Is Linux AV detection fubar?

CaffeineAddict

I wrote a 'malware' test program that every AV out there should be able to detect as malicious.
The reason is that the executable contains the EICAR string, a string that every AV out there has recognized as malware since the string was invented.

Here is the sample program, written in assembly:
Assembly (NASM):
; eicar.asm
; test malware

; C library
extern printf

global main

section .data
NULL    equ 0
NL      equ 10
SUCCESS equ 0
msg   db "Eicar string is: %s", NL, NULL
; The 68-byte EICAR test string. NASM does not process backslash escapes in
; double-quoted strings, so the "\P" is stored literally, as the spec requires.
eicar db "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", NULL

section .text
main:
    push rbp                ; frame pointer; also realigns rsp to 16 bytes for the call
    mov rbp, rsp

    mov rdi, msg            ; 1st arg: format string (absolute address, hence -no-pie)
    mov rsi, eicar          ; 2nd arg: the test string
    xor rax, rax            ; AL = 0: no vector registers used in this variadic call
    call printf

    mov rax, SUCCESS        ; return 0 to the caller

    mov rsp, rbp
    pop rbp
    ret

It's totally unbelievable that the assembled file wasn't recognized as malware; here are the AV scan results from VirusTotal:

Just in case somebody claims that VT is for Windows executables, I also scanned the file locally using ClamAV, and it also failed to detect it:
Bash:
user@debian:~/share$ clamscan ./eicar
Loading:    11s, ETA:   0s [========================>]    3.63M/3.63M sigs  
Compiling:   3s, ETA:   0s [========================>]       41/41 tasks

/home/user/share/eicar: OK

----------- SCAN SUMMARY -----------
Known viruses: 3627867
Engine version: 1.4.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.02 MB (ratio 1.00:1)
Time: 15.118 sec (0 m 15 s)
Start Date: 2026:06:09 12:27:11
End Date:   2026:06:09 12:27:26

Can you believe that? Only 1 AV detected it.

In case you want to test it yourself, save the code as "eicar.asm" and assemble with:
Bash:
nasm ./eicar.asm -g -F dwarf -X gnu -f elf64

Then link with:
Bash:
g++ -no-pie ./eicar.o -o eicar.run

You can run it with ./eicar.run to test real-time AV, or upload the file to a malware scanning website.
 


I don't think it's a good idea to give malcontents, and their "clients" such as the software you mention, more ideas for "purposeful omissions", which are treated as opportunities to profit or to cause damage.
 
I don't think it's a good idea to give malcontents, and their "clients" such as the software you mention, more ideas for "purposeful omissions", which are treated as opportunities to profit or to cause damage.
I tend to agree.

I've also seen well-intentioned folks "suggest" or playfully type r m - r (root), for example. You never know what will happen when some innocent person tries that. The result could be a disaster, or a lawsuit.

There should be a forum rule against that sort of thing.
 
I don't think it's a good idea to give malcontents, and their "clients" such as the software you mention, more ideas for "purposeful omissions", which are treated as opportunities to profit or to cause damage.
Well, the EICAR test is a long-running industry specification that was specifically designed to safely test the functionality of AV software without taking risks. The test is distributed and referenced by AV manufacturers for their users, who are admins testing the functionality of the AV scanners they deploy. It's the one safe way to show that AV software is working (e.g. that it really is scanning mail attachments, etc.).

That's why the specs are so tight: they don't allow for malware "disguising" itself as the test file, or for testing "heuristics" and all sorts of new-age snake-oil functionality. And the assembly @CaffeineAddict wrote did not do anything bad. Hence, no reason for an alert. What the results showed is that the software (bar one goal:) categorized it right.
 
Such a long list of "undetected" as @CaffeineAddict linked to makes me want to know why it's happening.

Perhaps I'm over thinking but a thief only needs 2 things.
Something to steal and the opportunity to take it.
 
This is from Brave AI

The EICAR test file is not useless, but its utility is often misunderstood because it serves a specific, limited purpose: verifying that antivirus software is installed and active, not that it is effective against real threats.

Correct Use Cases

  • Installation Verification: It confirms that an AV solution is running and configured to detect a known standard string.
  • Safe Testing: It allows users to test AV behavior (e.g., quarantine actions, notifications) without risking real malware exposure.
  • Configuration Checks: It can validate specific settings, such as nested compression scanning levels or email gateway integrations.
Limitations

  • Not an Efficacy Test: It does not measure how well an antivirus detects new or complex malware.
  • No Currency Check: It does not verify if virus definition databases are up-to-date.
  • False Sense of Security: Detection of EICAR does not guarantee protection against actual viruses, as it is a static, well-known string included in almost all modern AV signature files.
In summary, EICAR is a valid installation check but an invalid measure of overall antivirus performance or security posture.
 
Thanks for the clarification.
 
Such a long list of "undetected" as @CaffeineAddict linked to makes me want to know why it's happening.
According to the Wikipedia article @Trml posted:
According to EICAR's specification the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long. As a result, antiviruses are not expected to raise an alarm on some other document containing the test string.
This means that AVs are not required to detect it somewhere inside an executable.
The string is supposed to be the whole executable, not used as a payload.
 
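An added example (not code from this thread, from eicar.org or from ClamAV) that puts the spec quoted above next to the OP's experiment. It builds four constructed samples in memory: two that meet the EICAR rules (the 68-byte string at offset 0, optionally followed by whitespace, total length at most 128 bytes) and two that merely embed the string inside a larger file, which is what the OP's assembled ELF does. `is_eicar_test_file` applies those rules, and when run as a script it writes the samples to a temporary directory and hands them to clamscan if it is installed. The whitespace set and the 128-byte limit are taken from the EICAR spec; the parsing of clamscan's per-file "FOUND"/"OK" lines is my assumption about its default output format, and the "binary_like" blob is a constructed stand-in for the OP's ELF, not a valid executable.

```python
#!/usr/bin/env python3
"""Check files against the EICAR spec and (optionally) feed them to clamscan.

Added example for this thread; not from eicar.org or ClamAV.
"""
import os
import shutil
import subprocess
import tempfile

# The published 68-byte EICAR test string. The backslash is doubled only
# because this is a Python bytes literal; the file contains a single "\".
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
assert len(EICAR) == 68

# From the spec: the string may be followed only by these whitespace bytes
# (space, tab, LF, CR, CTRL-Z) and the whole file may not exceed 128 bytes.
MAX_LEN = 128
TRAILING_OK = frozenset(b" \t\r\n\x1a")


def is_eicar_test_file(data: bytes) -> bool:
    """True only for files a scanner is *required* to flag under the spec."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in TRAILING_OK for b in data[len(EICAR):])


def build_samples() -> dict:
    """Constructed samples (not real files from the thread).

    The first two meet the spec; the last two only contain the string,
    which is what the OP's assembled ELF does, so the spec does not require
    a detection for them.
    """
    # Mimics the OP's layout: a binary header, a format string, then the
    # EICAR string somewhere in the middle of a larger file. Not a valid ELF.
    binary_like = (b"\x7fELF" + b"\0" * 60
                   + b"Eicar string is: %s\n\0" + EICAR + b"\0" + b"\0" * 200)
    return {
        "eicar.com": EICAR,
        "eicar_trailing.txt": EICAR + b"\r\n",
        "eicar_in_document.txt": b"The test string is " + EICAR + b"\n",
        "eicar_in_binary.bin": binary_like,
    }


def write_samples(directory: str) -> list:
    """Write the samples into `directory`; returns the paths in build order."""
    paths = []
    for name, data in build_samples().items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def scan_with_clamscan(paths: list) -> dict:
    """Map each path to 'FOUND', 'OK', or None when clamscan is not installed.

    Assumption: clamscan prints one "<path>: <signature> FOUND" or
    "<path>: OK" line per file and exits 1 when something was found
    (exit 2 signals an error).
    """
    exe = shutil.which("clamscan")
    if exe is None:
        return {p: None for p in paths}
    proc = subprocess.run([exe, "--no-summary", *paths],
                          capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(proc.stderr.strip() or "clamscan failed")
    verdicts = {p: "OK" for p in paths}
    for line in proc.stdout.splitlines():
        path, _, rest = line.partition(": ")
        if path in verdicts and rest.endswith(" FOUND"):
            verdicts[path] = "FOUND"
    return verdicts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_samples(tmp)
        verdicts = scan_with_clamscan(paths)
        for path in paths:
            with open(path, "rb") as fh:
                required = is_eicar_test_file(fh.read())
            print(f"{os.path.basename(path):24} spec requires detection: "
                  f"{str(required):5}  clamscan: {verdicts[path]}")
```

Run on a box with ClamAV installed, the two spec-conforming files should come back FOUND, while a scanner that reports OK for the other two is still within the spec; that is the gap between what the OP expected and what the Wikipedia quote describes. The single VirusTotal hit shows that some engines do match the string anywhere in a file, but that is extra behaviour, not something the EICAR specification asks for.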
The problem with AV is that if the definitions don't exist, or do but can't detect a specific trigger, then the AV might as well not exist. AV is a reactionary response to a threat.

I prefer to be proactive whenever possible (not always possible though, as with the recent AUR poisoning issue) - safe browsing, avoiding untrustworthy domains, not installing random software from random sources, etc. basic stuff.

Personally I've never really trusted AV solutions, and, since dropping winOS, I've never even tried to look at Linux-based AV solutions. I'm not an Enterprise level/business user (lol, at home; I totally am at work) so AV isn't something I think about.
 
Since this string doesn't work the way I need it, maybe someone knows of an alternative that can be used to test AV?
The EICAR test file is at least available as a .com file to download (.com, .zip, .txt): https://www.eicar.org/download-anti-malware-testfile/

It's no news that exe files have a header that makes them incompatible with the spec, but .com files are executable as well. I'm not aware of another method.
 