From TNPC issue #3.24...

Safely Testing Your AntiVirus Package with the EICAR Test File

by Lee Hudspeth
November 30, 2000

Have you ever tested your anti-virus software?

I recently upgraded from Norton AntiVirus 2000 version 6.0 to Norton AntiVirus 2001 version 7.0. While configuring the new version, I remembered having previously tested one or more anti- virus packages using the EICAR anti-virus test file, and set about to remember what it was I did before. ("EICAR" stands for European Institute for Computer Anti-Virus Research.) Sadly, Norton's help file doesn't get you very far on search terms like "test", "probe", or "validate". You have to open up the Readme.txt to find it.

That file states, "To create a harmless text file that will be detected as a virus, which you can use to verify detection of viruses, logging, and alert functioning, visit this site:"
http://www.TheNakedPC.com/t/324/tr.cgi?eicar1

Also, a quick search on the Internet like this:

+"anti-virus" +"test file"

will take you right where you need to go.

As you read the aforementioned Web page, you can learn about the history behind the obvious need for an innocuous anti-virus test file. The really fun part is downloading the four versions of the EICAR test file and scanning them to see how well your anti-virus program performs. Here are descriptions of the four files, and the test results on my production PC. (Test configuration: Windows 98 SE 4.10.2222 A and Norton AntiVirus 2001 version 7.00.51F with auto-protect and email protection features turned on.)

1. Eicar.com -- a legitimate DOS program that actually produces sensible results when you run it; it contains the EICAR test string.

RESULT:  Norton passed.

When I started the download Norton correctly halted the download, produced an alert that the file was infected with "EICAR Test String.68", and recommended that I repair the infected file.

2. Eicar.com.txt -- a copy of EICAR.com with a different filename; according to EICAR, "[provided because] some readers reported problems when downloading the first file, which can be circumvented when using the second version."

RESULT:  Norton passed.

Immediately upon renaming the file to EICAR.com, same results as #1 above.

3. Eicar_com.zip -- contains the test file inside a zip; use to test your anti-virus program's ability to see a virus inside an archive.

RESULT:  Norton passed.

When I scanned the folder containing the archive, Norton correctly reported an infection with "EICAR Test String.68". Clicking the "Virus Info" button reports, "THIS IS NOT A VIRUS. The EICAR Test File is an internationally recognized, non-virus code string included for analysis purposes only. Again, THIS IS NOT A VIRUS."

4. Eicarcom2.zip -- contains the third file (EICAR_com.zip) inside a zip; use to test your anti-virus program's ability to see a virus inside a multi-level archive.

RESULT:  Norton passed.

When I scanned the folder containing the archived archive, Norton behaved correctly just as it did with file #3.

Drop me a line and let me know how your anti-virus program fares against these EICAR test files.

Norton Anti-Virus at Amazon.com:
http://www.TheNakedPC.com/t/324/tr.cgi?amazon1

You can reach Lee Hudspeth at:
mailto:leehudspeth@TheNakedPC.com

Return to Top

TNPC Hot Tips:

• Email out of control? Spam filling your inbox? People trying to steal your identity? Same here - until I applied these tips. You can too in a new multimedia e-book. Tame Your Email.

• DO YOU MAKE THESE MONEY MISTAKES? Do you know that trying to pay off your high interest rate debts first and/or paying extra on more than one debt is the SLOWEST way to get out of debt? Don't make these same mistakes. Learn more at by clicking here...