Low Severity

Attachment: EICAR String Present

Description

This rule detects the EICAR test string, which is used to evaluate anti-virus scanning and file inspection capabilities.

For performance reasons, this rule is limited to attachments whose file name contains "eicar".

@ajpc500
Created Aug 17th, 2023 • Last updated Aug 21st, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments, strings.icontains(.file_name, "eicar"))
and any(attachments,
        any(file.explode(.),
            any(.scan.strings.strings,
                strings.icontains(.,
                                  'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
                )
            )
        )
)
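The rule's logic re-implemented in Python, as an added example that is not Sublime's code or its MQL engine: an in-memory zip walk stands in for file.explode() (assumption: only zip archives are handled) and a case-insensitive raw byte search stands in for .scan.strings.strings. The constructed samples show the two gates the description mentions: a file named "eicar" inside a zip still matches, while an attachment carrying the string under another name does not.

```python
import io
import zipfile

# The public EICAR test string; the rule matches it case-insensitively.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def explode(name, data):
    """Stand-in for file.explode(): yield the file itself and, for zip
    archives, every member recursively (assumption: only zip is handled)."""
    yield name, data
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if not member.is_dir():
                    yield from explode(member.filename, zf.read(member))

def contains_eicar(data):
    # strings.icontains over extracted strings; a case-insensitive search of
    # the raw bytes is a superset of that and sufficient for this example.
    return EICAR.lower().encode() in data.lower()

def rule_matches(inbound, attachments):
    """Mirror the MQL. attachments: list of (file_name, content_bytes).
    Note the two any() clauses are independent: the eicar-named attachment
    need not be the one that carries the string."""
    if not inbound:
        return False
    if not any("eicar" in name.lower() for name, _ in attachments):
        return False  # the performance gate: unnamed EICAR files are skipped
    return any(contains_eicar(data) for name, content in attachments
               for _, data in explode(name, content))

def build_zip(member_name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()

# Constructed attachment sets, not real mail.
BODY = EICAR.encode()
SAMPLES = {
    "plain": [("eicar.com", BODY)],
    "zipped": [("EICAR.zip", build_zip("eicar.com", BODY))],
    "split": [("eicar-notes.txt", b"see attached"), ("x.com", BODY)],
    "renamed": [("invoice.pdf", BODY)],  # gated out: nothing named "eicar"
}
```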
