Why are Eicar Files Allowed to Download and Execute?

Article ID: 285115


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Why are eicar files allowed to download and execute?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Supported Versions

Resolution

  • The sensor does not block downloads of malicious files; it blocks execution.
  • However, eicar files must be opened by a known script host (e.g. python.exe, cmd.exe, powershell.exe, excel.exe, etc.) in order for execution to be blocked. If the eicar file is opened by notepad or mspaint, it is not interpreted as a script or executed as such.
  • Eicar files are designed for Windows OS, so they are not suitable for testing on other operating systems.

Additional Information

A script host or command interpreter is an executable that reads code from another file and executes it.