Can I change the EICAR string file?
Is it possible to change the string of an EICAR file and still detect it?
Eicar.org defines the 68-byte string as the detectable "virus":
Any anti-virus product that supports the EICAR string test file should
detect it in any file providing that the file starts with the
following 68 characters, and is exactly 68 bytes long:
X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The first 68 characters are the known string.
They do allow for limited expansion of the file:
It may be optionally appended by any combination of whitespace
characters with the total file length not exceeding 128 characters.
The only whitespace characters allowed are the space character,
tab, LF, CR, CTRL-Z.
But it's fair to say that any modification of the initial 68 bytes used in the definition will harm recognition of the file by antivirus vendors. I suppose it's possible that some vendors may match a subset of that 68 bytes, but it's not likely.
Any anti-virus product that supports the EICAR string test file should
detect it in any file providing that the file starts with the
following 68 characters, and is exactly 68 bytes long:
X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The first 68 characters are the known string.
They do allow for limited expansion of the file:
It may be optionally appended by any combination of whitespace
characters with the total file length not exceeding 128 characters.
The only whitespace characters allowed are the space character,
tab, LF, CR, CTRL-Z.
But it's fair to say that any modification of the initial 68 bytes used in the definition will harm recognition of the file by antivirus vendors. I suppose it's possible that some vendors may match a subset of that 68 bytes, but it's not likely.