EICAR is a group of security experts that research malware. Quite a while back, they created a test program that all antivirus scanners would recognize as being a “virus” file.
It has no virus attributes. In fact, it’s just a string of characters:
X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
That’s it. Nothing more. It’s not even designed to “simulate” a virus attack. It’s just something to test your antivirus product to make sure it’s detecting things, useful for testing security in an organization, etc., and virtually all antivirus scanners recognize it.
Enter Jan Monsch, a security expert who decided to embed this EICAR file into various versions of Word files and then run the results against VirusTotal.com.
He came up with results that to the casual observer, would be disturbing. AVG, Ewido, NOD32 and others all came in with zero detection of this file, while Microsoft and McAfee detected all the “samples”. Link here.
I don’t want to malign Jan, as his heart is in the right place. However, although well meaning, it’s not an entirely useful test.
Here’s why, and I’ll paraphrase virus expert Andreas Marx:
The EICAR test file was used incorrectly. An EICAR test file is not suitable for this kind of testing, as it should only be detected in its plain 68 byte version, according to the definition which can be found at the EICAR test site.
No AV product should be able to detect this file in other forms, if they would follow the strict definition which has been put into place for security reasons. For example, a while back, there was a virus that propagated itself by a .bat file. Trying to evade detection, it started with the EICAR Test Signature and then executed the virus. Many AV companies detected this BAT virus as being an EICAR test file, even though it was a very dangerous program. Similar issues can happen with other scripting languages, so the EICAR Test File definition was adjusted so that the file not only has to start with the EICAR Test File code, but it has a maximum length and only some whitespace characters (e.g. a CR/LF line-feed) were allowed.
Some AV companies are following this rule in a strict way (and they are blamed for not detecting the file, even they are following the rules), and other antivirus companies don’t care either way, so they are still detecting an EICAR test file — even if nothing should be detected.
Using command line scanners for the test: VirusTotal.com was used for the tests, which only uses command line scanners. The results of a command line scanner versus a full antivirus program can be different, such as the case of packed, archived or embedded malware.
Also, keep in mind that an embedded EICAR signature might or might not be stopped at a gateway; and it might or might not be stopped at the desktop by the on-demand scanner; but as long as the on-access guard is active, there should be no issue with the virus. If it gets in a state where it might be executable (e.g. extracted to a temp folder on disk), the real-time protection should be able to stop it.
The theory behind the test (embedding different viruses inside of different flavors of Word) is not entirely without merit — although one wonders if MS Word would even execute a piece of malware in this type of scenario. But this gets me back to a subject that I will keep harping on — simulators are not real world. We have good, solid nasty malware that’s freely available from the security research community for these types of tests.
Can we please all agree to stop using simulators for research and start testing with real malware? That’s what Vmware is for!
Alex Eckelberry
Update/Clarification: Jan explains that this exercise was to be used to test gateway scanning engines, which may change the argument about his not using a full antivirus product. More here. (I am in discussion with Jan about running a new test with real malware, which may be an interesting and potentially useful exercise.)