This article is from the Computer viruses FAQ, by David Harley D.Harley@icrf.icnet.uk, George Wenzel gwenzel@telusplanet.net and Bruce Burrell bpb@umich.edu with numerous contributions by others.
Well, I won't send you one... Most packages have some means of allowing
you to trigger a test alert. There is a standard EICAR test file which
is recognized by some packages.
Most reputable, current anti-virus products will now alert on the EICAR
anti-virus test file. See the following site for background on this file:
http://www.eicar.org/
To make use of the EICAR test string, type or copy/paste the
following text into a file called EICAR.COM, or TEST.COM or whatever.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Running the file displays the text "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".
The EICAR file isn't an indication of a scanner's -efficiency- at
detecting viruses, since (1) it isn't a virus and (2) detecting
a single virus or non-virus isn't a useful test of the number of
viruses detected. It's a (limited) check on whether the program
is installed, but I'm not sure it's a measure of whether it's installed
correctly. For instance, the fact that a scanner reports correctly that a
file called EICAR.COM contains the EICAR string, doesn't tell you
whether it will detect macro viruses, for example. In fact, if I wanted
to be really picky, I'd have to say that it doesn't actually tell you
anything except that the scanner detects the EICAR string in files with
a particular extension.
The string is supposed to trigger an alarm only when detected at
the beginning of the file. Some products are known to 'false alarm'
by triggering on files which contain the string elsewhere.
[I have Chengi Jimmy Kuo's permission to reproduce the following, a
propos of the last-but-one paragraph]:
"The purpose of the EICAR test file is for the user to test all the
bells and whistles associated with detecting a virus. And, if given
that one platform detects it, is everything else working? It is to
enable such things as:
Is the alert system working correctly?
Does the beeper work?
Does the network alert work?
Does it log correctly?
What does it say?
Is the NLM working? For inbound? For outbound?
Is compressed file scanning working?
Surprise MIS testing of AV security placements.
The file serves no purpose in testing whether one product is better
than another. Previously, every product had to supply its own test
methods. This allows for an independent standard."
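The rule stated earlier (alert only when the string is at the beginning of the file) and the compressed-file check in the list above can be exercised together. The following Python code is an added example, not part of the FAQ or of any anti-virus product; the names verdict, scan and make_zip and all sample data are constructed for illustration, and only zip archives are unpacked.

```python
import io
import zipfile

EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def verdict(data: bytes) -> str:
    """Apply the rule above: alert only when the string starts the file."""
    if data.startswith(EICAR):
        return "alert"
    if EICAR in data:
        return "string-elsewhere"  # a scanner alerting here is false-alarming
    return "clean"


def scan(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, verdict) pairs, unpacking nested zips up to 3 levels."""
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    member = f"{name}!{info.filename}"
                    results += scan(member, zf.read(info), depth + 1)
        return results
    return [(name, verdict(data))]


def make_zip(members: dict, method: int = zipfile.ZIP_STORED) -> bytes:
    """Build a zip archive in memory (hypothetical helper for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples, built in memory; nothing is written to disk.
FAQ_TEXT = b"Type the following into EICAR.COM:\n" + EICAR + b"\n"
SAMPLES = {
    "EICAR.COM": EICAR,                      # string at offset 0
    "faq.txt": FAQ_TEXT,                     # string quoted inside a document
    "stored.zip": make_zip({"EICAR.COM": EICAR, "faq.txt": FAQ_TEXT}),
    "deflated.zip": make_zip({"EICAR.COM": EICAR}, zipfile.ZIP_DEFLATED),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13} raw-substring={EICAR in data!s:5} {scan(name, data)}")
```

A raw substring match fires on faq.txt and on the stored archive (where the string sits after the zip header, not at offset 0), while the unpacking scan alerts only on the archive members that begin with the string.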
 