Linux AV detection is fubar

CaffeineAddict

I wrote a 'malware' test program that every AV out there should be able to detect as malicious.
The reason for that is that the executable contains an EICAR string, which is a string that every AV out there has recognized as malware since the invention of the string.

Here is a sample program written in assembly:
NASM:
; eicar.asm
; test malware

; C library
extern printf

global main

section .data
NULL equ 0
NL equ 10
SUCCESS equ 0
msg db "Eicar string is: %s", NL, NULL
; NASM does not treat backslash as an escape inside double quotes,
; so the "\P" in the EICAR string is stored literally
eicar db "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", NULL

section .text
main:
    push rbp            ; set up a frame; this also leaves rsp 16-byte aligned for the call
    mov rbp, rsp

    mov rdi, msg        ; 1st argument: format string (absolute address, hence -no-pie at link time)
    mov rsi, eicar      ; 2nd argument: the string to print
    xor rax, rax        ; variadic call: al = number of vector registers used (0)
    call printf

    mov rax, SUCCESS    ; return value of main

    mov rsp, rbp
    pop rbp
    ret

It's totally unbelievable that the assembled file wasn't recognized as malware. Here are the AV scan results from VirusTotal:

Just in case somebody claims that VT is for Windows executables, I also scanned the file locally using ClamAV, and it also failed to detect it:
Bash:
user@debian:~/share$ clamscan ./eicar
Loading:    11s, ETA:   0s [========================>]    3.63M/3.63M sigs   
Compiling:   3s, ETA:   0s [========================>]       41/41 tasks

/home/user/share/eicar: OK

----------- SCAN SUMMARY -----------
Known viruses: 3627867
Engine version: 1.4.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.02 MB (ratio 1.00:1)
Time: 15.118 sec (0 m 15 s)
Start Date: 2026:06:09 12:27:11
End Date:   2026:06:09 12:27:26

Can you believe that? Only 1 AV detected it.

In case you want to test it yourself, save the code as "eicar.asm" and assemble with:
Bash:
nasm ./eicar.asm -g -F dwarf -X gnu -f elf64

Then link with:
Bash:
g++ -no-pie ./eicar.o -o eicar.run

You can run it with ./eicar.run to test real-time AV, or upload the file to a malware scan website.
I don't think it's a good idea to give malcontents, and their "clients" such as the software you mention, more ideas for "purposeful omissions," which are treated as opportunities to profit or to cause damage.
 
I don't think it's a good idea to give malcontents, and their "clients" such as the software you mention, more ideas for "purposeful omissions," which are treated as opportunities to profit or to cause damage.
I tend to agree.

I've also seen well-intentioned folks "suggest" or playfully type r m - r (root), for example. You never know what will happen when some innocent person tries that. The result could be a disaster, or a lawsuit.

There should be a forum rule against that sort of thing.
 
I don't think it's a good idea to give malcontents, and their "clients" such as the software you mention, more ideas for "purposeful omissions," which are treated as opportunities to profit or to cause damage.
Well, the EICAR test is a long-running industry specification that was specifically designed to safely test the functionality of AV software without taking risks. The test is distributed and referenced by AV manufacturers for users, who are admins testing the functionality of the AV scanners they deploy. It's the one safe way to show that AV software is working (e.g. that it really is scanning mail attachments, etc.).

That's why the specs are so tight: they don't allow for malware "disguising" itself as the test file, or for testing "heuristics" and all sorts of new-age snake-oil functionality. And the assembly @CaffeineAddict wrote did not do anything bad. Hence, no reason for an alert. What the results showed is that the software (bar one, goal:) categorized it right.
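Editor's added example, not code from any poster in this thread, from ClamAV, or from EICAR: the convention referred to above requires the 68-character string to be the very first bytes of the file, optionally followed only by whitespace (space, tab, LF, CR, Ctrl-Z), with the whole file no longer than 128 bytes. The script below writes a conformant test file for checking an on-access scanner, and checks an arbitrary blob against those rules. The constructed "embedded_in_binary" sample stands in for the ELF from the first post: the string is present in the middle of the file, so a conformant scanner reports OK, exactly as ClamAV did.

```python
"""
Added example: build a spec-conformant EICAR test file and check whether
an arbitrary file qualifies as one. Rules (from the EICAR convention):
  * the 68-byte string must be at offset 0,
  * only the whitespace bytes below may follow it,
  * the whole file is at most 128 bytes.
"""
import os
import tempfile

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
assert len(EICAR) == 68

# Whitespace the convention permits after the string: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128


def is_eicar_test_file(data: bytes) -> tuple:
    """Return (conformant, reason) for a file's raw contents."""
    if len(data) > MAX_LEN:
        return False, f"file is {len(data)} bytes, spec allows at most {MAX_LEN}"
    if not data.startswith(EICAR):
        return False, "file does not begin with the EICAR string"
    trailer = data[len(EICAR):]
    if any(b not in ALLOWED_TRAILER for b in trailer):
        return False, "bytes after the string are not permitted whitespace"
    return True, "conformant EICAR test file"


def locate_embedded_eicar(data: bytes) -> int:
    """Offset of the EICAR string anywhere in the data, or -1 if absent.

    A string found at a non-zero offset (as in the .data section of an
    ELF binary) does not make the file an EICAR test file.
    """
    return data.find(EICAR)


def write_eicar_file(path: str) -> None:
    """Write the canonical 68-byte test file, e.g. to exercise an on-access scanner."""
    with open(path, "wb") as fh:
        fh.write(EICAR)


if __name__ == "__main__":
    # Constructed inputs: a canonical file, one with a permitted trailer,
    # one that is too long, and a stand-in for a binary with the string inside.
    samples = {
        "canonical": EICAR,
        "with_newline": EICAR + b"\n",
        "too_long": EICAR + b" " * 61,
        "embedded_in_binary": b"\x7fELF" + b"\x00" * 60 + EICAR + b"\x00" * 8,
    }
    for name, blob in samples.items():
        ok, why = is_eicar_test_file(blob)
        verdict = "DETECTABLE" if ok else "not a test file"
        print(f"{name:20s} {verdict:16s} {why} (string at offset {locate_embedded_eicar(blob)})")

    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "eicar.com")
        write_eicar_file(p)
        with open(p, "rb") as fh:
            print("written file conformant:", is_eicar_test_file(fh.read())[0])
```

Running the script on a host with an on-access scanner should produce an alert on the temporary eicar.com, and nothing for the other samples, which only live in memory; that difference is the point of the thread's last reply.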
Follow Linux.org