I'm posting this here since programmers write viruses, and AV software. They also have the best knowledge of heuristics and how AV systems work (cloaking etc).
The EICAR test file was used to functionally test an antivirus system. As it stands today almost every AV system will flag EICAR as being a "test"
virus. For more information on this historic test
virus please click here.
Currently the EICAR test file is only good for testing the presence of an AV solution, but it doesn'
t check for engine file or DAT file up-to-dateness. In other words, why do a functional test of a system that could have definition files that are more than 10 years old. With the increase of zero day threats it doesn'
t make much sense to functionally test your system using EICAR.
That being said, I think EICAR needs to be updated/modified to be effective test that works in conjunction with an AV management solution.
This question is about real world testing, without using live viruses... which is the intent of the original EICAR.
That being said I'm proposing a new EICAR file format with the appendage of an XML blob that will conditionally cause the Antivirus engine to respond.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-EXTENDED-ANTIVIRUS-TEST-FILE!$H+H*
<?xml version="1.0"?>
<engine-valid-from>2010-1-1Z</engine-valid-from>
<signature-valid-from>2010-1-1Z</signature-valid-from>
<authkey>MyTestKeyHere</authkey>
In this sample, the antivirus engine would only alert on the EICAR file if both the signature or engine file is equal to or newer than the valid-from date. Also there is a passcode that will protect the usage of EICAR to the system administrator.
If you have a backgound in "Test Driven Design" TDD for software you may get that all I'm doing is applying the principals of TDD to my infrastructure.
Based on your experience and contacts how can I make this idea happen?
