There’s a very simple anti-virus testing tool I programmed years ago, and I just realized I’ve never published it. So here goes.
EICARgen is just a program that creates the EICAR Anti-Virus test file.
The EICAR Anti-Virus test file is 68 bytes long, and it will cause all Anti-Virus software to trigger a virus alert. Of course, this EICAR file is not a virus, it’s just an industry-standard test file. The EICAR file is only detected by Anti-Virus software that supports the EICAR file, but I’m not aware of any that doesn’t.
The EICAR Anti-Virus test file is great to test your Anti-Virus software, but it’s not easy to handle, because your Anti-Virus software keeps deleting it.
Being a developer, I came up with my own solution to this problem: I wrote a program that would just create the EICAR Anti-Virus test file when I need it.
My program itself is not detected by Anti-Virus software, because:
- Anti-Virus software that fully complies with EICAR only triggers an alert for a 68-byte EICAR Anti-Virus test file, not for larger files containing the 68-byte EICAR sequence
- my program does not contain an exact copy of the EICAR sequence
EICARgen is a Windows console application. Start it without arguments, and it will create eicar.com in the working directory and then exit.
Start it with a filename as argument, and it will create the EICAR test file with the name you specified.
Compiled with Borland’s free C++ 5.5 compiler.
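The following C program is an added example, not EICARgen's own source. It assumes the test string is held as separate pieces and joined at run time (the post does not say how EICARgen avoids an exact copy), writes the file as described above, and includes a check for the exactly-68-bytes rule; all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define EICAR_LEN 68

/* The 68-byte test string kept as separate pieces, so no exact copy is
   stored (an assumption for this example, not EICARgen's actual method). */
static const char *const PARTS[] = {
    "X5O!P%@AP[4\\PZX54(P^)", "7CC)7}$", "EICAR-STANDARD-",
    "ANTIVIRUS-TEST-FILE", "!$H+H*"
};

/* Join the pieces into out; returns the length, or 0 if cap is too small. */
size_t build_eicar(char *out, size_t cap)
{
    size_t n = 0, i;
    for (i = 0; i < sizeof PARTS / sizeof PARTS[0]; i++) {
        size_t len = strlen(PARTS[i]);
        if (n + len > cap) return 0;
        memcpy(out + n, PARTS[i], len);
        n += len;
    }
    return n;
}

/* Rule from the text: only content that is exactly the 68-byte sequence
   counts as the test file; a larger buffer containing it does not. */
int is_test_file(const char *buf, size_t len)
{
    char ref[EICAR_LEN];
    if (len != EICAR_LEN || build_eicar(ref, sizeof ref) != EICAR_LEN) return 0;
    return memcmp(buf, ref, EICAR_LEN) == 0;
}

/* Write the test file in binary mode; returns 0 on success. */
int write_eicar(const char *path)
{
    char buf[EICAR_LEN];
    FILE *f;
    size_t n = build_eicar(buf, sizeof buf);
    if (n != EICAR_LEN || (f = fopen(path, "wb")) == NULL) return 1;
    n = fwrite(buf, 1, EICAR_LEN, f);
    return (fclose(f) != 0 || n != EICAR_LEN) ? 1 : 0;
}

/* No argument: eicar.com in the working directory; else the given name. */
int main(int argc, char **argv)
{
    return write_eicar(argc > 1 ? argv[1] : "eicar.com");
}
```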
Download:
MD5: 690228946E90C7AD4ED2E9250DFCF7A2
[...] PDF, Quickpost — Didier Stevens @ 8:54 I like to embed the EICAR Anti-Virus test file in usual formats and less usual formats. Today, I’m publishing a PDF document with an embedded EICAR test file [...]
Pingback by Quickpost: eicar.pdf « Didier Stevens — Tuesday 20 May 2008 @ 8:54
Can you obfuscate the virus code in the software, i.e. split the line into, say, 5 pieces in the wrong order and only assemble them on program execution? Avast says your eicargen file is a virus.
Comment by Andrew — Wednesday 17 September 2008 @ 19:29
Avast says: Win32:Trojan-gen {Other}
That’s strange…
Comment by Didier Stevens — Friday 19 September 2008 @ 12:59
I filed a bug report with AVAST and they have updated their virus sig so it won’t be detected as a virus. I used virustotal.com to check and it says it is not a virus anymore. See http://www.virustotal.com/analisis/79564320564a016f159f9adb8ea55847 for the report.
Comment by Andrew — Thursday 25 September 2008 @ 9:46
Great!
Comment by Didier Stevens — Thursday 25 September 2008 @ 13:11
Probably AVAST recognized your program as a virus generator and classified it as malware.
Now wait until Google ranks this very URL with the alert “This site may damage your computer”.
Comment by D0R — Thursday 6 November 2008 @ 13:58
Microsoft Security Essentials found the “Trojan:Win32/Meredrop” in EICARgen.exe when extracting the zip-file.
Even before I could test the EICAR Anti-Virus test file, at least MSE is doing its job.
Comment by Jan — Thursday 22 October 2009 @ 13:25
Interesting, thanks for the heads-up.
Comment by Didier Stevens — Thursday 22 October 2009 @ 15:39