

EICAR'S TEST FILE HISTORY

Eddy Willems
EICAR Board Member
Security Evangelist – G DATA Software AG

The 2 most common questions asked:

1. Don’t the anti-virus companies write all the viruses?

2. Will you give me some viruses to test my AV with?

The EICAR test file?

EICAR HISTORY

1990: Inaugural meeting of international experts initiated by Dr. Alan Solomon

1991: 27 September, Cultural Centre of Auderghem in Brussels, Belgium: EICAR was founded (amongst those present were Vesselin Bontchev, Frans Veldman, Tjark Auerbach, Roger Riordan, Paul Ducklin, Alan Solomon, Christoph Fischer etc. ... and me)

First constitution was put together (also a code of ‘good’ conduct)

CARO (Computer Anti-Virus Research Organisation): an informal group of AV experts that preceded the more formal EICAR and was founded by a similar set of people

Historic joint project in the early nineties: creation of the EICAR test file by CARO members and published by EICAR

WHAT IS THE EICAR TEST FILE?

Something you should know if you are coming to this conference ...

First of all: it is not a virus

It’s a tool designed to determine if an antivirus product is installed properly. This is a small .COM file used to test the “effectiveness” and operability of on-access and/or on-demand scanning of an antivirus product.

This tool is an industry recognized testing file.

It gives a feeling of safety: you can test your package without the worry of using real viruses, which could cause problems in a production environment ...

WHERE TO FIND IT?

On the EICAR website: www.eicar.org

Included with AV products in the readme files or documentation

On other anti-virus related websites

The purpose of the EICAR test file, according to the original creators:

• Indicate whether AV is installed ‘correctly’

• Show what happens when the AV finds a virus

• Indicate which messages are displayed or logged

• Show how it handles ‘custom warnings’ and notifications to the system admin over the network

EVOLUTION: THE DEFINITION IN SHORT

The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE").

It is also short and simple - in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the test file should detect it in any file providing that the file starts with the following 68 characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To keep things simple, the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter "O", not the digit zero.

Oh no ....... Problems coming up

EVOLUTION: PROBLEM 1 - A VIRUS NAMED BAT/BWG.A@MM

Internet worm (not actually In The Wild)

Generated by the Batch Worm Generator construction kit

The most interesting thing about this virus is that it is an attack on the EICAR test file. Bat/Bwg.a@MM starts with the EICAR string, which, when the worm is run, generates a "File not found" error, but execution goes on. Many AV products misdetected this virus as the EICAR test file when it first appeared.

EVOLUTION: PROBLEM 2 - DISCUSSIONS ON VARIOUS FORUMS

This event created a lot of debate in various anti-virus forums

Proposals were even made to change the file completely

Most AV vendors made their own changes to ensure they detected the EICAR test file properly ... But was an uncoordinated response enough?

EVOLUTION: THE NEW DEFINITION

The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE").

It is also short and simple - in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the test file should detect it in any file providing that the file starts with the following 68 characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The first 68 characters are the known string. It may optionally be followed by any combination of whitespace characters, with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR and CTRL-Z.

To keep things simple ...

It was released at the beginning of 2003 and published on the site on May 1, 2003
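The two definitions above side by side, as an added example (not code from the page, from EICAR or from the author): a checker that applies the original "starts with the 68 characters" rule next to the 2003 rule (68-character string, optional whitespace-only trailer, at most 128 bytes), run over constructed samples. The samples include the zero-for-O typo the slides warn about, a file that merely starts with the string and then continues (the Problem 1 case), and a file with one byte changed.

```python
# Checker for the EICAR test file specification, contrasting the original
# "starts with the 68 characters" rule with the 2003 definition (68-character
# string, optional trailing whitespace, total length at most 128 bytes).
# Added example for this page; not code from EICAR or the author.
# All sample inputs below are constructed for illustration.

EICAR_STRING = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")  # space, tab, LF, CR, CTRL-Z
MAX_LENGTH = 128


def matches_original_definition(data: bytes) -> bool:
    """Pre-2003 rule: anything that starts with the 68 characters qualifies."""
    return data.startswith(EICAR_STRING)


def check_2003(data: bytes) -> tuple[bool, str]:
    """2003 rule: return (valid, reason) for a candidate test file."""
    if len(data) > MAX_LENGTH:
        return False, f"length {len(data)} exceeds the 128-byte limit"
    if data[:3] == b"X50":  # the classic typing mistake called out in the spec
        return False, "third character must be the capital letter O, not a zero"
    if data[:68] != EICAR_STRING:
        return False, "first 68 characters differ from the test string"
    bad = [b for b in data[68:] if b not in ALLOWED_TRAILER]
    if bad:
        return False, f"trailer contains disallowed byte 0x{bad[0]:02x}"
    return True, "valid EICAR test file"


# Constructed samples: name -> file contents
SAMPLES = {
    "canonical": EICAR_STRING,
    "crlf_terminated": EICAR_STRING + b"\r\n",
    "padded_to_128": EICAR_STRING + b" " * 60,
    "padded_to_129": EICAR_STRING + b" " * 61,
    "zero_instead_of_o": b"X50" + EICAR_STRING[3:],
    "one_byte_changed": EICAR_STRING[:30] + b"x" + EICAR_STRING[31:],
    "string_then_other_text": EICAR_STRING + b"\r\nMORE TEXT HERE\r\n",
}


def evaluate_samples() -> dict[str, tuple[bool, bool]]:
    """Map each sample to (original rule matches, 2003 rule valid)."""
    return {name: (matches_original_definition(d), check_2003(d)[0])
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, new) in evaluate_samples().items():
        print(f"{name:24s} original={orig!s:5s} 2003={new}")
```

Only the last two rows differ between the rules: the original definition accepts a file that starts with the string and carries on, while the 2003 definition rejects it, and a padding trailer that pushes the file past 128 bytes is rejected too.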

SUMMARY CUM LAUDE

Close to eradicating the risk of EICAR false negatives altogether

Can’t prevent inappropriate use in ways that were never intended => misreading or ignoring the formal specification!

+++

And 2 years later Microsoft asked whether they could include the EICAR test file within their anti-spyware product at that time!

=> So it became an anti-malware test file

Other attempts ... other tests

FUN PART 1 DOREN ROSENTHAL UTILITIES

Based on a false premise: detection of a real virus = detection of a simulation

Registered version included a real virus!

AV industry forced to add detection of a non-virus because some testers were using this for detection testing....

FUN PART 2A SPYCAR

See http://www.spycar.org

Intended to test anti-spyware programs by observing their response to certain behaviours, using non-malicious tools

They illustrate clearly the difference between an installation check file like EICAR and an attempt to create a different kind of tool for evaluating products

In practice: limited use, because vendors can and do write detections based on behaviour as well as static signatures

FUN PART 2B CLOUDCAR

Intended to test the in-the-cloud detection of anti-malware programs

Not a standard

Nobody knows about it …

FUN PART 3 POSTINGS TO ALT.COMP.VIRUS, BUGTRAQ, ETC

The poster (using the handle “keepitsecret”) went on to suggest that “using ESATF ["EICAR Standard Antivirus Test File"] is a cool and legal way to learn how AVs do their job”

Zipped the file, changed some characters ... Results:
EICAR_Test (modified).
N/D. [the poster’s shorthand for Not Detected or a similar message]
N/D.
EICAR_Test_File.unknown?
N/D.
N/D.
EICAR-AV-TEST-FILE.
N/D.
N/D.

“Only three AVs are aware of the alteration! Are others using the original ESATF string as signature? If so, it's not very clever (should they learn about wildcard string? For the "fun", they could have searched for the EICAR? pattern!)...”

(Suggests: add NOP, JMP instructions, etc .... Even worse)

He was clearly unaware of the strict specification of the EICAR test file

I LOVE PARIS...

FUN PART 4 OBSCURITY AND THE CITY OF LIGHT

Final presentation at EICAR 2010 (Paris)

Based on one of the PWN2KILL contest attacks

EICAR file not detected by on-demand scan ... when:
When its bytes are changed
When split into two parts
When the EICAR string is incorporated into data
When cryptographic or polymorphic techniques are used
When characters are added to the file.

Which is what the AV industry would have expected, of course ...

Conclusion

• EICAR test file is intended as an installation check, not for detection testing

• Doesn’t prove that the product is correctly installed and configured

• It’s detected even on platforms where it can’t execute natively (e.g. Mac OS)

• Tight specification: any modification invalidates the test

• You can use it for testing characteristics/issues related to detection, but it is generally inappropriate in a comparative test

• Scanners can behave differently when detecting the EICAR test file and when detecting real malware

And also…

• How your software is or could be deployed locally (and to a lesser extent, configured)

• Monitoring or demonstrating incident-handling procedures in the context of corporate security

As a tool for comparative evaluation, however, given the limitations imposed by its formal definition, we see little use for it in its present form.

• That doesn’t mean there may not be other ways to create tools for product evaluation, but this possibility is not handled in this presentation.

Thanks for your attention

Questions?

Twitter: @EddyWillems
