Testing the Anti-Virus

Testing the Anti-Virus with EICAR file

The EICAR (European Institute for Computer Anti-Virus Research) test file helps test the performance of anti-virus programs that detect threats using signature analysis.

For this purpose, most anti-virus software vendors use a standard test.com program. This program was designed specifically so that users can check how a newly installed anti-virus tool reacts to a detected threat without compromising the security of their computers. Although the test.com program is not actually malicious, the majority of anti-virus programs treat it as if it were a threat. On detection of this file, Dr.Web reports the following: EICAR Test File (Not a Virus!). Other anti-virus tools alert users in a similar way.

The test.com program is a 68-byte COM-file that prints the following line on the console when executed: EICAR-STANDARD-ANTIVIRUS-TEST-FILE!

The test.com file contains the following character string only:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To make your own test file with the “threat”, create a new file with this line and save it as test.com.

Note

When running in the Optimal mode, SpIDer Guard does not terminate execution of an EICAR test file and the file is not processed as malicious since it does not pose any actual threat to your system. However, if you copy or create such a file in your system, it will be detected by SpIDer Guard and moved to Quarantine by default.
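An added example (not part of the Dr.Web documentation): a Python check that a test.com you created is byte-for-byte the 68-byte string above, since text editors often append a newline or save with a BOM or as UTF-16. The function names and the sample inputs are constructed for illustration.

```python
import os
import tempfile

# Test string exactly as printed on this page: 68 ASCII characters.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def diagnose(data: bytes) -> list:
    """Return the reasons `data` is not the exact test file (empty list = OK)."""
    if data == EICAR:
        return []
    pos = data.find(EICAR)
    if pos == -1:
        if data.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in data:
            return ["saved as UTF-16; the file must be single-byte ASCII"]
        return ["test string altered or truncated"]
    problems = []
    prefix, suffix = data[:pos], data[pos + len(EICAR):]
    if prefix == b"\xef\xbb\xbf":
        problems.append("UTF-8 byte order mark before the string")
    elif prefix:
        problems.append(f"{len(prefix)} unexpected byte(s) before the string")
    if suffix:
        problems.append(f"{len(suffix)} trailing byte(s): {suffix!r}")
    return problems


def write_and_probe(directory: str) -> str:
    """Write test.com, read it back; 'intercepted' if blocked, removed or altered."""
    path = os.path.join(directory, "test.com")
    try:
        with open(path, "wb") as fh:  # binary mode: no BOM, no newline added
            fh.write(EICAR)
        with open(path, "rb") as fh:
            return "intact" if fh.read() == EICAR else "intercepted"
    except OSError:  # e.g. access denied or file already moved to quarantine
        return "intercepted"


if __name__ == "__main__":
    # Constructed samples of what text editors commonly produce.
    samples = [("exact", EICAR), ("trailing CRLF", EICAR + b"\r\n"),
               ("UTF-8 BOM", b"\xef\xbb\xbf" + EICAR),
               ("UTF-16", EICAR.decode("ascii").encode("utf-16"))]
    for label, sample in samples:
        print(f"{label}: {diagnose(sample) or 'OK'}")
    with tempfile.TemporaryDirectory() as tmp:
        print("on-disk result:", write_and_probe(tmp))
```

Quarantine may happen a moment after the write completes, so an "intact" result immediately after creation is not by itself evidence that the scanner missed the file.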

Testing the Anti-Virus with CloudCar file

To check the Dr.Web Cloud service, use the CloudCar test file by AMTSO (Anti-Malware Testing Standards Organization). This file is specially created to check cloud service operation. It is not a virus.

To check Dr.Web Cloud operation

1. Temporarily disable the SpIDer Gate component, if it is installed. Make sure the usage of the Dr.Web Cloud service is enabled.

2. Download the test file. For that, go to http://kettle.dev.drweb.com/public/cloudcar.exe (EXE, 7 KB).

3. If the SpIDer Guard is installed and enabled, Dr.Web automatically moves the file to quarantine after the file is saved to the computer. If the SpIDer Guard component is not installed or disabled, scan the downloaded file. For that, right-click on the file name and select the Check with Dr.Web option in the context menu.

4. Check that the test file is processed by Dr.Web as CLOUD:AMTSO.Test.Virus. The CLOUD prefix in the threat name indicates correct Dr.Web Cloud operation.

5. Enable the SpIDer Gate component if it has been disabled according to step 1 of this instruction.