EICAR Is Just the Beginning — Test What Your AV Actually Misses

Your antivirus catches the EICAR test string. Congratulations — that proves signature scanning is on. Now test the other 90% of your threat detection stack.

March 15, 2026·8 min read·Threat

The Problem with Stopping at EICAR

Every security team runs the EICAR test. It's the first thing you do when deploying endpoint protection or a new gateway AV. Download the file, confirm it gets caught, check the box. Move on.

But here's what EICAR actually proves: your antivirus can match a known 68-byte string against a signature database, and the scanner saw the file at all. That's it. Every engine detects EICAR by design, so a pass tells you nothing about whether your security stack can detect heuristic malware patterns, behavioral ransomware indicators, or exploit payloads that don't match any existing signature.

Modern threats don't look like EICAR. They look like PowerShell scripts downloading payloads. They look like VBScript files encrypting directories. They look like OLE documents triggering buffer overflows. If you're only testing with EICAR, you're testing one detection layer and assuming every other layer works.

5 Threat Categories, Not Just 1

ITSecTools includes EICAR because it's the baseline — you should always start there. But it also provides four additional test categories that most tools don't offer, each designed to validate a different layer of your threat detection stack:

1. EICAR Standard Files (.com, .txt, .zip) — The baseline. Tests signature-based scanning across three delivery formats. The ZIP variant specifically tests whether your AV decompresses archives before scanning — a common gap at the gateway level.

2. Heuristic Malware Samples — Files containing patterns that resemble real malware tooling: credential dumping strings, PowerShell download cradles, and encoded command patterns. These don't match any specific virus signature. They test whether your AV applies heuristic analysis to suspicious content rather than pure signature matching. In our testing, this is where endpoints most often fail.

3. Ransomware Simulator Scripts — Harmless VBScript, Batch, and PowerShell files that mimic ransomware behavior patterns: file enumeration, extension checks, encryption-like operations. Downloading them tests whether your endpoint protection flags ransomware indicators in script content before anything runs. To exercise runtime behavioral monitoring you also have to execute them, and that should only be done on a disposable test machine.

4. OLE ActiveX Exploit — An OLE compound document containing patterns matching CVE-2012-0158, a stack-based buffer overflow in the MSCOMCTL.OCX ListView and TreeView ActiveX controls that was widely exploited through malicious Office documents. The file carries the patterns an engine keys on, not a working exploit. Tests whether your gateway or endpoint detects known exploit payloads embedded in document formats.

5. ANI Cursor Exploit — A RIFF/ACON file matching CVE-2007-0038, a stack overflow in Windows animated cursor handling (the anih header chunk). Tests detection of exploit content in a file format that many AV engines skip during content inspection because it is neither a document nor an executable.
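The EICAR delivery formats in item 1 are easy to reproduce locally, which is useful when you want to drop the files on a share or serve them from your own web server rather than downloading them. The following is an added example, not ITSecTools code: it builds the same bytes as the .com and .txt variants, the .zip variant, and additionally a nested-ZIP variant (a generalization of the page's single ZIP test) to probe how many archive levels a gateway unpacks before scanning. The file names are my own choice.

```python
"""Build the EICAR test file in several delivery formats, entirely in memory.

Added example, not ITSecTools code. Produces: eicar.com, eicar.txt (same bytes,
different extension), eicar.zip (one archive level) and eicar_nested3.zip
(three archive levels) to test decompress-before-scan and recursion limits.
"""
import io
import os
import sys
import zipfile

# The 68-byte EICAR string is assembled from two halves at runtime so that this
# source file does not itself contain the contiguous signature. Some scanners
# quarantine any file carrying the string, which would delete your generator.
_EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
_EICAR_TAIL = r"ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """Return the canonical 68-byte EICAR test string (ASCII, no trailing newline)."""
    data = (_EICAR_HEAD + _EICAR_TAIL).encode("ascii")
    assert len(data) == 68, "EICAR string must be exactly 68 bytes"
    return data


def eicar_zip(depth: int = 1, inner_name: str = "eicar.com") -> bytes:
    """Wrap the EICAR string in `depth` nested ZIP archives.

    depth=1 is the plain .zip variant from the list above. depth>1 probes how
    many archive levels the gateway recurses into before giving up, a common
    gap when archive scanning has a low recursion limit.
    """
    if depth < 1:
        raise ValueError("depth must be >= 1")
    payload, name = eicar_bytes(), inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), f"eicar_level{level + 1}.zip"
    return payload


def unwrap_zip(blob: bytes) -> bytes:
    """Open nested ZIPs until a non-ZIP member is reached (self-check helper)."""
    while zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                raise ValueError(f"expected exactly one member, found {names}")
            blob = zf.read(names[0])
    return blob


def test_files() -> dict:
    """Map of file name -> bytes for each delivery format (names are my own)."""
    return {
        "eicar.com": eicar_bytes(),        # executable-looking extension
        "eicar.txt": eicar_bytes(),        # same bytes, inert extension: catches name-based skips
        "eicar.zip": eicar_zip(1),         # single archive level: decompress-before-scan
        "eicar_nested3.zip": eicar_zip(3), # three levels: archive recursion limit
    }


def write_test_files(directory: str) -> list:
    """Write every variant into `directory`. Real-time AV may quarantine them at once."""
    written = []
    for name, data in test_files().items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


if __name__ == "__main__":
    for p in write_test_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("wrote", p)
```

If the single-level eicar.zip is blocked but eicar_nested3.zip is not, the gateway does unpack archives but stops short of the nesting depth an attacker would use; check the archive recursion setting on the scanning profile.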

[Screenshot: ITSecTools Threat Generation page showing all 5 test categories — EICAR, Heuristic, Ransomware, OLE Exploit, ANI Exploit]

The Heuristic Detection Gap — Where Most Endpoints Fail

Here's a pattern we see constantly: an organization passes the EICAR test with flying colors, reports "AV is working" to leadership, and then gets hit by a fileless attack that their endpoint never flagged.

The reason is simple. EICAR tests signature matching — the AV checks a file against a database of known bad patterns. Modern threats use living-off-the-land techniques — PowerShell scripts, WMI calls, legitimate system tools repurposed for malicious activity. There's no "virus signature" to match because the individual components are legitimate tools.

The heuristic malware samples in ITSecTools are designed to trigger this exact detection layer. They contain patterns that look like malicious activity without being actual malware. If your endpoint catches them, your heuristic engine is working. If they download without any alert, you have a detection gap that EICAR alone would never reveal. Keep in mind that the samples are only downloaded, never executed, so a hit here means static heuristics fired on the file content; runtime behavioral monitoring is only exercised when a script actually runs.

This is the real value of going beyond EICAR. You're not just confirming that scanning is turned on — you're mapping the boundaries of what your detection engine can actually see.

Gateway vs Endpoint — Test Both

The threat tests in ITSecTools are served over HTTPS. This immediately tests two things: your gateway AV (firewall or proxy) and your endpoint AV. And it exposes a gap that many teams don't realize exists.

If your firewall has SSL decryption enabled and file scanning applied to the decrypted traffic, the gateway should catch the threat file before it reaches the endpoint. You'll see a block page or a connection reset. A certificate error instead means the client does not trust the decryption CA, which you need to fix before reading any result. If SSL decryption is not enabled, the gateway sees only encrypted traffic: the threat file passes through the firewall invisibly, and only the endpoint AV has a chance to catch it.

Key insight: If the gateway blocks the EICAR download over HTTPS but lets the heuristic samples through to the endpoint, your gateway is only doing signature-based scanning, not heuristic analysis. This is a common configuration gap in NGFW deployments where file filtering is set to "known threats only."

Run each test category from machines on different network segments. A common finding: the security team's VLAN has full protection, but the guest Wi-Fi or a branch office subnet has no gateway scanning at all.

What Your Results Tell You

EICAR blocked, everything else passes: Signature scanning works, but heuristic and behavioral detection is disabled, not licensed, or ineffective against these patterns. Expect the endpoint to miss fileless attacks and samples that have no signature yet.

EICAR + heuristic samples blocked, ransomware passes: Good detection for static file analysis, but the ransomware-pattern scripts were not flagged. If they also run on a test host without an alert, behavioral monitoring is weak and ransomware-like activity (file enumeration, mass rename patterns) goes undetected.

Everything blocked at gateway: Excellent for the gateway. Your firewall has SSL decryption, signature scanning, heuristic analysis, and exploit detection all active. But the endpoint was never exercised, so repeat the test from a segment without gateway scanning (or with a temporary exception) before you conclude that roaming laptops are covered too.

Nothing blocked at all: Check SSL decryption first; without it, HTTPS downloads are invisible to your gateway. Also confirm the test domain is not on a decryption-bypass list. Then verify endpoint AV real-time protection is enabled and that the download directory is not excluded from scanning.
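Distinguishing a gateway block from an endpoint block is the part that is easy to get wrong by eye: a connection reset, a substituted block page and a file that lands and is quarantined a few seconds later all look like "blocked" in the browser, but they point at different layers and map to different rows of the readings above. The following harness is an added example, not ITSecTools code: it fetches each category, records what the client observed, classifies the outcome as gateway, endpoint or passed, and then applies the readings from this section and the Gateway vs Endpoint section. The base URL, file names and block-page markers are assumptions to replace with your tenant's real paths and your NGFW's actual block page.

```python
"""Fetch each threat category, classify where it was stopped, and diagnose.

Added example, not ITSecTools code. BASE_URL, CATEGORIES and BLOCK_PAGE_MARKERS
are hypothetical; adapt them to the real download URLs and to your gateway's
block page. Run from several network segments and compare the findings.
"""
import http.client
import os
import tempfile
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

BASE_URL = "https://itsectools.example/threats/"  # assumed, not the real path
CATEGORIES = {                                    # assumed file names
    "eicar": "eicar.com",
    "heuristic": "heuristic_sample.txt",
    "ransomware": "ransim.ps1",
    "ole_exploit": "cve-2012-0158.doc",
    "ani_exploit": "cve-2007-0038.ani",
}
# Hypothetical markers; copy distinctive text from your own NGFW/proxy block page.
BLOCK_PAGE_MARKERS = (b"blocked", b"file_malware", b"policy violation")


@dataclass
class Observation:
    """What the client saw for one category (from fetch(), or constructed by hand)."""
    error: Optional[str] = None     # "ConnectionResetError", "HTTP 403", "SSLError", ...
    body: bytes = b""               # response body as received
    on_disk_after_wait: bool = True # saved file still present once real-time AV settled


def classify(obs: Observation) -> str:
    """Return 'gateway' (stopped in transit), 'endpoint' (landed, then removed) or 'passed'."""
    if obs.error is not None:
        return "gateway"            # reset, TLS failure, truncated stream or block status
    if any(m in obs.body.lower() for m in BLOCK_PAGE_MARKERS):
        return "gateway"            # an HTML block page was substituted for the file
    if not obs.on_disk_after_wait:
        return "endpoint"           # real-time AV quarantined it after it landed
    return "passed"


def fetch(category: str, settle_seconds: float = 5.0, workdir: Optional[str] = None) -> Observation:
    """Download one category, save it, and give real-time AV a moment to react."""
    url = BASE_URL + CATEGORIES[category]
    obs = Observation()
    try:
        with urllib.request.urlopen(url, timeout=20) as resp:
            obs.body = resp.read()
    except urllib.error.HTTPError as exc:
        obs.error = f"HTTP {exc.code}"
        return obs
    except (OSError, http.client.HTTPException) as exc:  # URLError, SSLError, resets, IncompleteRead
        obs.error = type(exc).__name__
        return obs
    workdir = workdir or tempfile.mkdtemp(prefix="threattest_")
    path = os.path.join(workdir, CATEGORIES[category])
    with open(path, "wb") as fh:
        fh.write(obs.body)
    time.sleep(settle_seconds)
    obs.on_disk_after_wait = os.path.exists(path)
    return obs


def diagnose(results: dict) -> list:
    """Apply the readings from the text to per-category verdicts; returns findings."""
    blocked = {c for c, v in results.items() if v != "passed"}
    at_gateway = {c for c, v in results.items() if v == "gateway"}
    if not blocked:
        return ["nothing blocked: check SSL decryption and bypass lists first, then endpoint real-time protection"]
    if at_gateway == set(results):
        return ["everything blocked at gateway: endpoint never exercised, retest from a segment without gateway scanning"]
    findings = []
    if blocked == {"eicar"}:
        findings.append("signature scanning only: heuristic and behavioral layers not detecting")
    if "heuristic" in blocked and "ransomware" not in blocked:
        findings.append("static analysis works but ransomware-pattern scripts pass")
    if "eicar" in at_gateway and "heuristic" in blocked and "heuristic" not in at_gateway:
        findings.append("gateway is signature-only: heuristic sample was caught only on the endpoint")
    return findings or ["mixed result: review per-category verdicts"]


def run_all() -> dict:
    """Network run across every category; returns {category: verdict}."""
    return {c: classify(fetch(c)) for c in CATEGORIES}


if __name__ == "__main__":
    verdicts = run_all()
    for category, verdict in verdicts.items():
        print(f"{category:12s} {verdict}")
    for finding in diagnose(verdicts):
        print("finding:", finding)
```

The settle delay matters: real-time engines often let the write complete and quarantine a moment later, so checking the file immediately after saving would misreport an endpoint block as a pass. Run the script from the security VLAN, guest Wi-Fi and a branch subnet and diff the findings, as the previous section recommends.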

[Screenshot: Forcepoint NGFW log showing File_Malware-Blocked entries for different threat categories with Terminate action]
Test Your Full Threat Detection Stack →