Knowledge Center

1. Disable on-access scanning.
   
   NOTE: This procedure varies, depending on your operating system and product. See the appropriate product guide for your software.
   
   
   For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.
   
    
2. Save or create a copy of the EICAR test file (see the Summary section above).
3. Enable on-access scanning.
4. Attempt to start the EICAR file.

1. Press Windows+R, type cmd, and press Enter.
2. Type telnet <server.com> 25 (where <server.com> is the name of the SMTP (outgoing) server of your mail server or provider) and press Enter.
3. Type HELO <server.com> or "EHLO <server.com>" and press Enter.
4. Type MAIL FROM:you@server.com and press Enter. You receive the response: 250 ok
5. Type RCPT TO:yourname@yourserver.com and press Enter. You receive the response: 250 ok
6. Type DATA and press Enter to write the message.
7. On the first line, type SUBJECT:yoursubject and press Enter twice.
8. Type your message, in this case the EICAR test string, and press Enter:
   
   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    
9. Type a single full stop (.) on a line by itself and press Enter to send your message. You receive a response similar to one of the following examples:
   • Message accepted for delivery
   • 250 OK id=`a long id`
      
10. To exit Telnet, type QUIT and press Enter.

Verify that VirusScan Enterprise folder exclusions are working correctly
To verify VirusScan Enterprise (VSE) exclusions are correctly configured, copy the EICAR file to an excluded folder and attempt to run it. For more information about exclusions in VSE, see KB50998.

1. Disable the Access Protection rule to prevent McAfee services from being stopped:
   1. Click Start, Programs, McAfee, VirusScan Console.
   2. Right-click Access Protection and select Properties.
   3. Click the Access Protection tab.
   4. In the lower left corner, deselect Prevent McAfee services from being stopped.
   5. Click Apply and then OK. 
2. Stop the McShield Service:
   1. Press Windows+R, type services.msc, and click OK.
   2. Right-click McAfee McShield and select Stop.
3. Save a copy of EICAR.COM to your local hard disk.
4. Copy EICAR.COM to each excluded folder you want to test.
5. Start the McShield Service: 
   1. Press Windows+R, type services.msc, and click OK.
   2. Right-click McAfee McShield and select Start.
   3. Close the Services Window.
6. Run EICAR.COM:
   1. Browse to each folder where EICAR.COM was copied.
   2. Double-click EICAR.COM in each excluded folder. If the exclusions are configured properly, EICAR.COM runs without being detected. You can verify this result by also running the file in a non-excluded location to verify the EICAR sample that you are using is detected. VSE detects EICAR.COM as a virus and prevents its execution.
7. Re-enable the Access Protection rule to prevent McAfee services from being stopped:
   1. Click Start, Programs, McAfee, VirusScan Console.
   2. Right-click Access Protection and select Properties.
   3. Click the Access Protection tab.
   4. In the lower left corner, select Prevent McAfee services from being stopped.
   5. Click Apply and then OK.
   6. Close the VirusScan Console.

1. Open a text editor such as Notepad.
2. Copy the following string into the new file:
   
   X5]+)D:)D<5N*PZ5[/EICAR-POTENTIALLY-UNWANTED-OBJECT-TEST!$*M*L 
    
3. Select File, Save.
4. Type the file name and click Save.
   
   NOTES:
   • To make the file easily recognizable, Technical Support recommends that you save the file as EICAR-PUO.COM. The saved file size is about 68–70 bytes.
   • All features of the standard EICAR detection remain true for EICAR-PUO.
   • The EICAR-PUO test file is identified under the test category in the same way as the standard EICAR test file.
   • EICAR-PUO is an antispyware test file. So, you must enable potentially unwanted program detection to be successful.

1. Enable AMSI integration in ENS.
2. Start PowerShell and run the following command:
   
   powershell echo '"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"'
    
3. Verify that a detection is triggered for the threat: EICAR!ams!XXXXX

1. Enable ScriptScan in the Endpoint Security policy.
2. Enable the ScriptScan plug-in in the browser.
3. Open a text editor, such as Notepad.
4. Create an eicar.html file. Add the content below in the file:
   
   NOTE: Modify the source path in the HTML to point to the location where eicar.html is created (for example, C:\temp\eicar.html).
   
   <!DOCTYPE html>
   <html>
   
   <head>
   <script type='text/javascript' src='file:///C:/temp/eicar.js'></script>
   </head>
   <body>
   <h1>An Eicar Test</h1>
   <p id="demo">Click the button</p>
   <button type="button" onclick="eicar()">Try it</button>
   
   </body>
   </html>
    
5. Create an exclusion in the on-access scan policy for eicar.js. If the exclusion is not created, on-access scan detects EICAR instead of ScriptScan.
6. Open a text editor, such as Notepad.
7. Create an eicar.js file in C:\temp. Add the content below in the file.
   
   function eicar() {
     alert("X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
   }
    
8. Open Internet Explorer and open C:\temp\eicar.html. Click button.
9. Verify that a pop-up message displays. The message states "Internet Explorer restricted this webpage from running scripts or ActiveX controls."
10. Verify that a detection is triggered for the threat: JC/Eicar