If organizations want to test the ThreatDown malware protection for validation purposes, they may prefer to use a harmless test file. The European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) created an EICAR test file specifically for testing against malware scanning engines.
The EICAR test files can be downloaded from the following link: https://www.eicar.org/download-anti-malware-testfile/.
ThreatDown detects EICAR for Windows, macOS and Linux operating systems. Proceed with the steps below to test EICAR.
Steps for testing EICAR
Windows
- Download the EICAR test files.
- Initiate a threat scan from the console or the endpoint and wait for the scan to complete. The EICAR files should be quarantined and the detection reported to Nebula as EICAR-AV-Test.
- If the eicar.com file is not detected, verify that the Nebula exclusions do not include the test directory location.
- If the eicar.com.zip is not detected, ensure that the scan setting Scan the contents of compressed folders (e.g. .zip, .rar. etc.) is enabled for Windows in the corresponding Nebula policy.
- If Defender is enabled, it may quarantine the EICAR test files as they are downloaded before the ThreatDown scan runs. Allow the file through Defender so ThreatDown can scan it.
macOS
Testing EICAR on macOS requires the test file to be placed in a specific directory. Because these are test files, scanning an entire drive for them on macOS would increase scan times.
- Download the EICAR test file.
- Create the directory /Users/Shared/Malwarebytes/ on the test endpoint. This can be done via Terminal using the command below. Terminal commands are case-sensitive.
mkdir -p /Users/Shared/Malwarebytes/
- Move the EICAR test file to the newly created directory. This can also be done using the Terminal command below.
mv ~/Downloads/eicar.com.txt /Users/Shared/Malwarebytes/
If real-time protection is enabled, the EICAR detection should trigger immediately when the test file is moved to the directory. If real-time protection is disabled in the corresponding Nebula policy, initiate a threat scan from the console or the endpoint.
The detection is reported in Nebula as EICAR-AV-Test.
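The macOS steps above can be scripted so that the endpoint side of the test has a pass/fail result. The following is an added example, not ThreatDown code: the function names and the 30-second default timeout are hypothetical, and it assumes that quarantining removes the file from the directory it was placed in.

```shell
#!/bin/sh
# Added example (not vendor code). Function names and the timeout are hypothetical.
# Assumption: quarantine removes the file from the directory it was placed in.

EICAR_DIR="/Users/Shared/Malwarebytes"   # macOS test directory named on the page

# stage_test_file SRC [DIR]: create DIR, move SRC into it, print the new path.
stage_test_file() {
    local src="$1" dir="${2:-$EICAR_DIR}"
    [ -f "$src" ] || { echo "missing test file: $src" >&2; return 2; }
    mkdir -p "$dir" || return 2
    mv "$src" "$dir/" || return 2
    printf '%s/%s\n' "${dir%/}" "$(basename "$src")"
}

# wait_for_removal PATH [SECONDS]: 0 once PATH is gone, 1 if still present at timeout.
wait_for_removal() {
    local path="$1" timeout="${2:-30}" waited=0
    while [ -e "$path" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# check_realtime_detection SRC [DIR] [SECONDS]: stage the file, then report the outcome.
check_realtime_detection() {
    local staged
    staged="$(stage_test_file "$1" "${2:-$EICAR_DIR}")" || return 2
    if wait_for_removal "$staged" "${3:-30}"; then
        echo "PASS: $staged removed; confirm EICAR-AV-Test in Nebula"
    else
        echo "FAIL: $staged still present; check real-time protection and exclusions, or run a threat scan"
        return 1
    fi
}

# Example: sh eicar_check.sh ~/Downloads/eicar.com.txt
if [ "$#" -gt 0 ]; then
    check_realtime_detection "$@"
fi
```

A FAIL result with real-time protection disabled in the policy is expected; run a threat scan and check the directory again.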
Linux
- Download the EICAR test files.
- Initiate a threat scan via Terminal or Nebula. A threat scan via Terminal would use the command mblinux scan. For additional Linux commands, see Commands for Nebula Linux endpoints.
- When the scan completes, the files are quarantined and appear in Nebula detections as Linux.EICAR.AVTest.
For additional questions regarding the EICAR test file, contact Support for assistance.