It is amazing that so many people *think* that they know how
to use the EICAR test file without knowing the very first thing about the file. If
you do not know that detection of the EICAR test file is a false positive then
you do not know the very first thing about the file.
The EICAR test file was designed as a deliberate false positive. It
drives me nuts when I see someone write “this product can’t even detect EICAR.”
Guess what, no product has to. Perhaps the vendor chose not to. It is a choice
that does not say anything about quality. It literally is saying that a product
sucks because it did not use a string signature.
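To make concrete what detecting EICAR by "a string signature" amounts to, here is an added Python example (not Randy Abrams's code or any vendor's engine) that applies the published EICAR matching rules: the file begins with the 68-byte test string, is at most 128 bytes long, and anything after the string is whitespace. The verdict label and the constructed sample inputs are assumptions for illustration.

```python
# Added illustration of a string-signature check for the EICAR test file.
# A match here is the deliberate false positive the article describes; it
# says nothing about a scanner's ability to detect actual malware.

# The public 68-byte EICAR standard test string (backslash escaped for Python).
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
MAX_EICAR_SIZE = 128  # the test file may be padded with whitespace up to this size


def is_eicar_test_file(data: bytes) -> bool:
    """Return True if `data` is a well-formed EICAR test file.

    Rules: the file starts with the 68-byte string, is no longer than 128
    bytes, and every byte after the string is whitespace. A copy embedded
    mid-file or padded beyond 128 bytes is not a valid test file.
    """
    if len(data) > MAX_EICAR_SIZE or not data.startswith(EICAR_SIGNATURE):
        return False
    trailer = data[len(EICAR_SIGNATURE):]
    return trailer.strip(b" \t\r\n") == b""


def scan(data: bytes) -> str:
    """Verdict a pure string-signature scanner would give (label is assumed)."""
    return "EICAR-Test-File (not a virus)" if is_eicar_test_file(data) else "clean"


if __name__ == "__main__":
    # Constructed sample inputs covering the exact string and its edge cases.
    samples = {
        "exact string": EICAR_SIGNATURE,
        "trailing CRLF": EICAR_SIGNATURE + b"\r\n",
        "padded past 128": EICAR_SIGNATURE + b" " * 100,
        "embedded mid-file": b"prefix " + EICAR_SIGNATURE,
        "ordinary text": b"hello world",
    }
    for name, blob in samples.items():
        print(f"{name:18s} -> {scan(blob)}")
```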
If a product you test does not detect the EICAR test file,
the first step is to find out whether it is designed to. If not, then the test is
not applicable to your product. If your product is designed to detect the file
and it does not, you just learned what the file was designed to indicate: you
have a problem. The cause may be a corrupted installation, a
conflict with another product, or something else entirely.
If you do not understand that the EICAR test file is a false
positive, then please read "EICAR – The Most Common False Positive in the World". And then share it
with people who try to extrapolate anything about product quality from EICAR
detection.
Randy Abrams
Senior Security Analyst
Webroot
Nice article, as well as the whole site. Thanks for sharing.