Testing Product Operation

The EICAR (European Institute for Computer Anti-Virus Research) test helps test the operation of anti-virus programs that detect viruses using signatures. This test was designed specifically so that users could test the reaction of an installed anti-virus to a threat without putting their computers at risk.

Although the EICAR test program is not actually malware, it is treated by the majority of anti-viruses as a virus. Dr.Web anti-virus products report the following upon detection of this “virus”: EICAR Test File (NOT a Virus!). Other anti-viruses alert users in a similar way. The EICAR test program is a 68-byte .com file for MS-DOS/Windows that outputs the following message to the console or to a terminal emulator screen when run:

EICAR-STANDARD-ANTIVIRUS-TEST-FILE!

The test program body contains only text characters that form the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

If you create a text file consisting of the string provided above, the resulting file will be the “virus” program.

If Dr.Web for Linux operates correctly, this file must be detected during a file system scan regardless of the scan type and the user must be notified of the detected threat: EICAR Test File (NOT a Virus!).

An example of a command to test the operation of Dr.Web for Linux using the EICAR test program:

$ echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > testfile && drweb-ctl rawscan testfile && rm testfile

This command writes the string that represents the body of the EICAR test program to a file named testfile created in the current directory, scans the resulting file and removes this file afterwards.

The abovementioned test requires write access to the current directory. In addition, make sure that it does not contain a file named testfile (if necessary, change the file name in the command).

If the test “virus” is detected, the following message is displayed:

<path to the current directory>/testfile - infected with EICAR Test File (NOT a Virus!)

If an error occurs during the test, refer to the description of known errors.

If the SpIDer Guard file monitor is enabled, the file can be immediately deleted or quarantined upon detection of the threat (depending on component settings). In this case, after the threat notification is displayed, the rm command will report that the file is missing, which implies that the monitor operates correctly.
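
The same check as a reusable script, given here as an added example and not part of the Dr.Web documentation: it writes the test string into a fresh temporary directory (so no existing testfile is touched), looks for the detection message quoted above in the scanner output, and treats a file removed during the test as the SpIDer Guard case. The function names are hypothetical, and the exit status of drweb-ctl rawscan is deliberately not relied on.

```shell
#!/bin/sh
# Added example: EICAR self-test helper (function names are hypothetical).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write the test string into a new private directory and print the file path.
# printf '%s' adds no trailing newline, so the file is exactly 68 bytes
# (echo, as in the one-line command, appends a newline).
make_eicar() {
    dir=$(mktemp -d) || return 1
    printf '%s' "$EICAR" > "$dir/testfile" || return 1
    printf '%s\n' "$dir/testfile"
}

# Return 0 if the scanner output on stdin contains the detection message.
detected() {
    grep -F -q -- 'infected with EICAR Test File (NOT a Virus!)'
}

# Full check: 0 = threat handled, 1 = not detected, 2 = test could not run.
eicar_selftest() {
    command -v drweb-ctl >/dev/null 2>&1 || {
        echo "drweb-ctl not found in PATH" >&2
        return 2
    }
    file=$(make_eicar) || return 2
    # Only the output is inspected; the exit status is ignored on purpose.
    out=$(drweb-ctl rawscan "$file" 2>&1) || true
    printf '%s\n' "$out"
    rc=1
    if printf '%s\n' "$out" | detected; then
        rc=0
    fi
    # A file that vanished during the test was deleted or quarantined by
    # the file monitor, which the text above treats as correct operation.
    if [ ! -e "$file" ]; then
        echo "testfile already removed (SpIDer Guard active?)" >&2
        rc=0
    fi
    rm -rf -- "$(dirname -- "$file")"
    return "$rc"
}
```

To run the check, source the script and call eicar_selftest; its return code can then be used by a monitoring job.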