The EICAR test file was given a shiny new coat of paint this September (2006). Nothing inside the file changed, but the file is no longer “The Anti-virus test file”, it is now “The Anti-Virus or Anti-Malware test file”. Why the change? To answer that let us first look at what the EICAR file is and what it is used for.
The EICAR test file is a file that most anti-virus vendors agreed to detect and treat as if it was a specific type of virus. The file itself is not a virus or harmful at all. The purpose of this file is to be able to test to see if your anti-virus product is functioning properly. There are some other uses for the file – You can pretend like there is a virus outbreak and test your procedures. In a 1999 presentation at Virus Bulletin I demonstrated a few other uses for the test file, but the one thing that the test file will never, ever, be able to do is to tell you anything about the quality of your anti-virus product. If a product detects EICAR it does not mean that the product also detects viruses or anything else. If an anti-virus product does not detect the EICAR test file then the product is not functioning properly, or the product has not been designed to detect the test file. It is entirely possible to have fantastic virus detection and not detect the EICAR test file at all. If a product does not detect the test file the other possibility is the file was not created properly. You can find the rules for making the file at http://www.eicar.org/anti_virus_test_file.htm. You can also download the file there.
So why the change from “The Anti-virus test file” to “The Anti-Virus or Anti-Malware test file”? Today people often use separate products for anti-spyware and other malicious programs and want to know that their anti-spyware or anti-adware program is functioning properly. One approach would have been to create new files for these programs, but there is no reason why they cannot use the EICAR test file as well.
Just remember, the test file does not indicate the quality of a product in anyway. If you hear someone saying that it does then you know they do not understand what they are talking about.
You may have heard of Spycar also. I’ll get to Spycar in another post real soon. Spycar is fundamentally different than EICAR. Like EICAR, Spycar does not tell you how well a product does at detecting spyware. If you hear of someone telling you it does then they do not understand spycar or software testing. Spycar can be used to assess some characteristics of specific types of security products, but it does not tell how effective the product is at detecting or cleaning spyware.
I’ll tell you all about Spycar in an upcoming blog!
Director of Technical Education
Author ESET Research, ESET