The rule detects the presence of the EICAR test file, a standard harmless string used to verify that antivirus detection is working, and therefore signals that someone is testing defenses or generating false positives. SOC teams should proactively hunt for this behavior to identify and mitigate potential false positives or early-stage adversary testing within their Azure Sentinel environment.
YARA Rule
rule eicar
{
    meta:
        description = "Rule to detect Eicar pattern"
        author = "Marc Rivero | @seifreed"
        hash1 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
    strings:
        $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($s1) in its detection logic, and the condition requires it to match as a full word in ASCII.
Scenario: Eicar test file used for malware testing
Filter/Exclusion: Exclude files with the string "Eicar" in their filename or content if they are known test files (e.g., Eicar.com, EicarTest.exe) used by tools like Malwarebytes, Kaspersky, or Bitdefender for validation purposes.
Scenario: Scheduled system integrity check or disk cleanup job
Filter/Exclusion: Exclude processes associated with Windows Defender, Sysinternals tools (e.g., sfc.exe, dism.exe), or PowerShell scripts running during scheduled maintenance tasks that may temporarily generate Eicar-like patterns.
Scenario: Internal tool or script using Eicar pattern for testing
Filter/Exclusion: Exclude traffic or processes from internal development tools like Postman, curl, or Python scripts that intentionally use the Eicar test string for unit testing or validation of malware detection systems.
Scenario: Log file parsing or data processing tool generating Eicar-like content
Filter/Exclusion: Exclude logs generated by ELK Stack, Splunk, or Logstash when parsing or processing files that may contain the Eicar test string as part of their data format or encoding.
Scenario: Admin task using Eicar pattern for educational purposes
Filter/Exclusion: Exclude processes initiated by Windows Admin Center, PowerShell ISE, or Command Prompt when administrators manually test malware detection rules using the Eicar test file.
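As an added example (not part of the original rule or the page's own tooling), the following Python emulates the $s1 "fullword ascii" match of the rule above and applies the first scenario's filename-based exclusion as a post-filter, so a SOC analyst can see which samples alert, which are suppressed, and why the fullword modifier drops strings glued to alphanumeric text. The KNOWN_TEST_FILENAMES set and the triage() verdict strings are assumptions chosen for this example.

```python
# The $s1 literal from the page's YARA rule. In YARA source "\\" is one backslash,
# so the bytes below are the exact string the rule searches for.
EICAR_S1 = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption for this example: filenames the first tuning scenario treats as known
# test artifacts (compared case-insensitively against the basename).
KNOWN_TEST_FILENAMES = {"eicar.com", "eicartest.exe"}


def yara_fullword_match(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's 'fullword' modifier: the needle must not be bordered on
    either side by an ASCII alphanumeric byte. Every occurrence is checked,
    because a later occurrence may satisfy the border rule when an earlier
    one does not."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        before_ok = i == 0 or not bytes([data[i - 1]]).isalnum()
        after_ok = end == len(data) or not bytes([data[end]]).isalnum()
        if before_ok and after_ok:
            return True
        start = i + 1


def triage(filename: str, content: bytes) -> str:
    """Apply the rule, then the scenario-1 exclusion. Returns one of
    'no match', 'suppressed: known test file', or 'alert'."""
    if not yara_fullword_match(content, EICAR_S1):
        return "no match"
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename in KNOWN_TEST_FILENAMES:
        return "suppressed: known test file"
    return "alert"


if __name__ == "__main__":
    # Constructed sample inputs, not real captures.
    samples = [
        ("C:/Tests/eicar.com", EICAR_S1 + b"\n"),                  # known test file
        ("invoice.exe", b"junk\x00" + EICAR_S1 + b"\r\n"),         # unexpected location
        ("notes.txt", b"prefix" + EICAR_S1 + b"abc"),              # fullword border fails
        ("report.log", b"nothing suspicious here"),
    ]
    for name, data in samples:
        print(f"{name:22} -> {triage(name, data)}")
```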