Attachment: EICAR String Present

This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.

For performance reasons, this rule is limited to attachments with "eicar" in the file name.

Sublime rule

name: "Attachment: EICAR String Present"
description: |
  This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.

  For performance reasons, this rule is limited to attachments with "eicar" in the file name.
references:
  - "https://www.eicar.org/download-anti-malware-testfile/"
  - "https://delivr.to/payloads?id=bd6f4ec2-ef6b-4bd0-b5c7-4a9532aba783"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "low"
source: |
  type.inbound
  and any(attachments, strings.icontains(.file_name, "eicar"))
  and any(attachments,
          any(file.explode(.),
              any(.scan.strings.strings,
                  strings.icontains(.,
                                    'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
                  )
              )
          )
  )
tags:
  - "EICAR"
attack_types:
  - "Malware/Ransomware"
detection_methods:
  - "File analysis"
id: "592e2319-9e4f-5e3d-9b34-22259ddc3416"
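How the rule's two-stage logic behaves on real attachments, as an added Python example that is not part of the Sublime rule or platform: the cheap file-name gate runs first, then every exploded file's printable strings are checked case-insensitively. The explode() and strings_of() helpers are simplified stand-ins for file.explode() and .scan.strings.strings (only ZIP nesting is handled), and all attachments are constructed inline.

```python
import io
import zipfile
from dataclasses import dataclass

# The EICAR test string exactly as the rule matches it. Raw string: the
# backslash before P is part of the test string, not an escape sequence.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Attachment:
    file_name: str
    content: bytes


def explode(content: bytes):
    """Stand-in for file.explode(): yield the file itself and, for ZIP
    archives, every member recursively (so nested zips are covered)."""
    yield content
    if zipfile.is_zipfile(io.BytesIO(content)):
        with zipfile.ZipFile(io.BytesIO(content)) as zf:
            for name in zf.namelist():
                yield from explode(zf.read(name))


def strings_of(data: bytes, min_len: int = 4):
    """Printable-ASCII runs of at least min_len bytes, like a strings scan."""
    run = bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                yield run.decode("ascii")
            run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def rule_matches(attachments: list) -> bool:
    """Mirror of the rule: file-name gate, then case-insensitive string scan."""
    if not any("eicar" in a.file_name.lower() for a in attachments):
        return False  # no attachment named *eicar*: rule never inspects content
    return any(EICAR.lower() in s.lower()
               for a in attachments
               for blob in explode(a.content)
               for s in strings_of(blob))


def zip_with(name: str, data: bytes) -> bytes:
    """Build an in-memory ZIP holding one member (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: plain file, file nested in a zip, string present but
# the name gate blocks it, and a correctly named file without the string.
PLAIN = [Attachment("eicar.com", EICAR.encode())]
NESTED = [Attachment("EICAR-test.zip", zip_with("eicar.com", EICAR.encode()))]
UNGATED = [Attachment("invoice.pdf", EICAR.encode())]
BENIGN = [Attachment("eicar_notes.txt", b"Notes about the EICAR test file.")]
```

UNGATED shows the trade-off stated in the description: the file-name gate is a performance shortcut, so a renamed EICAR file is deliberately out of scope for this rule.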