How to Tell if Your Antivirus is Working

This article explains several ways you can tell whether your antivirus software is properly working. Instructions apply only to the Windows operating system.

The EICAR Test File

The EICAR test file is the easiest way to ensure your antivirus software is working. It's a virus simulator developed by the European Institute for Computer Antivirus Research and Computer Antivirus Research Organization. EICAR is a non-viral string of code that most antivirus software have included in their signature definition files specifically for the purpose of testing — therefore, antivirus applications respond to this file as if it were a virus.

You can create one yourself using any text editor, or you can download it from the EICAR website. To create an EICAR test file, copy and paste the following line into a blank file using a text editor such as Notepad:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Save the file as EICAR.COM. If your active protection is working properly, the simple act of saving the file should trigger an alert. Some antivirus applications will immediately quarantine the file as soon as it is saved. 

Windows Security Settings

Test to make sure you have the most secure settings configured in Windows.

• In Windows 7, your security and firewall settings are available via Start | Control Panel | System & Security. Choose Action Center from the right pane.
• For Windows 8 and 8.1, type the word "action" on the Start screen and then select Action Center from the results.
• For Windows 10, enter "security and maintenance" in the search box on the taskbar and then select Security and Maintenance.

Once in the Action Center, ensure that Windows Update is turned on so that you can get the latest updates and patches, and schedule a backup to ensure you don't lose data.

Checking and Fixing the HOSTS File

Some malware adds entries to your computer's HOSTS file. The hosts file contains information regarding your IP addresses and how they map to host names, or websites. Malware edits can effectively block your internet connection. If you are familiar with the normal contents of your HOSTS file, you will recognize unusual entries.

On Windows 7, 8 and 10, the HOSTS file is located in the same location: in the C:\Windows\System32\drivers\etc folder. To read the contents of the HOSTS file, just right-click it and choose Notepad (or your favorite text editor) to view it.

All HOSTS files contain several descriptive comments and then a mapping to your own machine, like this:

#   127.0.0.1   localhost

The IP address is 127.0.0.1 and it maps back to your own computer, i.e. localhost. If there are other entries you do not expect, the safest solution is to just replace the entire HOSTS file with the default.

Replacing the HOSTS File

1. Rename the existing HOSTS file to something else such as "Hosts.old. This is just a precaution in case you need to revert to it later.

2. Open Notepad and create a new file.

3. Copy and paste the following into the new file:

   # Copyright (c) 1993-2009 Microsoft Corp.
   #
   # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
   #
   # This file contains the mappings of IP addresses to host names. Each
   # entry should be kept on an individual line. The IP address should
   # be placed in the first column followed by the corresponding host name.
   # The IP address and the host name should be separated by at least one
   # space.
   #
   # Additionally, comments (such as these) may be inserted on individual
   # lines or following the machine name denoted by a '#' symbol.
   #
   # For example:
   #
   #   102.54.94.97  rhino.acme.com     # source server
   #   38.25.63.10  x.acme.com       # x client host
   # localhost name resolution is handle within DNS itself.
   #   127.0.0.1   localhost
   #   ::1      localhost
   
   

4. Save this file as "hosts" in the same location as the original HOSTS file.