Testing Symantec Scan Engine 5.x with the EICAR test virus

Article:TECH134229  |  Created: 2010-01-24  |  Updated: 2010-01-24  |  Article URL http://www.symantec.com/docs/TECH134229
Article Type
Technical Solution


Issue



What to expect when testing Symantec Scan Engine 5.x with the Eicar test virus?


Solution



Symantec Scan Engine is able to catch the eicar test string in a file, the eicar string being, "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* ". Although this eicar test file cannot have any characters before the eicar string, or it will no longer be considered the eicar test virus and will not be caught by Symantec Scan Engine. The only characters that can be placed after the eicar string are space characters, tab, LF, CR, but the total length of the file cannot exceed 128 characters, or again it will no longer be considered the eicar test virus and will not be caught by Symantec Scan Engine.



Technical Information
This is a quote from the eicar site, and what to expect from AV products that support the eicar test virus,


“Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. “



Legacy ID



2010062413254754


Article URL http://www.symantec.com/docs/TECH134229


Terms of use for this information are found in Legal Notices