POLICY-OTHER eicar test string download attempt

This alert is triggered when detecting an attempt to download or transfer the EICAR test file. The EICAR test string is used to test the responsiveness of computer antivirus programs. It poses no security risk but triggers antivirus software in the same manner as a real virus. This alert may be triggered when an adversary is attempting to test the effectiveness or presence of an antivirus solution on a system by trying to download or transfer the EICAR test string.

ID Number

37732

Signature

alert tcp any any -> any any (msg:"POLICY-OTHER eicar test string download attempt"; flow:established; file_data; content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:37732; rev:4;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

It is recommended to verify whether this activity was a legitimate test performed by an authorized individual or team within your organization. If not, this could indicate suspicious activity, and the source of this traffic should be further investigated.