Versions (2)
Version Details (Current)
Rev: 5 • Mar 28, 2011, 12:00 PM
ET DELETED EICAR test file with MZ header double-stacking AV evasion technique
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EICAR test file with MZ header double-stacking AV evasion technique"; flow:established,from_server; content:"|24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49|"; fast_pattern; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode"; reference:url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2012591; rev:5; metadata:created_at 2011_03_28, signature_severity Unknown, updated_at 2019_07_26;)
Mar 28, 2011, 12:00 PM
Jul 26, 2019, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-deleted.rules