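rule eicar_av_test {
    /*
       Detects the EICAR anti-virus test file.

       Per the EICAR standard, the test file consists of exactly the 68-byte
       EICAR string, optionally followed by whitespace, with the total file
       length not exceeding 128 bytes. The rule therefore anchors the regex
       to both the start and end of the data (^ ... $), allows only trailing
       whitespace (\s*), and additionally bounds the scanned object with
       `filesize <= 128` so that an oversized file padded with whitespace is
       not reported as a conforming EICAR test file.

       The raw EICAR string to be matched is:
       X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

       Regex-special characters in that string ([ \ ( ^ ) } $ + *) are
       escaped below so they are matched literally.
    */
    meta:
        description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly."
        author = "Austin Byers | Airbnb CSIRT"
        reference = "http://www.eicar.org/86-0-Intended-use.html"

    strings:
        // Whole-file match: EICAR string at offset 0, then only optional trailing whitespace.
        $eicar_regex = /^X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\*\s*$/

    condition:
        // 128-byte cap comes from the EICAR standard (68-byte string plus optional whitespace).
        filesize <= 128 and $eicar_regex
}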