Didier Stevens

Friday 4 December 2009

Quickpost: New EICARgen Version

Filed under: My Software,Quickpost — Didier Stevens @ 14:58

I never expected to release a new version of EICARgen, but I’m forced to: EICARgen.exe generates just too many false positives.

The new version contains the EICAR string an XOR-encode string (key 0xFF). It has only a couple of detections. Kaspersky and VBA32 shouldn’t actually detect this. EICAR clearly specifies that the presence of the EICAR test string inside a file (like an executable) shouldn’t be detected. As to why AVG needs to detect EICAR test file droppers, I have no idea…

Quickpost info


  1. while it’s true that the specs for eicar say that any file that starts with the specified 68 characters should be detected, that doesn’t preclude them from detecting droppers.

    it’s reasonable to assume that some anti-malware programs will detect not only known malware but also generically detect droppers of known malware, which would apply to this case.

    maybe instead of a dropper you should try a downloader (perhaps that’s why downloaders rose to prominence).

    Comment by kurt wismer — Friday 4 December 2009 @ 22:16

  2. Good point, a generic dropper signature could explain what AVG does. And I could also use a downloader, thanks for the tip.

    Comment by Didier Stevens — Saturday 5 December 2009 @ 9:40

  3. my eicar source @ http://corkami.blogspot.com/2009/12/this-is-not-virus.html

    Comment by Ange — Thursday 7 January 2010 @ 13:33

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.