What is the EICAR test file and how does it work?

Antivirus software is a key component of any decent cybersecurity strategy, whether it’s used to protect a large organization or a personal device from external attacks. There are hundreds of antivirus software solutions out there, and most of them work on the same basic principle: they detect, quarantine, and remove malicious code.


But is there a way to check if an antivirus program is working properly? The answer is yes, and it involves something called an EICAR test file.


What is the EICAR test file?

In simple terms, EICAR test file is a computer file that was developed to test the response of anti-virus (anti-malware) products. It is not a real computer virus, but it mimics malware and thus allows for safe and effective testing.

The EICAR test file was developed by the European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO). Both organizations have been around since the early 1990s and focus on malware research.

How to test your antivirus with the EICAR test file

To download the EICAR test file and check if your antivirus is good, go to eicar.org. The site provides four different files to download: eicar.com, eicar.com.txt, eicar_com.zip, and eicarcom2.zip. It is strongly recommended that you download each one and let your antivirus do what it is supposed to do.

The first file, eicar.com, is 68 bytes long and contains the following ASCII string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*. The second file is a copy of this file, with a different filename. The third file, eicar_com.zip, is a ZIP archive file that has to be unzipped to access the actual “virus.” The fourth file contains the third file. So, in eicarcom2.zip, the EICAR test file itself is hidden beneath two layers of ZIP files.

If you try to download any of these files and your antivirus software blocks the download, then it is doing its job properly. However, if you really want to test it, disable your antivirus for a moment, download the fourth file (the one that has two ZIP layers), and then scan it to see whether the product you’re using is capable of penetrating through these multiple layers and detecting what is supposed to be malicious code.

Good antivirus software will immediately detect and then quarantine or delete the EICAR test file.

What if your antivirus does not detect the EICAR test file?

If your antivirus package doesn’t detect the EICAR test file for some reason, it’s most likely not good enough, not working properly, or simply hasn’t been updated in quite some time. However, there are some exceptions. For example, Malwarebytes, which is a good and reliable anti-malware product, does not always recognize the EICAR test file as malicious.

Malwarebytes said in 2016 that “detecting EICAR strings means nothing in terms of testing a product’s real-world effectiveness against threats.” According to the company, the EICAR experiment can only show whether an antivirus program can use a pattern-matching signature, but even if it can, that doesn’t mean it can stop more sophisticated malware attacks that employ certain signature obfuscation and evasion techniques.

How to test your antimalware software

Malwarebytes’ review may have some merit, but other than that, the EICAR test file can still come in handy when it comes to testing your antivirus software’s response to potential threats.

Still, it goes without saying that you should stay away from suspicious websites, avoid downloading anything from unknown sources and never click on suspicious links or email attachments.

Regardless of the anti-malware product you use, be sure to update it regularly and keep an eye on the latest trends in cybersecurity. All that said, there are other ways to test antivirus software without putting your device or personal information at risk.

Leave a Comment