How to use the EICAR anti-malware test file with McAfee products
Technical Articles ID: KB59742
Last Modified: 4/7/2017


Environment

All McAfee anti-malware products
European Institute for Computer Anti-virus Research (EICAR) anti-malware test file

Summary

The EICAR anti-malware test file was developed by the European Institute for Computer Anti-virus Research (EICAR). The EICAR test file is a legitimate DOS program that anti-virus software detects as malware. When the test file runs successfully (that is, when it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

There are two ways to obtain the standard EICAR test file:
  • Download the file directly from www.eicar.org.
  • Use a text editor to create the file:
     
    1. Open a text editor such as Notepad.
    2. Copy the following string into the new file:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      NOTE: The third character is the capital letter 'O', not the digit zero.
       
    3. Save the file as eicar.com.
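
A hand-typed or editor-saved copy can differ from the test string in ways that stop it being detected (a zero in place of the capital 'O', or an editor encoding other than plain ANSI). The following checker is an added example, not McAfee or EICAR code; the trailing-whitespace allowance and the 128-byte limit are taken from EICAR's published definition of the test file, not from this article.

```python
"""Check that a hand-made eicar.com matches the standard EICAR test file."""
import sys

# The 68-byte test string exactly as printed in this article.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Trailing bytes EICAR's definition tolerates: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_TOTAL = 128  # maximum file size in EICAR's definition


def check_test_file(data: bytes) -> list:
    """Return a list of problems; an empty list means the file is well formed."""
    if data.startswith(b"\xef\xbb\xbf"):
        return ["UTF-8 byte-order mark precedes the string; save as ANSI"]
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return ["file is UTF-16 encoded; save as ANSI"]
    problems = []
    head, tail = data[:len(EICAR)], data[len(EICAR):]
    if len(head) < len(EICAR):
        problems.append(f"truncated: {len(data)} bytes, need {len(EICAR)}")
    elif head != EICAR:
        # Report the first differing byte, 1-based like the NOTE above.
        pos = next(i for i, (a, b) in enumerate(zip(head, EICAR)) if a != b)
        hint = ""
        if (head[pos], EICAR[pos]) == (ord("0"), ord("O")):
            hint = " (digit zero typed instead of capital O)"
        problems.append(f"byte {pos + 1} is {chr(head[pos])!r}, "
                        f"expected {chr(EICAR[pos])!r}{hint}")
    if tail.strip(ALLOWED_TRAILING):
        problems.append("non-whitespace content after the test string")
    if len(data) > MAX_TOTAL:
        problems.append(f"file is {len(data)} bytes; limit is {MAX_TOTAL}")
    return problems


if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:
        issues = check_test_file(fh.read())
    print("\n".join(issues) or "OK: matches the EICAR test file")
    sys.exit(1 if issues else 0)
```

Run it against the saved file while On-Access scanning is disabled, otherwise the scanner blocks the read.
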
There are multiple ways to use the EICAR test file to verify that your security software is working correctly:

NOTE: If you use an EICAR test file with your McAfee anti-virus product, you can detect and block or quarantine the file, but you cannot clean it. The EICAR file does not contain any 'real' viral code; it is designed to make most anti-virus products react to it as if it were a real virus, so any attempt to clean the EICAR file will fail. This is expected.

Solution

Verify that the On-Access Scanner is working correctly
To verify that your On-Access Scanner is working, disable On-Access scanning, copy the EICAR test file to your system, re-enable On-Access scanning, and attempt to run the file.
  1. Disable On-Access scanning.

    NOTE: This procedure varies, depending on your operating system and product. See the appropriate User Guide for your software.

    For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.

     
  2. Save or create a copy of the EICAR test file (see Summary above).
  3. Enable On-Access scanning.
  4. Attempt to launch the EICAR file.
If the On-Access Scanner is functioning correctly, the EICAR file is detected as malware.

Solution

Verify that the On-Delivery Email Scanner is working correctly
To verify that your On-Delivery email scanner is working, use a Telnet utility to connect so that you can send the EICAR test string to a known recipient. If you attempt to send an email that contains the EICAR test string from your local mail client, your anti-virus software will detect the test string and block it.
  1. Click Start, Run, type cmd, and press ENTER.
  2. Type telnet <server.com> 25 and press ENTER.
    (where <server.com> is the name of the SMTP (outgoing) server of your mail server/provider)
  3. Type HELO <server.com> or EHLO <server.com> and press ENTER.
  4. Type MAIL FROM:you@server.com and press ENTER.
    You receive the response: 250 ok
  5. Type RCPT TO:yourname@yourserver.com and press ENTER.
    You receive the response: 250 ok
  6. To write the message, type DATA and press ENTER.
  7. On the first line type SUBJECT:yoursubject and press ENTER twice.
  8. Type your message, in this case the EICAR test string, and press ENTER:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
     
  9. Type a single full stop (.) on a line by itself and press ENTER to send your message.
    You receive a response similar to one of the following examples:
     
    • Message accepted for delivery
    • 250 OK id=`a long id`
       
  10. To exit Telnet, type QUIT and press ENTER.
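
The same SMTP dialogue can be scripted so the test is repeatable and every server reply is recorded. This is an added example using Python's standard smtplib, not McAfee code; the host name and addresses in it are placeholders to replace with your own test mailbox.

```python
"""Scripted version of the Telnet steps above, using Python's smtplib."""
import smtplib

# Test string as printed in this article (raw string keeps the backslash).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_message(subject: str, body: str = EICAR) -> str:
    """Steps 7-8: subject header, blank line (ENTER twice), then the body."""
    return f"Subject: {subject}\r\n\r\n{body}\r\n"


def send_test(server, sender, recipient, subject="EICAR test", port=25):
    """Run steps 2-10; return [(step, reply_code, reply_text), ...]."""
    log = []
    smtp = smtplib.SMTP(timeout=30)
    steps = [
        ("connect", lambda: smtp.connect(server, port)),         # step 2
        ("HELO", lambda: smtp.helo()),                           # step 3
        ("MAIL FROM", lambda: smtp.mail(sender)),                # step 4
        ("RCPT TO", lambda: smtp.rcpt(recipient)),               # step 5
        ("DATA", lambda: smtp.data(build_message(subject))),     # steps 6-9
    ]
    try:
        for name, run in steps:
            try:
                code, text = run()
            except smtplib.SMTPResponseException as exc:  # e.g. DATA refused
                code, text = exc.smtp_code, exc.smtp_error
            if isinstance(text, bytes):
                text = text.decode("ascii", "replace")
            log.append((name, code, text))
            if code >= 400:  # server refused this step, so stop the dialogue
                break
        smtp.quit()                                              # step 10
    except smtplib.SMTPServerDisconnected:
        pass  # server dropped the connection; keep what was logged
    finally:
        smtp.close()
    return log


if __name__ == "__main__":
    # Placeholder host and addresses: replace with your own test mailbox.
    for entry in send_test("mail.example.test", "you@example.test",
                           "yourname@example.test"):
        print(*entry)
```

A 250 reply to DATA only shows that the server accepted the message; confirm the detection itself in the email scanner's log or quarantine.
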

Solution

Verify that VirusScan Enterprise folder exclusions are working correctly

To verify VSE exclusions are correctly configured, copy the EICAR file to an excluded folder and attempt to run it. For more information on exclusions in VSE, see KB50998.
  1. Disable the Access Protection rule to prevent McAfee services from being stopped:
    1. Click Start, Programs, McAfee, VirusScan Console.
    2. Right-click Access Protection and select Properties.
    3. Click the Access Protection tab.
    4. In the lower left corner, deselect Prevent McAfee services from being stopped.
    5. Click Apply then OK.


  2. Stop the McShield Service:
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click McAfee McShield and select Stop.
       
  3. Save a copy of EICAR.COM to your local hard disk.
  4. Copy EICAR.COM to each excluded folder you want to test.
  5. Start the McShield Service: 
    1. Click Start, Run, type services.msc, and click OK.
    2. Right-click McAfee McShield and select Start.
    3. Close the Services Window.
       
  6. Run EICAR.COM:
    1. Browse to each folder where EICAR.COM was copied.
    2. Double-click EICAR.COM in each excluded folder.

      If the exclusions are configured properly, EICAR.COM runs without being detected. To confirm that the EICAR sample you are using is detected at all, also run the file from a non-excluded location; there, VSE detects EICAR.COM as a virus and prevents its execution.
       
  7. Re-enable the Access Protection rule to prevent McAfee services from being stopped:
     
    1. Click Start, Programs, McAfee, VirusScan Console.
    2. Right-click Access Protection and select Properties.
    3. In the lower left corner, select Prevent McAfee services from being stopped.
    4. Click Apply then OK.
    5. Close the VirusScan Console.

Solution

Verify that the Anti-Spyware component or add-on is working correctly
To test that your anti-spyware software is working correctly, create an EICAR-PUO test file. The EICAR-PUO test file functions in the same way as the standard EICAR test string, but is detected by anti-spyware as a Potentially Unwanted Program instead of a virus.

To create the EICAR-PUO test file:
  1. Open Notepad or a similar plain text editor.
  2. Copy the following text string into a new Notepad file:

    X5]+)D:)D<5N*PZ5[/EICAR-POTENTIALLY-UNWANTED-OBJECT-TEST!$*M*L 
     
  3. Select File, Save.
  4. Type the file name and click Save.

    NOTES:
    • To make the file easily recognizable, Technical Support recommends that you save the file as EICAR-PUO.COM. The saved file size should be 68-70 bytes.
    • All features of the standard EICAR detection remain true for EICAR-PUO.
    • The EICAR-PUO test file is identified under the test category in the same way as the standard EICAR test file.
    • EICAR-PUO is an anti-spyware test file. Therefore, you must enable PUP detection to be successful.
 

Previous Document ID

613376
