EICAR test file and its modifications
March 25, 2022
ID 17365
This test file was developed by (The European Institute for Computer Antivirus Research) for the testing of anti-virus products.
The test file IS NOT A VIRUS because it does not contain code that can harm your computer. However, most anti-virus products identify this file as a virus.
Never use real viruses to test the operation of an anti-virus product!
You can download the test file from the official web site of EICAR at http://www.eicar.org/anti_virus_test_file.htm.
Before you download the file you must disable the computer’s anti-virus protection, otherwise the application will identify and process the file anti_virus_test_file.htm as an infected object transferred via the HTTP protocol.
Do not forget to enable the anti-virus protection immediately after you download the test file.
The application identifies the files downloaded from the EICAR site as an infected object containing a virus that cannot be disinfected and performs the actions specified for such an object.
You can also modify the standard test file to verify the operation of Kaspersky Anti-Virus. To do so, change the content of the standard file by adding one of the prefixes to it (see table below). You can use any text or hypertext editor to create modifications of the test file.
You can verify that the anti-virus application works properly using the modified EICAR file only if your anti-virus databases were last updated on or after October 24, 2003 (October, 2003 cumulative updates).
In the table below, the first column contains the prefixes that must be added at the start of the standard test file string. The second column lists the possible status values that Kaspersky Anti-Virus can assign to the object, based on the results of the scan. The third column indicates how the application processes objects with the specified status. Note that actions on objects are defined by the settings in Kaspersky Anti-Virus.
After you have added a prefix to the test file, save the new file under a different name, for example: eicar_dele.com. Assign similar names to all modified test files.
Test file modifications
Prefix | Object status | Object processing information |
|---|---|---|
No prefix, standard test file. | Cannot be disinfected. Object contains code of a known virus. You cannot disinfect the object. | Kaspersky Anti-Virus identifies this object as a virus that cannot be disinfected and takes the appropriate action. |
CORR- | Corrupted. | Kaspersky Anti-Virus was able to access the object, but unable to scan it because the object is corrupted (for example, the file structure is corrupted or file format is invalid). |
ERRO- | Scanning error. An error occurred during a scan of an object. | Kaspersky Anti-Virus could not gain access to the object: the object is invalid (for example, a multi-volume archive has no end) or no connection can be established with the object. |
CURE- | Disinfectable. Object contains code of a known virus. | Object contains a virus that can be disinfected. Kaspersky Anti-Virus disinfects the object; the text of the test file body is replaced with the word CURE. |
