Attachment: EICAR String Present
This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.
For performance reasons, this rule is limited to attachments with "eicar" in the file name.
Sublime rule
name: "Attachment: EICAR String Present"
description: |
  This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.

  For performance reasons, this rule is limited to attachments with "eicar" in the file name.
references:
  - "https://www.eicar.org/download-anti-malware-testfile/"
  - "https://delivr.to/payloads?id=bd6f4ec2-ef6b-4bd0-b5c7-4a9532aba783"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "low"
source: |
  type.inbound
  and any(attachments, strings.icontains(.file_name, "eicar"))
  and any(attachments,
          any(file.explode(.),
              any(.scan.strings.strings,
                  strings.icontains(.,
                                    'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
                  )
              )
          )
  )
tags:
  - "EICAR"
attack_types:
  - "Malware/Ransomware"
detection_methods:
  - "File analysis"
id: "592e2319-9e4f-5e3d-9b34-22259ddc3416"
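The rule's two-stage logic (file-name pre-filter, then a case-insensitive search of the exploded attachment contents) written out in Python, as an added example that is not part of the rule or the Sublime platform. `Attachment`, `explode`, `build_zip` and `eicar_present` are constructed stand-ins for Sublime's attachment objects and `file.explode`; explosion here handles one level of zip only, and the sample attachments are constructed inline.

```python
import io
import zipfile
from dataclasses import dataclass

# The EICAR test string exactly as the rule searches for it.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Attachment:
    """Constructed stand-in for a Sublime attachment: name plus raw bytes."""
    file_name: str
    content: bytes


def build_zip(member_name: str, data: bytes) -> bytes:
    """Build an in-memory zip containing one member (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def explode(att: Attachment):
    """Stand-in for file.explode: yield the attachment's own bytes, and if it
    is a zip, every member's bytes as well (one level, zip only)."""
    yield att.content
    if zipfile.is_zipfile(io.BytesIO(att.content)):
        with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
            for name in zf.namelist():
                yield zf.read(name)


def eicar_present(attachments: list) -> bool:
    """Mirror the rule's source: the two any() clauses are independent, so an
    attachment whose name contains "eicar" and an attachment whose exploded
    content contains the string need not be the same attachment."""
    if not any("eicar" in a.file_name.lower() for a in attachments):
        return False  # performance pre-filter from the rule
    needle = EICAR.lower().encode()
    return any(needle in blob.lower()
               for a in attachments for blob in explode(a))


if __name__ == "__main__":
    sample = [Attachment("EICAR.zip", build_zip("eicar.com", EICAR.encode()))]
    print("EICAR string present:", eicar_present(sample))  # True
```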