Endpoint Detection & Response - Testing Malware Detection

By Corey Willis

Malware detection testing using the EICAR test file

The EICAR (European Institute for Computer Anti-Virus Research) test file can be used to test Kandji EDR and confirm that it has been deployed correctly and is working properly. The EICAR test file is a non-malicious file that can be safely downloaded on any Mac. For more information on the Anti-Malware Test File, please visit EICAR's Anti-Malware Test File web page.

Before You Begin

  • Ensure that the Avert Library Item has been successfully applied to the device by confirming that a green dot is visible next to the Avert Library item located within the Status tab of a Device Record.

Option 1: Download and prep the EICAR test file using Terminal

  1. Open Terminal
  2. Run the following command to download the EICAR test file directly from EICAR onto your Desktop:
    curl "https://secure.eicar.org/eicar.com" -s -o ~/Desktop/eicar_test
  3. Run the following command to insert a shebang (no interpreter needed) on line 1 of the text file:
    sed -i '' '1s/^/#!\n/' ~/Desktop/eicar_test
  4. Run the following command to make the file executable:
    chmod +x ~/Desktop/eicar_test
The shebang (#!) added in step 3 is normally used to tell macOS which interpreter should run the commands that follow it in a script. For this test, no interpreter is needed, which is why nothing follows the #! on line 1.

Option 2: Manually build the EICAR test file

  1. Create a new empty text file using a text editor such as VS Code or Sublime Text.
  2. Copy and paste the following two lines into the text file:
    #!
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  3. Save the text file to the Desktop on your Mac and name it eicar_test.
  4. Open Terminal and run the following command to make the file executable:
    chmod +x ~/Desktop/eicar_test
The 68-character string in step 2 is the exact contents of EICAR's test file; detection depends on matching that string, so it must be copied without any changes.
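Both options above produce the same two-line executable file. The following script is an added example, not Kandji's own tooling: it builds that file offline from the EICAR string printed in Option 2, sets the executable bit as in step 4, and then verifies the result (executable, exactly two lines, a bare #! on line 1, and the untouched 68-byte string on line 2) before you go looking for the detection in the Threats module. The default output path is an assumption; pass ~/Desktop/eicar_test as the first argument to match the article.

```shell
#!/bin/sh
# Added example (not Kandji's code): build and verify the EICAR test file
# described in the article without a network connection.

# The 68-character EICAR string from the article. Single quotes keep the
# backslash and the dollar signs literal.
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# build_eicar_test <path>: write line 1 "#!" and line 2 the EICAR string,
# then add the executable bit (the step that triggers the EDR scan).
build_eicar_test() {
    path="$1"
    # %s prints the argument verbatim; no escape processing on the string.
    printf '#!\n%s\n' "$EICAR_STRING" > "$path"
    chmod +x "$path"
}

# verify_eicar_test <path>: return 0 only if the file matches what the
# article expects; print the first mismatch to stderr otherwise.
verify_eicar_test() {
    path="$1"
    [ -x "$path" ] || { echo "not executable: $path" >&2; return 1; }
    # wc -l counts newlines; both lines are newline-terminated. tr strips
    # the leading padding macOS wc prints.
    [ "$(wc -l < "$path" | tr -d ' ')" -eq 2 ] \
        || { echo "expected exactly 2 lines" >&2; return 1; }
    [ "$(sed -n '1p' "$path")" = '#!' ] \
        || { echo "line 1 is not a bare #! shebang" >&2; return 1; }
    line2="$(sed -n '2p' "$path")"
    [ "$line2" = "$EICAR_STRING" ] \
        || { echo "line 2 does not match the EICAR string" >&2; return 1; }
    [ "$(printf '%s' "$line2" | wc -c | tr -d ' ')" -eq 68 ] \
        || { echo "EICAR string is not 68 bytes" >&2; return 1; }
    return 0
}

# Example run. The article writes to ~/Desktop/eicar_test; pass that path as
# the first argument. The fallback below is an assumption for offline use.
TARGET="${1:-${TMPDIR:-/tmp}/eicar_test}"
mkdir -p "$(dirname "$TARGET")"
build_eicar_test "$TARGET"
if verify_eicar_test "$TARGET"; then
    echo "EICAR test file ready at $TARGET; check the Threats module for the result"
fi
```

Verification runs before you consult the console so that a failed detection can be attributed to the agent rather than to a mangled test file (an editor that adds a trailing space, a dropped backslash, or a missing chmod are the usual causes). In Protect mode expect the file to be quarantined within seconds of the chmod, so re-running the verifier afterwards will report it missing; that is the desired outcome.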

Expected Result

Malware posture mode in the Avert Library Item set to Detect mode

Kandji EDR will detect the EICAR test file and report it with a status of ‘Not quarantined’ in the Threats module located in the left-hand navigation bar and the Threats tab of a Device Record.

Malware posture mode in the Avert Library Item set to Protect mode

Kandji EDR will detect and automatically quarantine the EICAR test file within seconds of the executable bit being added to the file, and it will be reported with a status of ‘Quarantined’ in the Threats module located in the left-hand navigation bar and in the Threats tab of a Device Record.