Testing Product Operation


The EICAR (European Institute for Computer Anti-Virus Research) test helps to check the operation of anti-virus programs that detect viruses using signatures. It was designed so that users can see how a newly installed anti-virus tool reacts to a detected virus without compromising the security of their computers.

Although the EICAR test is not actually a virus, the majority of anti-virus programs treat it as if it were one. On detection of this “virus”, Dr.Web anti-virus products report the following: EICAR Test File (NOT a Virus!). Other anti-virus tools alert users in a similar way. The EICAR test file is a 68-byte COM file for MS DOS/MS Windows that, when executed, outputs the following line to the terminal screen or console emulator:

EICAR-STANDARD-ANTIVIRUS-TEST-FILE!

The EICAR test contains the following character string only:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To create your own test file with the “virus”, create a new file that contains the line above.

If Dr.Web for Linux operates correctly, the test file is detected during a file system scan regardless of the scan type, and the user is notified of the detected threat: EICAR Test File (NOT a Virus!).

An example of a command that checks the operation of the program from the command line using the EICAR test:

$ tail /opt/drweb.com/share/doc/drweb-common/readme.eicar | grep X5O > testfile && drweb-ctl scan testfile && rm testfile

From the file /opt/drweb.com/share/doc/drweb-common/readme.eicar (supplied with the product), this command retrieves a string that represents the body of the EICAR test file, then writes it into a file named testfile created in the current directory, then scans the resulting file and removes this file afterwards.

The above-mentioned test requires write access to the current directory. In addition, make sure that the directory does not already contain a file named testfile (if necessary, change the file name in the command).

If a test virus is detected, the following message is displayed:

<path to the current directory>/testfile - infected with EICAR Test File (NOT a Virus!)

If an error occurs during the test, refer to the description of known errors.

If SpIDer Guard is enabled, a malicious file can be immediately removed or quarantined (depending on the configuration of the component). In this case, the rm command reports that the file is missing, which means that the monitor is operating normally.
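
The same check as a small shell function that addresses the two caveats above: it works in a fresh temporary directory instead of the current one, and it treats a test file that disappears before the scan as the SpIDer Guard case. This is an added example, not a script supplied with the product; the function name eicar_selftest and its return codes are hypothetical, and the scanner is passed as a parameter so that the logic can be exercised without the product installed.

```sh
#!/bin/sh
# Added example, not Dr.Web's own script. eicar_selftest is a hypothetical name.
EICAR_README=/opt/drweb.com/share/doc/drweb-common/readme.eicar  # path given on the page
EXPECTED='infected with EICAR Test File (NOT a Virus!)'          # message given on the page

# eicar_selftest SCANNER README
# Returns 0 = test file detected by the scan,
#         2 = test file removed before the scan (monitor acted on it),
#         1 = not detected, or the test string could not be extracted.
eicar_selftest() {
    scanner=$1
    readme=$2
    dir=$(mktemp -d "${TMPDIR:-/tmp}/eicar.XXXXXX") || return 1
    file=$dir/testfile
    # Extract only the test string; it contains no whitespace.
    body=$(grep -o 'X5O[^[:space:]]*' "$readme" | head -n 1)
    if [ "${#body}" -ne 68 ]; then           # the page states the file is 68 bytes
        echo "unexpected test string length: ${#body}" >&2
        rm -rf "$dir"
        return 1
    fi
    printf '%s' "$body" > "$file"
    if [ ! -e "$file" ]; then                # removed or quarantined on write
        echo "test file removed before scan: monitor is active"
        rm -rf "$dir"
        return 2
    fi
    # The exit status of the scanner is ignored; the reported message decides.
    out=$("$scanner" scan "$file" 2>&1) || true
    rm -rf "$dir"
    case $out in
        *"$EXPECTED"*) echo "detected: $out"; return 0 ;;
        *)             echo "NOT detected: $out" >&2; return 1 ;;
    esac
}

# Typical call on a host with the product installed:
#   eicar_selftest drweb-ctl "$EICAR_README"
```
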