European Institute for Computer Anti-Virus Research (EICAR) antimalware test file
Summary
The European Institute for EICAR developed the EICAR antimalware test file. The EICAR test file is a legitimate DOS program that is detected as malware by antivirus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".
There are two ways to obtain the standard EICAR test file:
NOTE: The third character is the capital letter 'O', not the digit zero.
Save the file aseicar.com.
There are multiple ways to use the EICAR test file to verify that your security software is working correctly.
NOTE: If you use an EICAR test file with your McAfee antivirus product, it is important to note that although you can detect and block or quarantine the file, you can't clean it. The reason is because the EICAR file does not contain any 'real' viral code. The EICAR test file is designed to make most antivirus products react to it as if it were a real virus. But, any attempt to clean the EICAR file fails. This behavior is expected.
Contents
Click to expand the section you want to view:
To verify that your on-access scanner is working, disable on-access scanning. Then, copy the EICAR test file to your system and attempt to run it.
Disable on-access scanning.
NOTE: This procedure varies, depending on your operating system and product. See the appropriate product guide for your software.
For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.
Save or create a copy of the EICAR test file.
Enable on-access scanning.
Attempt to start the EICAR file.
If the on-access scanner is functioning correctly, it is detected as malware.
To verify that your on-demand scanner is working, copy the EICAR test file to your system. Then, run a right-click scan on it.
Save or create a copy of the EICAR test file.
Enable on-demand scanning.
Right-click the EICAR file and select Scan for threats from the pop-up menu.
If the on-demand scanner is functioning correctly, it is detected as malware.
To verify that your On-Delivery Email Scanner is working, use a Telnet utility to connect so that you can send the EICAR test string to a known recipient. If you try to send an email that contains the EICAR test string from your local mail client, your antivirus software detects the test string and blocks it.
Press Windows+R, type cmd, and press Enter.
Type telnet<server.com>25 (where <server.com> is the name of the SMTP (outgoing) server of your mail server or provider) and press Enter.
Type HELO<server.com> or "EHLO<server.com>" and press Enter.
Type MAIL FROM:you@server.comand press Enter. You receive the response: 250 ok
Type RCPT TO:yourname@yourserver.com and press Enter. You receive the response:250 ok
Type DATA and press Enter to write the message.
On the first line, type SUBJECT:yoursubjectand press Enter twice.
Type your message, in this case the EICAR test string, and press Enter:
Disable the Access Protection rule to prevent McAfee services from being stopped:
Click Start, Programs, McAfee, VirusScan Console.
Right-click Access Protection and select Properties.
Click the Access Protection tab.
In the lower left corner, deselect Prevent McAfee services from being stopped.
Click Apply and then OK.
Stop the McShield Service:
Press Windows+R, type services.msc, and click OK.
Right-click McAfee McShield and select Stop.
Save a copy of EICAR.COM to your local hard disk.
Copy EICAR.COM to each excluded folder you want to test.
Start the McShield Service:
Press Windows+R, type services.msc, and click OK.
Right-click McAfee McShield and select Start.
Close the Services Window.
Run EICAR.COM:
Browse to each folder where EICAR.COM was copied.
Double-click EICAR.COM in each excluded folder. If the exclusions are configured properly, EICAR.COM runs without being detected. You can verify this result by also running the file in a non-excluded location to verify the EICAR sample that you are using is detected. VSE detects EICAR.COM as a virus and prevents its execution.
Re-enable the Access Protection rule to prevent McAfee services from being stopped:
Click Start, Programs, McAfee, VirusScan Console.
Right-click Access Protection and select Properties.
Click the Access Protection tab.
In the lower left corner, select Prevent McAfee services from being stopped.
Click Apply and then OK.
Close the VirusScan Console.
To test that your antispyware software is working correctly, create an EICAR-PUO test file. The EICAR-PUO test file functions in the same way as the standard EICAR test string. But, antispyware detects it as a potentially unwanted program instead of a virus.