9 May 2006
A familiar situation nowadays: as many technologies, as many products, and as many tests.
How does the user know that their security application, say their antivirus product, works and that the appropriate actions are taken by the antivirus product? An ‘easy’ but less secure and non-advisable way is to send yourself a virus by email or to launch it on your corporate network. However, the email containing the virus might already be intercepted at the ISP level or, as a last resort, at the gateway or mail server.
Besides that, what if the antivirus product fails and the virus goes undetected? Havoc could be caused on your network. The EICAR test file was created to cover that problem. It’s a harmless file, consisting of only ASCII characters but still executable. The definition is pretty strict. The main purpose of the EICAR test file is the ability to see if the antivirus product is installed and detects this specific test file. By general consensus, all antivirus vendors have agreed that this file can be detected although it is harmless, and if it is detected, it should be treated as a virus. This means the user can see if the antivirus product is active and takes the appropriate selected actions.
To counter a common misconception: detection of the EICAR test file is NOT an assurance that your antivirus product detects each and every virus. Some antivirus vendors have chosen, for their own reasons, not to detect the EICAR test file. All Norman products having the Norman Scanner Engine incorporated detect the EICAR test file.
Another initiative, launched on 4 May to ‘aid’ the end-user in testing their antispyware, is the SpyCar Project. By their own definition, SpyCar is a suite of tools designed to mimic spyware-like behavior, but in a benign form. Intelguardians created SpyCar so anyone could test the behavior-based defenses of an antispyware tool.
After going through the welcome screen and the EULA (End User License Agreement), the user ends up at the actual test page. This is where the SpyCar project differs from the EICAR test file. The test files in the SpyCar project will actually alter your system. Fair enough, your antispyware should block these attempts, but this is not the way to prove your antispyware program is working.
What if the antispyware isn’t working, and for other reasons you can not get to the TowTruck utility that supposedly cleans up the changes made by SpyCar? Not unimaginable, as the TowTruck utility is an executable downloaded from the Internet and many corporations rightfully block the direct download of executables at their gateway.
Also, the actions made by SpyCar are rather generic. Changing one’s default homepage in Internet Explorer is something lots of end-users do willingly and automatically by clicking on a link at their favorite homepage. The same applies to changing the default search page. These actions are not necessarily made by spyware or adware.
Creating a test to see if your antispyware product is working is not done by mimicking spyware-like activity. It might be possible if the appropriate actions are taken to get such tests accepted, as with the EICAR test file. Then there has to be an industry-wide consensus to detect these test files, there have to be strict definitions of these test files, etc. As long as this is not done, it is rather dangerous to rely on these test files. The test files may be incorporated within viruses or other malware. Those antispyware applications that do detect these tests inside the malicious files might announce the malicious file harmless when detecting the ‘recognized’ test.
To have these tests on a webpage is dangerous. The website may be hacked and the files might be replaced with harmful content. Granted, this may happen to the EICAR test file as well, but since the definition is strict and widely spread, and since the file consists of ASCII characters only, everyone can verify that the EICAR test file is legitimate.
As the test files of the SpyCar Project are all executables, these will also start to wander around the Internet and will be found at other ‘security’ websites. Of course there is no way to tell if these are the same and if they have not been infected with a virus.
The authors have realized this, as they have added the following disclaimer on the download page:
Intelguardians cannot be held responsible if these files and/or your anti-spyware tool in combination with these files cause any damage to your computer. You download and run these files at your own risk. Download and run these files only if you are sufficiently knowledgeable in the usage of your anti-spyware tool and operating system. Intelguardians cannot and will not provide any help to remove these files or the changes they cause from your computer. Please contact the manufacturer of your anti-spyware tool to seek such help.
Another downside of SpyCar is that it fully concentrates on Internet Explorer and does not cover other popular browsers such as Firefox and Opera. The EICAR test file is antivirus platform independent. The call for a test file for antispyware has been increasing lately. EICAR will change the description of the EICAR test file from an antivirus to an antimalware test file. The definition and the contents of the 68 byte file stay the same. This can not be changed without causing world-wide problems in the antivirus industry.
It seems that the authors of the SpyCar project are legitimate and sincere in their attempt. However, they did not really look at the potential problems that this may cause. Norman therefore likes to specifically point out that visiting the SpyCar project pages and trying the SpyCar tests are entirely your own responsibility. Norman does not and can not guarantee the proper functionality of the test files or the TowTruck cleanup utility.
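The point made above and earlier on this page, that the strict, ASCII-only, 68 byte definition lets anyone verify a copy of the EICAR test file before using it, can be turned into a small check. This is an added example, not code from Norman or from EICAR; it assumes the published definition (the canonical 68 characters, optionally followed by whitespace, at most 128 bytes in total) and rejects anything else, such as a copy with extra data appended.

```python
import string

# Length of the canonical EICAR test string in bytes.
EICAR_LENGTH = 68
# Per the EICAR definition, only whitespace may follow the 68 bytes,
# and the whole file must not exceed 128 bytes.
EICAR_MAX_LENGTH = 128
# The published, harmless EICAR test string (raw string: it contains a backslash).
EICAR_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def _is_printable_ascii(b: int) -> bool:
    """True for printable ASCII (0x20-0x7e) or an ASCII whitespace byte."""
    return 32 <= b < 127 or chr(b) in string.whitespace

def check_eicar(data: bytes) -> tuple[bool, str]:
    """Return (is_legitimate, reason) for a candidate EICAR test file.

    Accepts only a file that matches the strict definition; a copy that was
    tampered with (different bytes, appended code, a binary) is rejected.
    """
    if len(data) > EICAR_MAX_LENGTH:
        return False, f"file is {len(data)} bytes, limit is {EICAR_MAX_LENGTH}"
    if len(data) < EICAR_LENGTH:
        return False, "file is shorter than the 68-byte test string"
    # ASCII-only is what makes the file inspectable by eye in the first place.
    if not all(_is_printable_ascii(b) for b in data):
        return False, "file contains non-printable or non-ASCII bytes"
    if data[:EICAR_LENGTH] != EICAR_STRING.encode("ascii"):
        return False, "first 68 bytes differ from the canonical test string"
    tail = data[EICAR_LENGTH:]
    if not all(chr(b) in string.whitespace for b in tail):
        return False, "non-whitespace data follows the 68-byte test string"
    return True, "matches the EICAR definition"

def check_eicar_file(path: str) -> tuple[bool, str]:
    """Read a file from disk and check it against the EICAR definition."""
    with open(path, "rb") as fh:
        return check_eicar(fh.read())

if __name__ == "__main__":
    # Constructed samples: a clean copy with a CRLF, and two tampered copies.
    canonical = EICAR_STRING.encode("ascii")
    for label, sample in [
        ("canonical + CRLF", canonical + b"\r\n"),
        ("appended binary data", canonical + b"MZ\x90\x00"),
        ("padded past 128 bytes", canonical + b" " * 100),
    ]:
        print(label, "->", check_eicar(sample))
```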
As always Norman will closely monitor this project and the generated test files to see what happens in the future.