Attachment: EICAR String Present
This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.
For performance reasons, this rule is limited to attachments with "eicar" in the file name.
type.inbound
and any(attachments, strings.icontains(.file_name, "eicar"))
and any(attachments,
        any(file.explode(.),
            any(.scan.strings.strings,
                strings.icontains(.,
                                  'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
                )
            )
        )
)
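To exercise the rule against sample data, the following added example (not part of the original rule or of Sublime's engine) builds constructed test messages and approximates the rule's two any() clauses in Python. Assumptions: the addresses and file names are made up, type.inbound is not modeled, file.explode is approximated by one level of ZIP extraction, and .scan.strings.strings by a case-insensitive substring search over the raw bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# The test string exactly as it appears in the rule above.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_eml(attachments):
    """Build a constructed test message from {file_name: bytes}."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"        # constructed address
    msg["To"] = "recipient@example.com"       # constructed address
    msg["Subject"] = "EICAR rule test"
    msg.set_content("Constructed sample for rule testing.")
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def explode(data):
    """Yield the payload itself and, for ZIPs, each member (one level only)."""
    yield data
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                yield zf.read(member)


def rule_matches(eml_bytes):
    """Approximate the rule: file-name gate AND test string in any attachment."""
    msg = message_from_bytes(eml_bytes, policy=policy.default)
    parts = [(p.get_filename() or "", p.get_payload(decode=True) or b"")
             for p in msg.iter_attachments()]
    # Clause 1: some attachment has "eicar" in its file name (case-insensitive).
    name_gate = any("eicar" in name.lower() for name, _ in parts)
    # Clause 2: some attachment, once exploded, contains the test string.
    needle = EICAR.lower().encode()
    string_hit = any(needle in blob.lower()
                     for _, data in parts for blob in explode(data))
    return name_gate and string_hit
```

Because the two clauses are evaluated independently, the file-name match and the string match do not have to come from the same attachment, and a test file whose name lacks "eicar" is skipped entirely.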