← Back to Explore
sublimelowRule
Attachment: EICAR string present
This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities. For performance reasons, this rule is limited to attachments with "eicar" in the file name.
Detection Query
type.inbound
and any(attachments, strings.icontains(.file_name, "eicar"))
and any(attachments,
any(file.explode(.),
any(.scan.strings.strings,
strings.icontains(.,
'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
)
)
)
)
Author
ajpc500
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
EICAR
Raw Content
name: "Attachment: EICAR string present"
description: |
This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.
For performance reasons, this rule is limited to attachments with "eicar" in the file name.
references:
- "https://www.eicar.org/download-anti-malware-testfile/"
- "https://delivr.to/payloads?id=bd6f4ec2-ef6b-4bd0-b5c7-4a9532aba783"
type: "rule"
authors:
- twitter: "ajpc500"
severity: "low"
source: |
type.inbound
and any(attachments, strings.icontains(.file_name, "eicar"))
and any(attachments,
any(file.explode(.),
any(.scan.strings.strings,
strings.icontains(.,
'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
)
)
)
)
tags:
- "EICAR"
attack_types:
- "Malware/Ransomware"
detection_methods:
- "File analysis"
id: "592e2319-9e4f-5e3d-9b34-22259ddc3416"