CaffeineAddict
Well-Known Member
I wrote a 'malware' test program that every AV out there should be able to detect as malicious.
The reason for that is that the executable contains an EICAR string, which is a string that every AV out there recognizes as malware since the invention of the string.
Here is the sample program written in assembly:
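C-like:
; eicar.asm
; test malware

; C library
extern printf

NULL    equ 0
NL      equ 10
SUCCESS equ 0

global main

section .data
    msg   db "Eicar string is: %s", NL, NULL
    eicar db "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", NULL

section .text
main:
    push rbp                ; save frame pointer (also 16-byte aligns the stack)
    mov  rbp, rsp
    mov  rdi, msg           ; 1st argument: format string
    mov  rsi, eicar         ; 2nd argument: the EICAR string
    xor  rax, rax           ; AL = 0: no vector registers used by the variadic call
    call printf
    mov  rax, SUCCESS       ; return value of main
    mov  rsp, rbp
    pop  rbp
    ret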
It's totally unbelievable that the assembled file wasn't recognized as malware. Here are the AV scan results from VirusTotal:
Just in case somebody claims that VT is for Windows executables, I also scanned the file locally using ClamAV and it also failed to detect it:
Bash:
user@debian:~/share$ clamscan ./eicar
Loading: 11s, ETA: 0s [========================>] 3.63M/3.63M sigs
Compiling: 3s, ETA: 0s [========================>] 41/41 tasks
/home/user/share/eicar: OK
----------- SCAN SUMMARY -----------
Known viruses: 3627867
Engine version: 1.4.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.02 MB (ratio 1.00:1)
Time: 15.118 sec (0 m 15 s)
Start Date: 2026:06:09 12:27:11
End Date: 2026:06:09 12:27:26
Can you believe that? Only 1 AV detected it.
In case you want to test it yourself, save the code as "eicar.asm" and assemble with:
Bash:
nasm ./eicar.asm -g -F dwarf -X gnu -f elf64
Then link with:
Bash:
g++ -no-pie ./eicar.o -o eicar.run
You can run it with ./eicar.run to test real-time AV, or upload the file to a malware scan website.
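As an added example (not part of the original post): EICAR's definition of the test file only covers a file that starts with the 68-character string, optionally followed by whitespace, with a total length of at most 128 bytes, so a scanner is not obliged to flag the string when it sits inside a larger binary. The Python sketch below checks a file against that rule; the function and sample names are hypothetical and the sample bytes are constructed.

```python
import sys

# The 68-byte test string as it appears in the post (raw literal keeps the backslash).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = b" \t\n\r\x1a"   # space, tab, LF, CR, Ctrl-Z
MAX_TOTAL_LEN = 128                 # upper bound on the whole test file


def classify(data: bytes) -> tuple[str, int]:
    """Return (verdict, offset of the EICAR string, or -1 if not found).

    conformant    : file starts with the string, only whitespace follows,
                    total length <= 128 bytes
    nonconformant : the string is present, but the file is not a valid test
                    file (embedded in other data, extra bytes, or too long)
    absent        : the string does not occur at all
    """
    offset = data.find(EICAR)
    if offset < 0:
        return ("absent", -1)
    tail = data[len(EICAR):]
    if (offset == 0 and len(data) <= MAX_TOTAL_LEN
            and all(b in ALLOWED_TRAILING for b in tail)):
        return ("conformant", 0)
    return ("nonconformant", offset)


# Constructed samples (not real scan inputs).
SAMPLE_TEST_FILE = EICAR + b"\r\n"
# ELF magic, padding, then a .data-like region laid out as in eicar.asm.
SAMPLE_EMBEDDED = (b"\x7fELF" + bytes(60)
                   + b"Eicar string is: %s\n\x00" + EICAR + b"\x00")

if __name__ == "__main__":
    # Usage: python eicar_check.py FILE [FILE ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict, off = classify(fh.read())
        print(f"{path}: {verdict} (offset {off})")
```
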

