How to test if your Anti-virus program is legitimate

WARNING!!!
This will trigger alerts in legitimate antivirus and endpoint detection systems, so I do not recommend testing this in a corporate environment!

There are a lot of fake antivirus programs out there, and some websites even push users to install various "antivirus" software to protect them from threats.

You might already have an antivirus installed, a paid or a free version, or you may just be using Windows Defender :D

No offense, but there's a saying: if Windows Defender says a file is malicious, it's definitely malicious! :D

I'm not going to go into detail about Windows Defender, but there is a way to test whether your antivirus solution is actually worth having and capable of detecting threats as it claims, or whether it is itself a Trojan.

You can test whether your antivirus program catches malware by actually detonating malware on your PC (NOT RECOMMENDED!), or you can create a test file to test the theory!

Using real viruses for testing in the real world is rather like setting fire to the dustbin in your office to see whether the smoke detector is working. Such a test will give meaningful results, but with unappealing, unacceptable risks.

EICAR Standard Anti-Virus Test File

This test file is safe to distribute since it is not a virus and contains no viral code fragments.
Most AV products react to it as if it were a virus (though they usually report it with a descriptive term like “EICAR-AV-Test”).

In fact, you can simply open Notepad, paste the following exactly as it is and save; if your antivirus is any good, it will detect it as a threat as soon as you save!

Additional characters (other characters, spaces, or line breaks) will produce a different hash, and your test file will not be effective.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

You can save this as "eicar.com". When run, the file is a valid DOS program that produces a useful result: it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

Got flagged in a trial version of a well-known AV
Hash of eicar.com:
SHA-256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F
MD5: 44D88612FEA8A8F36DE82E1278ABB02F
SHA-1: 3395856CE81F2B7382DEE72602F798B642F14140

It is also short and simple: in fact, it is made up entirely of printable ASCII characters and can be written with a standard text editor.
Any anti-virus solution that supports the EICAR test file should identify it in any file that begins with the 68 characters shown above and is exactly 68 bytes long:

The known string consists of the first 68 characters.
It may optionally be followed by any combination of whitespace characters, with the overall file length not exceeding 128 characters.
The only whitespace characters permitted are the space character, tab, LF, CR, and CTRL-Z.

To keep things simple, the file uses only upper-case letters, numerals, and punctuation marks, with no spaces.

The only thing to keep in mind while typing the test file is that the third character is the capital letter "O", not the numeral zero.

If the scanner is good, it will detect the test file inside a zip archive, and maybe even inside a zip archive nested within another zip archive.
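The following script is an added example, not part of the original post or of the EICAR project: it builds the 68-byte test file in binary mode, checks a candidate file against the rule described above (exact 68-character prefix, optional trailing space/tab/LF/CR/CTRL-Z, at most 128 bytes), flags the common "zero instead of capital O" typo, compares the digests against the hashes listed above, and wraps the file in one or two zip levels for the archive test. Function names are my own; the string is assembled from two halves only so that the script's own source file is less likely to be quarantined the moment it is saved, and the mis-typed candidate in the usage section is a constructed input.

```python
import hashlib
import io
import zipfile

# The 68-character EICAR string, assembled from two halves so this script's
# source is less likely to be quarantined on save. The assembled bytes are the
# exact string from the post (note the capital O in "X5O", not a zero).
EICAR_HEAD = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = (EICAR_HEAD + EICAR_TAIL).encode("ascii")
assert len(EICAR) == 68

# Trailing bytes the EICAR rule permits after the string: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILING = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128

# Published digests of the bare 68-byte file (lowercase hex, same values as the post).
KNOWN_HASHES = {
    "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
    "md5": "44d88612fea8a8f36de82e1278abb02f",
}


def digests(data: bytes) -> dict:
    """Return sha256/sha1/md5 hex digests of data, keyed like KNOWN_HASHES."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in KNOWN_HASHES}


def is_eicar(data: bytes) -> bool:
    """Detection rule: starts with the 68-byte string, anything after it is
    only permitted whitespace, and the whole file is at most 128 bytes."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILING for b in data[len(EICAR):])


def diagnose(data: bytes) -> str:
    """Explain why a hand-typed candidate does or does not qualify."""
    if is_eicar(data):
        return "valid EICAR test file"
    if data[:2] == b"X5" and data[2:3] == b"0":
        return "third character is the digit 0; it must be the capital letter O"
    if not data.startswith(EICAR):
        return "does not start with the exact 68-character string"
    if len(data) > MAX_LEN:
        return f"file is {len(data)} bytes; the limit is {MAX_LEN}"
    bad = next(b for b in data[len(EICAR):] if b not in ALLOWED_TRAILING)
    return f"disallowed trailing byte 0x{bad:02x} after the string"


def write_test_file(path: str) -> None:
    """Write the bare 68-byte file in binary mode so no BOM or newline sneaks in."""
    with open(path, "wb") as fh:
        fh.write(EICAR)


def nested_zip(data: bytes, depth: int, name: str = "eicar.com") -> bytes:
    """Wrap data in `depth` zip levels to exercise archive scanning
    (depth=1 is the single zip, depth=2 the double zip from the post)."""
    payload, inner_name = data, name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name, payload)
        payload, inner_name = buf.getvalue(), f"level{level + 1}.zip"
    return payload


def unwrap_zip(blob: bytes, depth: int) -> bytes:
    """Reverse nested_zip: open `depth` archives and return the innermost member."""
    for _ in range(depth):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            blob = zf.read(zf.namelist()[0])
    return blob


if __name__ == "__main__":
    print("digests match published values:", digests(EICAR) == KNOWN_HASHES)
    # Constructed mis-typed candidate: a zero as the third character.
    print(diagnose(b"X50" + EICAR[3:]))
    # A CRLF appended by an editor is still within the rule.
    print(diagnose(EICAR + b"\r\n"))
    print("double-zip round trip ok:", unwrap_zip(nested_zip(EICAR, 2), 2) == EICAR)
```

Writing in binary mode matters because a text-mode save can add a UTF-8 BOM or convert line endings, and a BOM in particular breaks the "begins with the 68 characters" rule even though the string itself is intact. Compare the digests only against the bare 68-byte file; any permitted trailing whitespace still counts as EICAR for a scanner but will not reproduce the published hashes.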

Once found, the scanner may prevent you from accessing the file(s).
The scanner may not even allow you to erase the files.

This is triggered by the scanner, which quarantines the file.
The test file will be treated the same as any other virus-infected file.

If you learnt something new, consider following me from
>> Hasanka Amarasinghe <<
to help the algorithm :)
