• Sublime Core Feed
Low Severity

Attachment: EICAR string present

Labels

Malware/Ransomware
File analysis

Description

This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.

For performance reasons, this rule is limited to attachments with "eicar" in the file name.

References

@ajpc500
Created Aug 17th, 2023 • Last updated Aug 5th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments, strings.icontains(.file_name, "eicar"))
and any(attachments,
        any(file.explode(.),
            any(.scan.strings.strings,
                strings.icontains(.,
                                  'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
                )
            )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started