What to expect when testing Symantec Protection Engine (SPE) with the Eicar test virus?
The EICAR test file is the industry-standard way to verify that an antivirus scanner is working: a known test string placed at the beginning of a file.
Symantec Protection Engine detects the EICAR test string in a file. The string is "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*". No characters may appear before the EICAR string; if any do, the file is no longer considered the EICAR test virus and Symantec Protection Engine will not catch it. The only characters that may follow the EICAR string are space, tab, LF, or CR, and the total length of the file cannot exceed 128 characters; a longer file is likewise no longer considered the EICAR test virus and will not be caught by Symantec Protection Engine.
If the file you want to test is a container file, download eicar.com or eicar.com.zip from the EICAR web site and insert it into the container using the method appropriate for that file format. For instance, you could insert eicar.com into an MS Word document by attaching it with the MS Word editor. Many file formats, such as various graphic file formats, cannot have other files attached to them.
The EICAR site describes what to expect from AV products that support the EICAR test virus:
“Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:
The first 68 characters are the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z.”
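An added example, not Symantec's or EICAR's own code: a Python checker that applies the acceptance rules above to candidate file contents, using both the whitespace set the article gives for SPE and the wider eicar.org set that adds CTRL-Z. The function and constant names and the sample inputs are constructed for this example.

```python
"""Apply the EICAR acceptance rules to file contents (added example).

The signature is the 68-byte string quoted on the page; the names and
the constructed sample inputs below are this example's own.
"""

# The 68-byte EICAR signature exactly as quoted on the page.
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
MAX_LENGTH = 128  # signature plus optional trailing whitespace

# Trailing bytes the article says SPE tolerates; eicar.org also allows CTRL-Z.
SPE_TRAILING = b" \t\n\r"
EICAR_TRAILING = SPE_TRAILING + b"\x1a"


def eicar_check(data: bytes, allowed_trailing: bytes = SPE_TRAILING) -> tuple:
    """Return (is_valid, reason) for the bytes of a candidate test file."""
    if len(data) > MAX_LENGTH:
        return False, f"file is {len(data)} bytes; limit is {MAX_LENGTH}"
    if not data.startswith(EICAR_SIGNATURE):
        # Any leading byte fails, including a BOM added by a text editor.
        return False, "does not start with the 68-byte EICAR signature"
    tail = data[len(EICAR_SIGNATURE):]
    bad = [b for b in tail if b not in allowed_trailing]
    if bad:
        return False, f"non-whitespace byte 0x{bad[0]:02x} after the signature"
    return True, "valid EICAR test file"


# Constructed inputs exercising each rule (not files from the page).
CASES = {
    "exact 68 bytes": EICAR_SIGNATURE,
    "trailing CRLF": EICAR_SIGNATURE + b"\r\n",
    "padded to 128": EICAR_SIGNATURE + b" " * 60,
    "padded to 129": EICAR_SIGNATURE + b" " * 61,
    "UTF-8 BOM prepended": b"\xef\xbb\xbf" + EICAR_SIGNATURE,
    "trailing CTRL-Z": EICAR_SIGNATURE + b"\x1a",
    "trailing 'x'": EICAR_SIGNATURE + b"x",
}


def main() -> None:
    for name, data in CASES.items():
        spe_ok, reason = eicar_check(data)
        eicar_ok, _ = eicar_check(data, EICAR_TRAILING)
        print(f"{name:22} SPE={spe_ok!s:5} EICAR={eicar_ok!s:5} {reason}")


if __name__ == "__main__":
    main()
```

The "trailing CTRL-Z" case is the one place the two rule sets disagree: it passes under the eicar.org wording but not under the set the article gives for SPE.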
Example of an EICAR detection from the ssecls tool as it appears in the raw SSEYYYYMMDD.log file:
165xxxx969|2|2|3|8|2|3|no_path|4|eicar.com|5|4|6|eicar.com|7|0|9|EICAR Test String|10|11101|21|0|124|0|39|10.25.204.179|17|0.785|18|0.801|43|10.255.2.157|44|1344|45|1302784|64|NA|66|NA|65|0|67|NA|68|High|69|High|70|High|71|High|72|High|81|131f95c51cc819465fa1797f6ccacf9d4xxxxaff46fa3eac73ae63ffbdfd8267|120|165592xxxx834|121|renbdl997137-01|123|12580
The ICAP conversation as seen in a packet capture. This is with the replacement file option set to false, so SPE responds with a 403:
RESPMOD icap://127.0.0.1:1344/AVSCAN?action=SCANREPAIRDELETE ICAP/1.0
Encapsulated: req-hdr=0, res-hdr=56, res-body=103
GET http://scapi.symantec.com/eicarcom2.zip HTTP/1.1
HTTP/1.1 200 OK
........(<.QhD...D... ......... .......eicar.comPK..........7...k.....PK....
ICAP/1.0 403 Forbidden
Date: Wed Sep 20 19:18:27 2023 GMT
Service: Symantec Protection Engine/184.108.40.206
Service-ID: Respmod AV Scan
X-Infection-Found: Type=0; Resolution=2; Threat=Trojan.Gen.NPE.2;
The same log entry as displayed by the logconverter tool:
Wed Jun 22 11:52:49 Pacific Daylight Time 2022, An infection has been found, Event Severity Level = Warning, Scan Rule = Repair or delete Threats, URL = no_path, File name = eicar.com, File status = BLOCKED, Component name = eicar.com, Component disposition = INFECTED, Virus name = EICAR Test String, Virus ID = 11101, Virus definitions = 0, File Detection Level = 0, Client IP = 10.25.204.179, Scan Duration (sec) = 0.785, Connect Duration (sec) = 0.801, Symantec Protection Engine IP address = 10.255.2.157, Symantec Protection Engine Port number = 1344, Uptime (in seconds) = 1302784, Uber Category = NA, Sub Category Name = NA, Sub Category ID = 0, Sub Category Description = NA, Cumulative Risk Rating = High, Performance impact = High, Privacy impact = High, Ease of removal = High, Stealth = High, File SHA256 value = 131f95c51cc819465fa1797f6ccacf9d494xxxxf46fa3eac73ae63ffbdfd8267, Date/time of event(with millisec) = 1655923969834, Symantec Protection Engine Host Name = renbdl997137-01, Process ID = 12580