Testing Product Operation

The EICAR (European Institute for Computer Anti-Virus Research) test helps test the operation of anti-virus programs that detect viruses using signatures. The test was designed specifically so that users can check how an installed anti-virus reacts to a detected virus without putting their computers at risk.

Although the EICAR test program is not actually malware, most anti-virus programs treat it as a virus. Dr.Web anti-virus products report the following upon detection of this “virus”: EICAR Test File (NOT a Virus!). Other anti-virus tools alert users in a similar way. The EICAR test program is a 68-byte .com file for MS-DOS/Windows that, when run, outputs the following message to the console or to the terminal screen:

EICAR-STANDARD-ANTIVIRUS-TEST-FILE!

The test program body contains only text characters that form the following string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

If you create a text file consisting of the string above, the result is a program that is detected as a “virus”.

If Dr.Web for Linux operates correctly, this file must be detected during a file system scan regardless of the scan type, and the user must be notified of the detected threat: EICAR Test File (NOT a Virus!).

An example of the command that checks operation of Dr.Web for Linux using the EICAR test program:

$ tail /opt/drweb.com/share/doc/drweb-se/readme.eicar | grep X5O > testfile && drweb-ctl scan testfile && rm testfile

This command extracts the string that represents the body of the EICAR test program from the file /opt/drweb.com/share/doc/drweb-se/readme.eicar (supplied with Dr.Web for Linux), writes it to a file named testfile in the current directory, scans the resulting file, and removes it afterwards.

The test above requires write access to the current directory. In addition, make sure that the directory does not already contain a file named testfile, because the command overwrites that file and then deletes it (if necessary, change the file name in the command).

If a test “virus” is detected, the following message is displayed:

<path to the current directory>/testfile - infected with EICAR Test File (NOT a Virus!)

If an error occurs during the test, refer to the description of known errors.

If the SpIDer Guard file monitor is enabled, the file can be deleted or quarantined immediately upon detection of the threat (depending on the configuration of the component). In this case, the rm command reports that the file is missing, which indicates that the monitor operates correctly.
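
The same check as a reusable script, added here as an example and not part of the Dr.Web documentation: it works in a temporary directory so that no existing testfile is touched, verifies the length of the extracted string, and tells detection by the scanner apart from removal by SpIDer Guard. The readme path, the drweb-ctl scan call and the detection message are taken from this page; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example, not Dr.Web's own code. Path, scan command and message text
# come from the page; function names and result labels are hypothetical.
README=/opt/drweb.com/share/doc/drweb-se/readme.eicar
EXPECTED='infected with EICAR Test File (NOT a Virus!)'

# Succeeds if file $1 holds a 68-character line starting with "X5O!"
# (line endings ignored). A sanity check on the extraction, not a signature.
looks_like_eicar() {
    [ -f "$1" ] || return 1
    size=$(tr -d '\r\n' < "$1" | wc -c | tr -d ' ')
    [ "$size" -eq 68 ] || return 1
    IFS= read -r line < "$1" || true
    case $line in 'X5O!'*) return 0 ;; *) return 1 ;; esac
}

# Classifies scanner output $1 for test file $2.
# Prints detected, removed-by-monitor or missed.
classify_result() {
    if printf '%s\n' "$1" | grep -F -q -- "$EXPECTED"; then
        echo detected
    elif [ ! -e "$2" ]; then
        echo removed-by-monitor   # SpIDer Guard deleted or quarantined it
    else
        echo missed
    fi
}

# Runs the test in a private temporary directory; returns 0 unless missed,
# 2 if the test file could not be prepared.
run_eicar_test() {
    dir=$(mktemp -d) || return 2
    f="$dir/testfile"
    tail "$README" | grep X5O > "$f" || { rm -rf "$dir"; return 2; }
    if looks_like_eicar "$f"; then
        # The exit status of drweb-ctl is not relied on; only its output is.
        out=$(drweb-ctl scan "$f" 2>&1) || true
        result=$(classify_result "$out" "$f")
    elif [ ! -e "$f" ]; then
        result=removed-by-monitor   # removed before the scan started
    else
        rm -rf "$dir"; return 2
    fi
    rm -rf "$dir"
    echo "$result"
    [ "$result" != missed ]
}

if [ "${1:-}" = run ]; then run_eicar_test; fi   # usage: sh <this script> run
```

A result of missed means that the file was still present after the scan and the expected message did not appear in the scanner output.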