
What is the Eicar testfile?

If you would like to test Apple's XProtect system, you can now safely do so with the latest definitions update.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

When Apple updates its XProtect anti-malware system in OS X with new definitions, it often means a new or updated threat has been found for OS X.

Earlier this morning, Apple issued an update to XProtect that adds a new definition for a package called "OSX.eicar.com.i," which originates from Eicar.com. On its face, a new definition suggests a novel malware package, but that is not the case with this update.

"Eicar" stands for the European Institute for Computer Antivirus Research, a group that investigates malware and security issues and maintains an anti-malware test file for checking antivirus utilities. The testfile is a simple text file called "eicar.com" containing the following ASCII string; when the string is saved to a file and scanned with an antivirus utility, the scan should report a positive result for malware:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This ASCII string is actually a DOS program that should print out the string "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" when run on a DOS system.

XProtect update showing Eicar definitions
The new XProtect update includes definitions for OSX.eicar.com.i. Screenshot by Topher Kessler/CNET

This test file is just one of many; security companies generate such files so that people can test their software more safely without handling true malware.

Are definitions for the testfile needed?
The file is intended to serve as a test for antivirus utilities without the need to pass live threats back and forth between systems. Many security software vendors create such files for checking their software, as doing so is far safer than issuing live malware packages to be detected on a test system.

Since the file is simply a test, a definition to single it out is not needed by a system like Apple's XProtect. However, having the definition available does allow a user to run the testfile through XProtect and see whether the system is working properly. The file is ultimately available to be detected, so even though a static definition for the file bypasses any behavioral analysis features, it does serve to show that XProtect is active and working.
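As an added example that is not part of the article or of XProtect, the following Python implements the static check that the published Eicar rules describe for the string shown above: the 68-byte string must start the file, only trailing whitespace may follow it, and the file may be at most 128 bytes. The detection label reuses the name Apple's definition carries; the file layout of XProtect's own definitions is not assumed.

```python
# Added example (not from the article): a minimal static EICAR check of the
# kind a signature-based scanner performs, plus a tiny self-test.
import os
import tempfile

# The 68-byte EICAR string quoted in the article. It is a harmless test
# pattern, so it can be embedded directly.
EICAR_STRING = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Per eicar.org, only these whitespace bytes may follow the 68-byte body,
# and the whole file must be no longer than 128 bytes.
ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")
MAX_LEN = 128


def is_eicar(data: bytes) -> bool:
    """Return True if `data` is a valid EICAR test file under the published rules."""
    if len(data) > MAX_LEN or not data.startswith(EICAR_STRING):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR_STRING):])


def scan_file(path: str) -> str:
    """Label a file the way a static-definition scanner does: only the byte
    pattern is examined, nothing about what the file would do if run."""
    with open(path, "rb") as fh:
        head = fh.read(MAX_LEN + 1)  # one extra byte exposes oversize files
    return "OSX.eicar.com.i" if is_eicar(head) else "clean"


def write_test_file(directory: str) -> str:
    """Create eicar.com (body plus a trailing newline) for checking a scanner."""
    path = os.path.join(directory, "eicar.com")
    with open(path, "wb") as fh:
        fh.write(EICAR_STRING + b"\n")
    return path


def self_check() -> str:
    """Write the test file to a scratch directory and return the scan label."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_file(write_test_file(tmp))


if __name__ == "__main__":
    print("eicar.com ->", self_check())
```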

XProtect detecting Eicar test file
If you download the "eicar.com" file from the Eicar Web site and try to open it, you will be met with an XProtect error that warns you of potential harm. Screenshot by Topher Kessler/CNET

Therefore, if you download the file from the Eicar Web site and try to open it in a program like TextEdit, XProtect will prevent you from doing so and issue a warning that the file will harm your system. Even though this is an incorrect assessment, it shows that XProtect is able to see the file, associate definitions to it, and properly block it from being opened.
