
About Malware Detection Testing

The EICAR (European Institute for Computer Anti-Virus Research) test file can be used to test Iru Endpoint EDR and confirm that it has been deployed correctly and is working properly. The EICAR test file is a harmless file that can be safely downloaded onto any Mac: it contains no malicious code and is recognised by anti-malware engines purely by its published signature. For more information on the Anti-Malware Test File, see EICAR’s Anti-Malware Test File web page.

How It Works

Malware detection testing using the EICAR test file provides a safe and standardized method to validate that Iru Endpoint EDR is functioning correctly. The EICAR test file is specifically designed to trigger malware detection systems without posing any actual security risk, making it ideal for testing both Detect and Protect posture modes.

Prerequisites

  • EDR Library Item Deployment: Ensure that the EDR Library Item has been successfully applied to the device by confirming that a green dot is visible next to the EDR Library Item located within the Status tab of a Device Record

Option 1: Download EICAR Test File Using Terminal

1. Open Terminal.
2. Run the following command to download the EICAR test file directly from EICAR onto your Desktop:
curl -fsS "https://secure.eicar.org/eicar.com" -o ~/Desktop/eicar_test
The -f flag makes curl exit with an error instead of silently saving an HTTP error page under the test file's name, and -S still prints that error when output is otherwise silent. If the command fails, check whether a web proxy or content filter on the network is blocking the download before suspecting the EDR agent.

Option 2: Manually Build the EICAR Test File

1. Create a new empty text file using a plain-text editor such as VS Code or Sublime Text (not a rich-text editor, which would add formatting to the file).
2. Copy and paste the following two lines into the text file:
#!
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
3. Save the text file to the Desktop on your Mac and name the file eicar_test.
The 68-character string on the second line of step 2 is the string in EICAR’s test file. EICAR defines its test file as exactly those 68 bytes at the start of the file, so the “#!” line and any trailing newline your editor adds mean the saved file is not byte-identical to EICAR’s own file; engines that match the string anywhere in a file, which is the common behaviour, will still detect it.

Expected Results

Detect Mode Configuration

Iru Endpoint EDR will detect the EICAR test file and report it with a status of ‘Not quarantined’ in the Threats module (left-hand navigation bar) and in the Threats tab of the Device Record. The file itself is left in place on disk.

Protect Mode Configuration

Iru Endpoint EDR will detect and automatically quarantine the EICAR test file within seconds of the executable bit being added to the file, and will report it with a status of ‘Quarantined’ in the Threats module (left-hand navigation bar) and in the Threats tab of the Device Record. Note that neither Option 1 nor Option 2 sets the executable bit: set it on the file after creating it, then expect quarantine to follow within seconds.

Considerations

  • Safe Testing: The EICAR test file is harmless by design. It is a small, legitimate DOS program that only prints its own name when run, and anti-malware engines detect it because they have agreed to treat its exact string as a test signature, not because it does anything harmful
  • Posture Mode Testing: Test both Detect and Protect modes to confirm the configuration and behaviour of your EDR Library Item settings; the two modes should differ only in whether the file is quarantined
  • Detection Timing: In Protect mode, quarantine should occur within seconds of the file becoming executable, which demonstrates real-time protection. Set the executable bit yourself as the last step of the test so the timing you observe starts from a known point
  • Status Verification: Verify the threat status in both the main Threats module and the individual Device Record to confirm that detection and reporting agree
  • Regular Testing: Incorporate EICAR testing into your regular security validation procedures, and repeat it after agent upgrades or posture mode changes, to ensure ongoing EDR functionality
  • Intended Positive: An EICAR detection is a deliberate, signature-matched true positive rather than a false positive. It exercises the detection, quarantine and reporting path without real malware, but it does not test heuristic or behavioural detection of anything else
  • Documentation: Keep records of your EICAR testing results (device, date, posture mode, reported status) as part of your security compliance and audit documentation
  • Team Training: Use EICAR testing as a training tool to help security teams walk through the threat detection and response workflow end to end
  • Integration Validation: Ensure that EICAR detections flow through to your existing security workflows and notification systems, since an alert that is visible in the console but never reaches the team is not a working detection
  • Baseline Establishment: Use successful EICAR testing to establish a baseline for your EDR deployment before implementing additional security measures