virus_test_file.htm web page as an infected object transferred via HTTP.

The application identifies the file downloaded from the EICAR website as an infected object containing a virus that cannot be disinfected and performs the actions specified for this type of object.

You can also modify the standard test “virus” to verify the operation of the application. To modify the “virus”, change the content of the standard test “virus” by adding one of the prefixes to it (see table below). To modify the test “virus”, you can use any text or hypertext editor, such as Microsoft Notepad or UltraEdit32.

The first column of the table (see below) contains the prefixes that should be added at the beginning of the standard test “virus” to create its modifications. The second column lists all possible statuses assigned to the object, based on the results of the scan by the application. The third column indicates how the application processes objects with the specified status. Please note that the actions performed on the objects are determined by the application’s settings.

Once you have added a prefix to the test “virus”, save the resulting file under a name reflecting the “virus” modification. For example, having added the DELE- prefix, save the file as eicar_dele.com.

Make sure you have resumed anti-virus protection after downloading the test “virus” and creating its modifications.
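The modification procedure above can be scripted. The following is an added example, not code from the application's vendor or from EICAR: it reads the standard test file you downloaded, writes one prefixed copy per row of the table below, and after a scan classifies what is left on disk. The function names and the shortened status labels are assumptions made for illustration; as with manual editing, run it while protection is paused.

```python
import sys
from pathlib import Path

# Prefix -> status listed in the table ("" is the unmodified standard file).
# Labels are shortened from the table for display only.
EXPECTED_STATUS = {
    "": "Infected (non-disinfectable)",
    "CORR-": "Corrupted",
    "WARN-": "Suspicious (unknown virus)",
    "SUSP-": "Suspicious (modified known virus)",
    "ERRO-": "Scan error",
    "CURE-": "Infected (disinfectable)",
    "DELE-": "Infected (non-disinfectable)",
}

def variant_name(prefix: str) -> str:
    """Name a file after its modification, e.g. DELE- -> eicar_dele.com."""
    tag = prefix.rstrip("-").lower()
    return f"eicar_{tag}.com" if tag else "eicar.com"

def write_modifications(standard: bytes, out_dir: Path) -> dict:
    """Write one file per prefix; the prefix goes at the very start of the file."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    for prefix in EXPECTED_STATUS:
        path = out_dir / variant_name(prefix)
        path.write_bytes(prefix.encode("ascii") + standard)
        written[prefix] = path
    return written

def outcome(path: Path, standard: bytes) -> str:
    """Classify what is on disk after the application has scanned the file."""
    if not path.exists():
        return "removed"          # deleted or moved by the application
    data = path.read_bytes()
    if standard in data:
        return "untouched"        # test body still present
    if b"CURE" in data:
        return "disinfected"      # body replaced with the word CURE
    return "changed"

if __name__ == "__main__":
    # Usage: script.py <downloaded standard test file> <output directory>
    body = Path(sys.argv[1]).read_bytes()
    for prefix, path in write_modifications(body, Path(sys.argv[2])).items():
        print(f"{path.name}: expect {EXPECTED_STATUS[prefix]}")
```

After resuming protection and scanning the output directory, call outcome() on each path and compare the result with the report on the application's operation.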

Modifications of the test virus

| Prefix | Object status | Object processing information |
|---|---|---|
| No prefix, standard test “virus”. | Infected. Object contains code of a known virus. You cannot disinfect the object. | The application identifies the object as a non-disinfectable virus. An error occurs while attempting to disinfect the object; the action performed is that specified for non-disinfectable objects. |
| CORR- | Corrupted. | The application could access the object but could not scan it because it is corrupted (for example, the file structure is corrupted, or the file format is invalid). You can find the information that the object has been processed in the report on the application’s operation. |
| WARN- | Suspicious. The object contains code of an unknown virus. You cannot disinfect the object. | The object has been considered suspicious. At the time of detection, the application databases contain no description of the procedure for disinfecting this object. You will be notified when an object of this type is detected. |
| SUSP- | Suspicious. The object contains modified code of a known virus. You cannot disinfect the object. | The application detected a partial correspondence of a section of object code with a section of code of a known virus. At the time of detection, the application databases contain no description of the procedure for disinfecting this object. You will be notified when an object of this type is detected. |
| ERRO- | Scan error. | An error occurred during the scan of an object. The application could not access the object, since the integrity of the object has been breached (for example, no end to a multivolume archive) or there is no connection to it (if the object is scanned on a network resource). You can find the information that the object has been processed in the report on the application’s operation. |
| CURE- | Infected. Object contains code of a known virus. Disinfectable. | Object contains a virus that can be disinfected. The application disinfects the object; the text of the virus body is replaced with the word CURE. You will be notified when an object of this type is detected. |
| DELE- | Infected. Object contains code of a known virus. You cannot disinfect the object. | The application identifies the object as a non-disinfectable virus. An error occurs while attempting to disinfect the object; the action performed is that specified for non-disinfectable objects. You will be notified when an object of this type is detected. |
