╔═══════════════════════════════════════
║ Instructions - Antimalware On-Access Scanner Test - Self-Contained
┌───────────────────────────────────────
│ Plainspeak
• This document allows you to immediately test your antimalware software's on-access scanner:
· Without configuring antimalware exclusions.
· Without accessing the EICAR web site.
· Without accessing the Internet.
· Using the 'Run' dialog, the command line, or a Windows shortcut.
• This document, itself, will not be detected as an EICAR threat despite the apparent EICAR string contained within it.
· The inert EICAR variant string in this document contains two caret characters '^', whereas EICAR contains only one.
· Do not alter the inert EICAR variant string in this document or in the command lines indicated.
• This inert EICAR variant test may be executed using utilities such as Windows Scheduled Tasks, psexec.exe, login script, etc., to canvass an organization for antimalware on-access scanner health.
┌───────────────────────────────────────
│ References
• EICAR
• EICAR Anti-malware Test File
┌───────────────────────────────────────
│ Test Using the 'Run' Dialog or cmd.exe Prompt
• In the 'Run' dialog box, execute:
%COMSPEC% /C "ECHO X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >%TEMP%\EICAR.EXE"
· A detection should result if exclusions and scan categories do not deliberately prevent scanning of the target file.
· The antimalware on-access scanner should eventually detect the target file after any configured write-scan delay interval passes.
· Some antimalware software will not generate a user alert for quickly-repeated identical detections generated within a short time period.
· Verify any quickly-repeated detections within the antimalware software's log files.
• The command can be reissued from the cmd.exe buffer.
┌───────────────────────────────────────
│ Test Using a Windows Shortcut
• In File Explorer, create a new Windows shortcut: PSPro's.EICAR.Test.Generator
· In the Target field, enter:
%COMSPEC% /C "ECHO X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >%TEMP%\EICAR.EXE"
· In the 'Start in' field, enter: %WINDIR%
· Click: OK
• Optional:
· Assign a distinctive icon to the Windows shortcut from a Windows icon resource file present and resolvable on all Windows systems.
· Recommended: imageres.dll, fourth page, top row, red shield with white 'x' marking.
• In File Explorer, execute the Windows shortcut.
· A detection should result if exclusions and scan categories do not deliberately prevent scanning of the target file.
· The antimalware on-access scanner should eventually detect the target file after any configured write-scan delay interval passes.
· Some antimalware software will not generate a user alert for quickly-repeated identical detections generated within a short time period.
· Verify any quickly-repeated detections within the antimalware software's log files.
• This Windows shortcut may be executed from any local or shared file system location.
┌───────────────────────────────────────
│ Test Steps Explained
• %COMSPEC% /C "<content below>"
· Start the command interpreter (cmd.exe), execute the content within double-quotes, and then exit.
• ECHO X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >%TEMP%\EICAR.EXE
· The command interpreter (cmd.exe) creates the target file '%TEMP%\EICAR.EXE' using the EICAR variant string as input.
· cmd.exe's escape character is the caret.
· The EICAR variant string contains two carets.
· One caret will be removed by cmd.exe as an escape character.
· cmd.exe creates the target file content with one caret.
· This effectively 'reconstitutes' the true, detectable EICAR string within the target file content.
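• Added example (not part of the original document or its author's work): a PowerShell check for the canvassing use mentioned under 'Plainspeak'. It issues the same command line unchanged, waits out the write-scan delay, and reports what the on-access scanner did. The 30-second wait and the control file name are assumptions.

```powershell
# Added example. Reuses the document's inert two-caret command line unchanged
# and reports what the on-access scanner did with %TEMP%\EICAR.EXE.
$target  = Join-Path $env:TEMP 'EICAR.EXE'
$control = Join-Path $env:TEMP 'EICAR-control.txt'   # hypothetical benign control file
$waitSec = 30                                        # assumption: exceeds any write-scan delay

# Single quotes keep PowerShell from expanding '$' or touching the carets.
$inner = 'ECHO X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >%TEMP%\EICAR.EXE'

# Start clean so a stale file from an earlier run cannot skew the result.
Remove-Item -LiteralPath $target, $control -Force -ErrorAction SilentlyContinue

# Control write: proves %TEMP% is writable, so a missing target means the
# scanner acted rather than the write simply failing.
Set-Content -LiteralPath $control -Value 'benign control' -ErrorAction SilentlyContinue
$tempWritable = Test-Path -LiteralPath $control
Remove-Item -LiteralPath $control -Force -ErrorAction SilentlyContinue

# Same command line the 'Run' dialog receives; cmd.exe reduces '^^' to '^'.
Start-Process -FilePath $env:COMSPEC -ArgumentList "/C `"$inner`"" -WindowStyle Hidden -Wait
Start-Sleep -Seconds $waitSec

if (-not $tempWritable) {
    $result = 'INCONCLUSIVE: %TEMP% is not writable'
} elseif (-not (Test-Path -LiteralPath $target)) {
    $result = 'PASS: target file blocked, removed or quarantined'
} else {
    try {
        # A scanner that blocks on open makes this read throw.
        [void][System.IO.File]::ReadAllBytes($target)
        $result = 'FAIL: target file present and readable'
        Remove-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
    } catch {
        $result = 'PASS: target file present but access denied'
    }
}

# One line per host, suitable for collection by a scheduled task or login script.
"$env:COMPUTERNAME $(Get-Date -Format s) $result"
if ($result -notlike 'PASS*') { exit 1 }
```

· A PASS here only shows that the file was blocked or removed; confirm the detection itself in the antimalware software's log files, as described above.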
┌───────────────────────────────────────
│ Credits
Any external referenced material in this document is hyperlinked. Authors responsible for referenced work should be sought through the reference(s) listed.
I am Christopher Etter, a Professional Services consultant.
Because you are using this, I welcome you as my customer. These documents are free for you to use. I work diligently to serve you with material such as this. I would appreciate it if PSPRO (professionalservices.pro), my name, and this 'Credits' section remain attached to this work so that I accrue name recognition via your success and peer recommendation. Thank you very much, and I hope this document helps you solve your current information technology issue!