Thursday, September 6, 2018

You Suck. You Can’t Even Detect EICAR!


It is amazing that so many people *think* that they know how to use the EICAR test file without knowing the very first thing about the file. If you do not know that detection of the EICAR test file is a false positive then you do not know the very first thing about the file.

The EICAR test file was designed as a deliberate false positive. It drives me nuts when I see someone write “this product can’t even detect EICAR.” Guess what: no product has to. Perhaps the vendor chose not to. It is a choice that does not say anything about quality. That complaint literally amounts to saying a product sucks because it did not ship one particular string signature.

If a product you test does not detect the EICAR test file, the first step is to find out whether it is designed to. If not, then the test is not applicable to your product. If your product is designed to detect the file and it does not, you just learned what the file was designed to indicate: you have a problem. That problem may actually be a corrupted installation, a conflict with another product, or some other issue.
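To make concrete what “detecting EICAR” really is, here is an added example of my own (not Randy’s text and not Webroot code): a minimal check that implements the published EICAR test-file rules, which are nothing more than an exact byte comparison at the start of the file, optional trailing whitespace, and a 128-byte size cap. It also shows the step from the previous paragraph of checking the test file itself before blaming the product: a file saved with a BOM, with extra text after the string, or padded past 128 bytes is not a valid EICAR test file, and a spec-compliant product is right not to flag it. The function names (`is_eicar_test_file`, `explain`, `scan_samples`) and the sample files are my own constructions.

```python
# Added example (not from the original post): a string-signature check that
# implements the published EICAR test-file rules, to show what "detecting
# EICAR" actually is: an exact byte comparison, nothing more.

# The 68-byte EICAR string is assembled from two literals so that this
# source file does not itself contain the contiguous signature on disk.
EICAR_PART1 = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_PART2 = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_STRING = EICAR_PART1 + EICAR_PART2          # 68 bytes

# Per the EICAR specification, only these bytes may follow the string,
# and the whole file must not exceed 128 bytes.
ALLOWED_TRAILING = b" \t\n\r\x1a"                  # space, tab, LF, CR, CTRL-Z
MAX_LENGTH = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True if `data` is a well-formed EICAR test file: it starts with the
    68-byte string, any remainder is permitted whitespace, length <= 128."""
    if len(data) > MAX_LENGTH or not data.startswith(EICAR_STRING):
        return False
    trailer = data[len(EICAR_STRING):]
    return all(byte in ALLOWED_TRAILING for byte in trailer)


def explain(data: bytes) -> str:
    """Classify a candidate file so a tester can tell a malformed test file
    apart from a product that genuinely failed to match the signature."""
    if is_eicar_test_file(data):
        return "valid-eicar"
    if data.startswith(EICAR_STRING):
        if len(data) > MAX_LENGTH:
            return "malformed: longer than 128 bytes"
        return "malformed: non-whitespace bytes after the string"
    if EICAR_STRING in data:
        return "malformed: string is not at the start of the file"
    return "not-eicar"


# Constructed sample inputs: hypothetical files a tester might have produced.
SAMPLES = {
    "exact":         EICAR_STRING,
    "crlf":          EICAR_STRING + b"\r\n",
    "padded-128":    EICAR_STRING + b" " * (MAX_LENGTH - len(EICAR_STRING)),
    "padded-129":    EICAR_STRING + b" " * (MAX_LENGTH - len(EICAR_STRING) + 1),
    "utf8-bom":      b"\xef\xbb\xbf" + EICAR_STRING,     # editor added a BOM
    "comment-after": EICAR_STRING + b"  # test file",    # editor added text
    "plain-text":    b"This file is not a test file at all.",
}


def scan_samples() -> dict:
    """Run the signature check over every constructed sample."""
    return {name: explain(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Note what this check does not do: it never looks at behaviour, structure, or anything else that a real detection engine reasons about. A vendor that leaves this one comparison out has made a product decision, not failed a quality bar; a vendor that includes it and still misses a file that `explain` reports as `valid-eicar` has the installation or conflict problem described above.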

If you do not understand that the EICAR test file is a false positive, then please read EICAR – The Most Common False Positive in the World. And then share it with people who try to extrapolate anything about product quality from EICAR detection.

Randy Abrams
Senior Security Analyst
Webroot