I copied that string to a Notepad doc, saved it to the desktop and opened it. Webroot detected the file as Malware, quarantined the file, ran a 2nd scan all clean and alerted via email. All good so I thought.
The next day though I was alerted again that the system I tested on encountered an threat and the threat reported was the same eicar.txt file.
Download Eicar.txt
The eicar.txt file is in quarantine still. In I manually run a scan on the system it does not detect anything. Yet, I still am getting these emails sent out and the console is reporting that the system is still infected - when it isn't.
In reading the McAfee doc, they were saying the their software would not report that it had cleaned the test file because there actually is no infection. I think the same kind of thing is happening here with Webroot where it detected the eicar.txt file, quarantined the file but could not clean and so the console still things the machine is infected.
Today Webroot is still reporting the system is infected with that eicar.txt file - which now no longer exists in quarantine. The file no longer exists anywhere and yet Webroot still thinks the system is infected with the original eicar.txt test.
Likewise it should be possible to embed eicar.txt inside a PDF however detection again would not mean the av is scanning for JavaScript exploitation, just that the plain text signature is seen in a PDF file, thus only hints that a PDF is scanned.
I stored an eicar.txt file on the samba share (Windows 2080 R2 Server) and tried to copy it to my mac and it was copied without issues. Server and my test mac are connected using IPSec through two FGs, both ends have AV scanning on. Why wasn't the test file caught?
de7ca951e2