Is it possible to change the string of the EICAR file?



  • Is it possible to change the string of the EICAR file and still have it detected?

    For example, print "KGMAL" instead of "EICAR".



  • Eicar.org defines the 68-byte string as the detectable "virus":

    Any anti-virus product that supports the EICAR test file should
    detect it in any file providing that the file starts with the 
    following 68 characters, and is exactly 68 bytes long:
    
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    
    The first 68 characters is the known string. 
    

    They do allow for limited expansion of the file:

    It may be optionally appended by any combination of whitespace
    characters with the total file length not exceeding 128 characters.
    The only whitespace characters allowed are the space character,
    tab, LF, CR, CTRL-Z.
    

    But it's fair to say that any modification of the initial 68 bytes used in the definition will harm recognition of the file by antivirus vendors. I suppose it's possible that some vendors may match a subset of those 68 bytes, but it's not likely.
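
The definition quoted in the answer above can be written as a conformance check. This is an added example, not part of the original post and not how any particular antivirus product matches the file. The function name `check_eicar` and the sample inputs are constructed for illustration.

```python
# Added example: test a byte string against the EICAR definition quoted above.
# It checks the written definition only; real scanners may match differently.

EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = b" \t\n\r\x1a"  # space, tab, LF, CR, CTRL-Z
MAX_LEN = 128                      # total file length limit from the definition


def check_eicar(data: bytes) -> tuple:
    """Return (conforms, reason) for the definition quoted in the answer."""
    if len(data) < len(EICAR):
        return False, "shorter than 68 bytes"
    if data[:len(EICAR)] != EICAR:
        # Report the first byte that departs from the known 68-byte string.
        off = next(i for i, (a, b) in enumerate(zip(data, EICAR)) if a != b)
        return False, f"prefix differs at offset {off}"
    if len(data) > MAX_LEN:
        return False, f"{len(data)} bytes exceeds the {MAX_LEN}-byte limit"
    for i in range(len(EICAR), len(data)):
        if data[i] not in ALLOWED_TRAILING:
            return False, f"disallowed trailing byte at offset {i}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples, including the "KGMAL" edit from the question.
    samples = {
        "exact 68 bytes": EICAR,
        "with CR LF CTRL-Z appended": EICAR + b"\r\n\x1a",
        "EICAR replaced by KGMAL": EICAR.replace(b"EICAR", b"KGMAL"),
        "leading space": b" " + EICAR,
        "trailing text": EICAR + b" test",
        "padded to 129 bytes": EICAR + b" " * 61,
    }
    for name, blob in samples.items():
        ok, reason = check_eicar(blob)
        print(f"{name:30} {'conforms' if ok else 'does not conform'}: {reason}")
```

The "KGMAL" variant fails at offset 28, the first byte of the word being replaced, so it no longer matches the string vendors are told to detect.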

