Jump to content

MBIR/BR test file?


Recommended Posts

Is there a test file that will be detected by Malwarebytes Incident Response and Breach Remediation so that we can test the software and see what a detection looks like without *actually* installing malware on our systems?  :-)  I've already Googled and searched the forums, but didn't find anything other than the "Malwarebytes Product Testers" zip file (which is designed for Anti-Exploit and doesn't work with Incident Response).


- John

Link to post
Share on other sites

Found another source via a rather entertaining reddit:






Edited by AdvancedSetup
Removed live hyperlinks
Link to post
Share on other sites

Hrm...any thoughts on Malwarebytes Incident Response finding and quarantining the Ask Toolbar installer (AskToolbar.exe) but not touching an extracted copy of the OCDLL.dll from inside? Will the software not remove the OCDLL.dll if it's actually installed? O_O

(I mean, I can fire up a disposable VM, actually install the toolbar, and then scan it, but you'd think if it'll find the DLL once installed, it would also find it extracted. No?)

Link to post
Share on other sites

For an installed threat, Malwarebytes remediation function has a 'linking engine' which finds all related object of a threat and quarantines them, including EXE, DLL, registry settings and files etc.  The Detection result will list all components of a threat which have been quarantined.

If a scan of type Threat or Custom scan-all-local-drives, that the above process would be applied as running processes are checked.  Files on disk should also be found.


Link to post
Share on other sites

  • 2 months later...
  • Root Admin

Hello @stuart_smiles

The following is from our FAQ



Why doesn’t Malwarebytes detect EICAR?

According to the European Expert Group for IT-Security (EICAR) organization, the EICAR test file is a plain string of ASCII characters which can be opened with a regular text editor. EICAR asserts that antivirus products should detect any file that starts with the EICAR strings, which are the following 68 characters:


Detecting the EICAR strings doesn’t mean anything in terms of proving a products’ real-world effectiveness against threats. This experiment merely proves that the antivirus product can use a pattern-matching signature and trigger against a DOS file (not a Windows PE file) whose content starts with the above EICAR string.

At Malwarebytes, we employ over 7 different prevention layers. Each layer has a specific objective in terms of disrupting threats at different stages of the attack chain. Most layers are signature-less and are designed to protect against the real-world threats our researchers observe in-the-wild, ensuring Malwarebytes customers are protected against prevalent and relevant threats.

The detection or lack thereof of the EICAR test file is not representative of how our different vector blocking and payload prevention techniques work, both in pre-execution and post-execution phases of the attack. The MBAM engine does not need to deal with scripts because our anti-exploit, web blocking and application behavior engines are much more effective at disrupting script-based malware and exploits without relying on signatures. Most anti-virus products have to rely on signatures to detect and block script malware, which is exactly what you DON'T WANT your antivirus to do. There are many more obfuscation and signature evasion techniques available for script droppers than there are for binary malware. Therefore relying on signatures to detect script droppers or files like the EICAR test file, is actually damaging to your security. The fact that your security product detects EICAR with a signature should be a reason for CONCERN instead of success. Most modern script-based droppers and attacks are obfuscated anyways, so using signatures on scripts (like those signature detections for .JS ransomware droppers regularly found in VT) is largely useless and easily bypassed as compared to other protection approaches like those found in MB3.

An EICAR detection proves that a product is able to use pattern-matching signatures and detect a type of threat that may have been prevalent and relevant over 2 decades ago. According to EICAR, a batch file that reads in another file and displays an “alert” message if it finds the EICAR string would qualify as a virus detection product.

So in summary, MB3 already incorporates world-class, next-generation anti-malware technologies. Our combination of signature-less and rules-based layered approach is far more effective than using AV signatures. Malwarebytes is able to prevent 0-minute threats and attacks without updates, even script-based, file-less, and other advanced attacks. We won’t detect EICAR because EICAR is not representative of either today’s threat environment or security needs.



Thank you


Link to post
Share on other sites

@straffin, yes we do have such tools. You can use the one attached* for interacting with, and triggering the real time, or leave it somewhere for a scanner to find.

*Linked on Box in new thread.

Another good resource to test that the scanner is looking in certain areas during scheduled scans, is using Spycar. They make a test detection suite for scanner engines - http://www.testmypcsecurity.com/securitytests/all_tests.html#AllTests*

 *Spycar is dead, RIP. ☠️

Edited by djacobson
removing attachment, striking dead links.
Link to post
Share on other sites

On this topic, EICAR is actually both a text-readable string and a 16-bit COM/DOS executable with an original purpose to print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" 
It will no longer run on a current Windows operating system.  It is archaic and useless, except to demonstrate string/pattern recognition.

Link to post
Share on other sites

Some of the Staff responses show a misunderstanding of what exactly I'm looking for. We need to document (and, on occasion, demonstrate) what the software actually looks like while it's working and when it finds something. It's really not important at all if the EICAR file is an effective measure of an anti-virus products efficacy. It was never supposed to be. It's simply a file that triggers a response. If what you're looking to do is see what a valid response looks like (which we are), the EICAR file will generally do the job.

It also appears that the Test_PUP.zip file has been removed. 😞

Link to post
Share on other sites

Hi @straffin, my bad on the TestPUP, I mistakenly made a no-no and posted it to the thread reply instead of a separate hosting link. Use this link - https://malwarebytes.box.com/s/za0zyzwrdbumesqx8e3eo489edad0no0 -  and I will PM you the passcode.


It's also a bummer to learn the Spycar files are gone :( but TestPUP will do the job!

Edited by djacobson
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.