How to test threat detection using EICAR test file via HTTP
76058
Created On 08/25/20 02:34 AM - Last Modified 08/13/24 19:20 PM
Symptom
Eicar.org used to provide the following HTTP links to download the Eicar test file.
http://2016.eicar.org/download/eicar.com
http://www.eicar.org/download/eicar.com
Some customers kept these links and still use them to download the file. When the Eicar test file is downloaded through the HTTP links above, the firewall does not detect it with either "Eicar File Detected(39040)" (Type: vulnerability) or "Eicar Test File(100000)" (Type: vulnerability).
This started happening around the middle of July 2020.
Cause
A change was made on Eicar.org around the middle of July 2020.
[Screenshot of the portal site (https://www.eicar.org/?page_id=3950), taken on Aug 25 2020]
Eicar.org changed the behavior to redirect all 'http' requests to 'https'. (It may change again in the future.)
This can be confirmed by running a curl command or by looking at a packet capture.
$ curl http://2016.eicar.org/download/eicar.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.eicar.org/download/eicar.com">here</a>.</p>
</body></html>
Resolution
Since the traffic is redirected to https, SSL decryption is necessary to detect the Eicar test file on the firewall.
As a workaround, use your own server. For example, if you already have a web server (Apache, Nginx, etc.), place the Eicar test file on it and download it through the firewall over http.
If you do not have a server to use but have a PC that runs Python, Python's built-in simple web server can be used.
Python2:
$ sudo python -m SimpleHTTPServer 80
Python3:
$ sudo python -m http.server 80
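The following is an added example, not part of this article: a small Python stdlib server that serves the EICAR test file over plain HTTP (no https redirect), plus a probe that fetches a URL without following redirects so you can confirm whether the file actually crosses the firewall in clear text or is diverted by a 301. The path /download/eicar.com and port 8080 are assumptions chosen here.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Standard 68-byte EICAR string, built from two halves so this source file
# itself is not flagged by a scanner that reads it from disk.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}"
         + "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

class EicarHandler(http.server.BaseHTTPRequestHandler):
    """Answer GET /download/eicar.com with the test file over plain HTTP."""

    def do_GET(self):
        if self.path != "/download/eicar.com":
            self.send_error(404)
            return
        self.send_response(200)  # no 301 to https: the firewall sees clear text
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(EICAR)))
        self.end_headers()
        self.wfile.write(EICAR)

def start_server(host="127.0.0.1", port=0):
    """Serve in a daemon thread (port 0 = any free port); returns (server, url)."""
    srv = http.server.ThreadingHTTPServer((host, port), EicarHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://{host}:{srv.server_address[1]}/download/eicar.com"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # raise HTTPError on 301/302 instead of following it

def probe(url):
    """Fetch url without following redirects; report status, Location header
    and whether the body carries the EICAR string (what the firewall would see)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return {"status": resp.status, "location": None,
                    "eicar": resp.read().startswith(EICAR)}
    except urllib.error.HTTPError as err:
        return {"status": err.code, "location": err.headers.get("Location"),
                "eicar": False}

if __name__ == "__main__":
    # Stand-alone: listen on all interfaces so a client behind the firewall
    # can fetch http://<this host>:8080/download/eicar.com (port 80 needs root)
    http.server.ThreadingHTTPServer(("0.0.0.0", 8080), EicarHandler).serve_forever()
```

Pointing probe() at http://2016.eicar.org/download/eicar.com reproduces the symptom above (as of the article's capture): status 301 with Location https://www.eicar.org/download/eicar.com and no EICAR bytes in clear text, whereas against your own server it returns status 200 with the test string.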