Testing the Operation of the Product


The EICAR (European Institute for Computer Anti-Virus Research) test helps check the operation of anti-virus programs that detect viruses using signatures. The test was designed so that users can check how a newly installed anti-virus tool reacts to a detected virus without compromising the security of their computers.

Although the EICAR test is not actually a virus, most anti-virus programs treat it as one. On detecting this “virus”, Dr.Web anti-virus products report the following: EICAR Test File (NOT a Virus!). Other anti-virus tools alert users in a similar way. The EICAR test file is a 68-byte COM file for MS DOS/MS Windows that, when executed, outputs the following line to the console:

EICAR-STANDARD-ANTIVIRUS-TEST-FILE!

The EICAR test file contains only the following character string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To create your own test file with the “virus”, create a new file containing the line above.

If Dr.Web for UNIX Internet Gateways operates correctly, the test file is detected during a file system scan regardless of the scan type, and the user is notified of the detected threat: EICAR Test File (NOT a Virus!).

The following example command checks the operation of the program from the command line by means of the EICAR test:

$ tail <opt_dir>/share/doc/drweb-common/readme.eicar | grep X5O > testfile && drweb-ctl rawscan testfile && rm testfile

This command retrieves the string that represents the body of the EICAR test file from <opt_dir>/share/doc/drweb-common/readme.eicar (supplied with the product), writes it to the file testfile in the current directory, scans the resulting file, and then removes it.

The above-mentioned test requires write access to the current directory. In addition, make sure that the directory does not already contain a file named testfile (if necessary, change the file name in the command).

For details on conventions for <opt_dir>, <etc_dir>, and <var_dir>, refer to the Introduction.

If a test virus is detected, the following message is displayed:

<path to the current directory>/testfile - infected with EICAR Test File (NOT a Virus!)

If an error occurs during the test, refer to the description of known errors (see Appendix F. Known Errors).

If SpIDer Guard is enabled, a malicious file can be immediately removed or quarantined (depending on the configuration of the component). In this case, the rm command reports that the file is missing, which indicates that the monitor is operating normally.
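
The check above can be wrapped so that it avoids the two caveats noted earlier (write access to the current directory, a pre-existing testfile) and distinguishes the SpIDer Guard case. This is an added example, not part of the product documentation; the function name eicar_selftest, the SCAN_CMD override and the return codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the product. Assumed names: eicar_selftest,
# SCAN_CMD, and the return codes 0/1/2 described below.
#
# Usage: eicar_selftest <path to readme.eicar>
#   0 - scanner reported the documented EICAR message
#   2 - test file disappeared (an on-access monitor such as SpIDer Guard
#       removed or quarantined it)
#   1 - any other outcome (no detection, readme missing, scan error)
eicar_selftest() {
    readme=$1
    scan_cmd=${SCAN_CMD:-"drweb-ctl rawscan"}
    expected='infected with EICAR Test File (NOT a Virus!)'

    # Private scratch directory: no clash with an existing "testfile"
    # and no dependency on write access to the current directory.
    workdir=$(mktemp -d) || return 1
    testfile=$workdir/testfile

    # Same extraction as the documented command.
    if ! tail "$readme" | grep X5O > "$testfile"; then
        rm -rf "$workdir"
        return 1
    fi

    # Only the documented message is relied on, not the exit status.
    output=$($scan_cmd "$testfile" 2>&1) || true

    case $output in
        *"$expected"*)
            rc=0 ;;
        *)
            if [ -e "$testfile" ]; then
                printf '%s\n' "$output" >&2   # show what the scanner said
                rc=1
            else
                rc=2                          # file removed by the monitor
            fi ;;
    esac

    rm -rf "$workdir"
    return $rc
}
```

Call it as eicar_selftest <opt_dir>/share/doc/drweb-common/readme.eicar, with <opt_dir> replaced according to the conventions described in the Introduction.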