This article is rated C-class on Wikipedia's content assessment scale.
I am wondering whether it is actually OK to include the file itself here? Isn't it copyrighted by EICAR or whoever created it? Or is it too short to be copyrightable at all? I would be very happy if anyone could shed some light on this... User:RobertLemmen —Preceding unsigned comment added by 93.97.72.81 ( talk) 20:03, 19 March 2010 (UTC)
Please give the date (preferably in a signature) and nature of the scan (i.e. plaintext, encrypted, hdd, email, ...). Be sure to fully update your software so that your signed date is accurate.
The one thing this article doesn't tell me is *why* AV programs pick it up. Are they specially taught to recognise this string, or is there something inherently "virus-like" in the file? When you think about it, since the file *is* benign, there's no particular reason they should do anything about it. It's like calling the fire brigade to tell them you're about to set off the fire alarm, then complaining when they don't show up. Stevage 13:48, 9 August 2006 (UTC)
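What a scanner actually matches on, as an added example for this thread (mine, not the article's, EICAR's or any vendor's code): the acceptance rules EICAR publishes for the test file. Detection is a plain signature, the 68 bytes at the start of the file, optionally followed by whitespace from the set EICAR lists (space, tab, CR, LF, Ctrl-Z), with the whole file at most 128 bytes. Nothing in the file is behaviourally suspicious; a product flags it because its signature set includes this string by agreement. The sample files at the bottom are constructed here to exercise the edge cases (editor-added newline, padding to the limit, string embedded mid-file, one byte changed); the three-way `classify` labels are my own naming.

```python
"""Apply EICAR's published acceptance rules for the anti-virus test file.

Added example for this talk-page thread; not code from the article, EICAR
or any vendor. The rules: the file starts with the 68-byte string, anything
after it is only whitespace (space, tab, CR, LF, Ctrl-Z), and the total
length does not exceed 128 bytes.
"""

# The 68-byte test string, joined from fragments so that this source file
# does not carry the signature as a single literal.
EICAR = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
    b"H+H*"
)
TRAILER_OK = b" \t\r\n\x1a"   # space, tab, CR, LF, Ctrl-Z
MAX_LEN = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True only for files EICAR says every supporting scanner must flag."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    # Every byte after the 68-byte string must come from the whitespace set.
    return all(b in TRAILER_OK for b in data[len(EICAR):])


def classify(data: bytes) -> str:
    """Label (my own naming, not EICAR's): must-detect, vendor-dependent, not-eicar."""
    if is_eicar_test_file(data):
        return "must-detect"
    if EICAR in data:
        # String present but not as a conforming file (wrong offset, too long):
        # EICAR does not require detection here, vendors differ.
        return "vendor-dependent"
    return "not-eicar"


# Constructed sample files (not real captures) exercising the edge cases.
SAMPLES = {
    "exact": EICAR,
    "editor-newline": EICAR + b"\r\n",                      # saved from an editor
    "padded-to-128": EICAR + b" " * (MAX_LEN - len(EICAR)),  # exactly at the limit
    "too-long": EICAR + b" " * (MAX_LEN - len(EICAR) + 1),   # one byte over
    "embedded": b"see the test string: " + EICAR + b"\n",    # not at offset 0
    "one-byte-off": EICAR[:-1] + b"!",                       # signature broken
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} {len(data):3d} bytes  {classify(data)}")
```

The "embedded" and "too-long" cases are where products differ in practice: the published rules only oblige a scanner to flag a conforming stand-alone file, so a test string pasted into a document or a mail body may or may not be reported depending on the vendor.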
What does this sentence mean? Regards, Ben Aveling 05:17, 28 November 2006 (UTC)
I have restored this sentence, because it was very significant to my understanding of the EICAR file itself.
The executable code should end with two assembly language instructions: INT 0x21, INT 0x20, which respectively mean "print that string" and "end". However, the instruction code for INT is 0xCD, which is not an ASCII character available from the keyboard (though it is printable).
The actual file ends with the four-byte instruction pair DEC AX; SUB CX,[BX+SI+2A], which is responsible for the H+H* substring.
The EICAR file overwrites these last four bytes in order to get the 0x21, 0x20 sequence. Most of the previous code (before the string offset) serves only to modify these bytes (and to pass the parameters to INT 21h).
Initial condition: AX=0 (I don't know why... it seems to be a precondition)
CS:0101 354F21  XOR AX,214F   //AX=214F
CS:0104 50      PUSH AX
CS:0105 254041  AND AX,4140   //AX=0140
CS:0108 50      PUSH AX
CS:0109 5B      POP BX        //BX<-AX
Now we have BX=0140
CS:010A 345C    XOR AL,5C
CS:010C 50      PUSH AX
CS:010D 5A      POP DX
CS:010E 58      POP AX
CS:010F 353428  XOR AX,2834
CS:0112 50      PUSH AX
CS:0113 5E      POP SI
At this point we have SI = 097B (the code is weird because of the keyboard-ASCII requirement).
CS:0114 2937 SUB [BX],SI
word ptr [BX] contains 2B48, hence 2B48-097B = 21CD (note the bytes are reverted within the word).
CS:0116 43      INC BX
CS:0117 43      INC BX
CS:0118 2937    SUB [BX],SI
Increment BX by 2, and repeat the trick. Now word ptr [BX] contains 2A48, hence 2A48-097B = 20CD.
CS:011A 7D24 JGE 0140
This condition always evaluates true. The string EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$ is stored in CS:011B through CS:0139.
CS:0140 CD21    INT 21
CS:0142 CD20    INT 20
Voilà!
Rjgodoy ( talk) 09:48, 25 March 2008 (UTC)
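The trace above, replayed by machine, as an added example for this thread (my code, not from the article, from EICAR or from Rjgodoy's post): a minimal 8086 interpreter in Python that implements only the opcode forms the 68-byte file uses, loads it as a DOS .COM image at CS:0100h, and checks that the last four bytes end up as CD 21 CD 20 with AH=09h and DS:DX pointing at the '$'-terminated string. It starts one byte earlier than the listing, at the leading 'X' (58h, POP AX), which pops the zero word DOS places on the stack before entering a .COM program; that is where the AX=0 precondition comes from. The 68-byte string is rebuilt inline from fragments; the register and flag model is only as complete as this file needs.

```python
"""Trace the self-modifying prologue of the EICAR test file.

Added example for this talk-page thread, not code from EICAR or the
article: a tiny 8086 interpreter covering only the opcode forms the test
file uses, run as a DOS .COM image at CS:0100h with the zero word DOS
pushes on the stack (which is why the first POP AX yields AX=0).
"""
import struct

# The 68-byte test string, joined from fragments so that this source file
# does not carry the signature as a single literal.
EICAR = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
    "H+H*"
).encode("ascii")

ORG = 0x0100   # load address of a .COM image


def run_eicar(image=EICAR):
    """Execute from CS:0100h until the first INT; return the resulting state."""
    mem = bytearray(0x10000)
    mem[ORG:ORG + len(image)] = image
    reg = {"AX": 0, "BX": 0, "DX": 0, "SI": 0}
    stack = [0x0000]              # DOS pushes one zero word for a .COM program
    flags = {"SF": 0, "OF": 0}    # only the flags JGE looks at
    trace = []
    ip = ORG

    def rd16(addr):
        return struct.unpack_from("<H", mem, addr)[0]

    def sub16(a, b):              # 16-bit subtract, setting SF and OF
        r = (a - b) & 0xFFFF
        flags["SF"] = r >> 15
        flags["OF"] = int(((a ^ b) & (a ^ r) & 0x8000) != 0)
        return r

    while True:
        op = mem[ip]
        if op == 0x58:                                  # POP AX
            reg["AX"] = stack.pop(); size, txt = 1, "POP AX"
        elif op == 0x35:                                # XOR AX,imm16
            imm = rd16(ip + 1); reg["AX"] ^= imm; size, txt = 3, f"XOR AX,{imm:04X}"
        elif op == 0x50:                                # PUSH AX
            stack.append(reg["AX"]); size, txt = 1, "PUSH AX"
        elif op == 0x25:                                # AND AX,imm16
            imm = rd16(ip + 1); reg["AX"] &= imm; size, txt = 3, f"AND AX,{imm:04X}"
        elif op == 0x5B:                                # POP BX
            reg["BX"] = stack.pop(); size, txt = 1, "POP BX"
        elif op == 0x34:                                # XOR AL,imm8
            imm = mem[ip + 1]; reg["AX"] ^= imm; size, txt = 2, f"XOR AL,{imm:02X}"
        elif op == 0x5A:                                # POP DX
            reg["DX"] = stack.pop(); size, txt = 1, "POP DX"
        elif op == 0x5E:                                # POP SI
            reg["SI"] = stack.pop(); size, txt = 1, "POP SI"
        elif op == 0x29 and mem[ip + 1] == 0x37:        # SUB [BX],SI (self-modifying write)
            struct.pack_into("<H", mem, reg["BX"], sub16(rd16(reg["BX"]), reg["SI"]))
            size, txt = 2, "SUB [BX],SI"
        elif op == 0x43:                                # INC BX (sets SF/OF, not CF)
            reg["BX"] = (reg["BX"] + 1) & 0xFFFF
            flags["SF"], flags["OF"] = reg["BX"] >> 15, int(reg["BX"] == 0x8000)
            size, txt = 1, "INC BX"
        elif op == 0x7D:                                # JGE rel8, taken when SF == OF
            disp = struct.unpack_from("<b", mem, ip + 1)[0]
            txt = f"JGE {ip + 2 + disp:04X}"
            size = 2 + disp if flags["SF"] == flags["OF"] else 2
        elif op == 0xCD:                                # INT imm8: DOS call, stop here
            trace.append((ip, f"INT {mem[ip + 1]:02X}"))
            break
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {ip:04X}")
        trace.append((ip, txt))
        ip += size

    dx = reg["DX"]
    end = mem.index(b"$", dx)     # DOS AH=09h prints DS:DX up to the first '$'
    return {
        "ints": (mem[ip + 1], mem[ip + 3]),   # the two INT numbers in the patched tail
        "AH": reg["AX"] >> 8,                 # DOS function number for INT 21h
        "DX": dx,
        "tail": bytes(mem[ip:ip + 4]),        # what H+H* became
        "string": mem[dx:end].decode("ascii"),
        "trace": trace,
    }


if __name__ == "__main__":
    st = run_eicar()
    for addr, txt in st["trace"]:
        print(f"{addr:04X}  {txt}")
    print(f"AH={st['AH']:02X}h DS:DX={st['DX']:04X}h -> {st['string']!r}")
    print("patched tail:", st["tail"].hex())
```

Two details the replay makes visible: DX is set to 011Ch, the byte after the JGE, so the '$' that serves as the jump displacement at 011Bh is not printed, and the flags tested by JGE come from the second SUB, whose result 20CDh is positive with no signed overflow, which is why the branch is always taken.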
The Adoption section says that one Antivirus/Antimalware/EDR product doesn't detect it - Malwarebytes. However, it does seem to both detect and block the file, even if it doesn't show on VirusTotal.
2603:6011:9403:B900:C917:690F:57A0:8737 ( talk) 12:02, 10 May 2022 (UTC)
Did EICAR ever make one for newer OSes? If so, can someone from EICAR add it to the article? Interestingly, there's a malware called "Emptyspace" that is a text file that looks blank but is in fact executable. Not sure if that should be mentioned as it uses a similar technique. 74.196.181.80 ( talk) 16:57, 12 February 2024 (UTC)