What is the EICAR Test File?

If you've just integrated malware scanning into your app, you need a way to test it. But uploading actual malware to verify things work isn't exactly ideal. That's the problem the EICAR test file solves.

EICAR stands for the European Institute for Computer Antivirus Research. Back in the early days of antivirus software, they worked with vendors to create a standardised test file — a harmless file that every antivirus engine agrees to detect as malicious. It gives you a safe way to confirm that your scanning pipeline is working end to end.

What's in the file?

The EICAR file is a valid DOS executable (a .com file). When run on Windows, it simply prints EICAR-STANDARD-ANTIVIRUS-TEST-FILE! and exits. That's it — nothing harmful.

The file contents are a single line of printable ASCII characters:

Because it's plain text, you could type it out yourself if you wanted to. The important thing is that antivirus engines worldwide recognise this specific string and flag it as a detection, making it the standard way to test that scanning is working.

Why it matters for your integration

A lot of our customers come to us after a pen test where one of the checks was "Test Upload of Malicious Files" — listed in the OWASP security testing guide. The tester uploaded a file, the app accepted it without flagging anything, and the check failed.

If that sounds familiar, our guide on how to scan user uploads for malware covers the full integration — from choosing between sync and async scanning to deciding where files should land.

The EICAR file is the simplest way to verify your scanning integration works. Upload it through your app the same way a user would upload a file, and confirm that it gets caught.

Testing with AttachmentScanner

We host a copy of the EICAR file at https://www.attachmentscanner.com/eicar.com so you can test without having to create the file yourself.

To scan it via the API, just pass the URL:

curl -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{"url": "https://www.attachmentscanner.com/eicar.com"}' \
  -H "Content-Type: application/json" \
  -XPOST https://YOUR_API_URL/v1.0/scans

You'll get back a response like this:

{
  "status": "found",
  "url": "https://www.attachmentscanner.com/eicar.com",
  "filename": "eicar.com",
  "content_length": 70,
  "matches": [
    "Eicar-Test-File-Signature"
  ]
}

A status of found means the file was detected — exactly what you want to see. If you get ok instead, something in your integration isn't wired up correctly.

The EICAR string should also be detected inside compressed or archived files (ZIP, GZIP, etc.) and even when embedded in other content that our scanning engines can read. This makes it useful for testing that your integration handles nested files correctly too.

What EICAR doesn't test

It's worth noting that EICAR is a signature-based detection test. It confirms your scanning pipeline is connected and working, but it doesn't tell you much about detection quality. Every engine detects EICAR — that's the point. Real-world malware detection depends on the engines themselves, which is why AttachmentScanner uses multiple commercial-grade engines rather than relying on any single one.

Think of EICAR as a smoke test for your integration, not a benchmark for your security.

Next steps

If you're setting up scanning for the first time, our getting started guide walks through the full integration. You can also test things out using our Postman collection if you prefer a visual tool.

If you've got questions, get in touch — we're always happy to help.