For people who have virus scanners, there is the EICAR file that they can use to test that their virus scanner is working.
While XProtect is not a true virus scanner, I would like to know if there is a file like EICAR for the Mac OS that simulates the same thing. How do I know that it's running while I am browsing the web?
XProtect will detect the EICAR test file. Download the following file:
Try to open it, and when it asks what app you want to open it with, select a text editor. At that point, XProtect should jump in and prevent it from opening:
Of course, it won't actually damage your computer, since it's just an EICAR test file and not actual malware. However, this does demonstrate accurately what would happen if you downloaded and tried to open a malicious executable file.
I just downloaded it and TextWrangler opened it just fine. Here are its contents:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Should I be worried?
Best
J
John Whitehead wrote:
Should I be worried?
No, looks like that's normal... or, at least, that's happening for me as well in Yosemite. The eicar definition is still present in XProtect, but it looks like Yosemite is not checking that file against the definition... probably because it's not identified as containing executable code, which it doesn't. I don't know whether Apple has simply forgotten about supporting the eicar file or what. I'll report this to the product security team.
thomas_r. wrote:
I'll report this to the product security team.
How does one do that?
Thanks!
thomas_r. wrote:
XProtect will detect the EICAR test file. Download the following file:
Try to open it, and when it asks what app you want to open it with, select a text editor. At that point, XProtect should jump in and prevent it from opening:
Of course, it won't actually damage your computer, since it's just an EICAR test file and not actual malware. However, this does demonstrate accurately what would happen if you downloaded and tried to open a malicious executable file.
As an aside, I tried this on my iMac running Mavericks and my malware checker, Avira, flagged it and snagged it before I could even try to open it!
Was your orignal question answered? how can you verify that Xprotect is functioning?
tomas_r's first post has a sample file that should trigger XProtect, see what it does for you.
Drew Reece wrote:
tomas_r's first post has a sample file that should trigger XProtect, see what it does for you.
It does not trigger an alert on Yosemite. It would appear that the eicar file is (still) not triggering the alert on open, at least via an editor. Or that XProtect is not working — not that I'm going to go look for a hunk of actual malware that it should (hopefully) detect.
It fails to trigger a warning when opening in TextEdit on 10.9 too.
Sorry I don't know enough to diagnose this.
Any ideas thomas_r?
When I try to download Eicoar on Yosemite 10.10.5 as well as Apple's store workstations running el captain do not show any message.
How can I test that XProtect is working?
