Test File Inspection with Eicar

Available Languages

Download Options

  • PDF     (15.8 KB)
    View with Adobe Reader on a variety of devices
Updated:October 2, 2025
Document ID:225043

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to test file inspection with Eicar.

    Overview

    At present, when testing whether or not the File Inspection feature is enabled by using the eicar.org test download files, you see different behaviour when "SSL decryption" enabled or disabled. Umbrella File Inspection only AV scans downloads at eicar.org if SSL decryption is enabled.  

    Understanding the Detection Process For Eicar

    To enable blocking of eicar.org, please enable SSL decryption.

    note-icon

    Note: SSL Decryption is required even when visiting the site over HTTP. If you do not have SSL Decryption enabled, the proxy bypasses domains that serve traffic over HTTPS.

    • The Umbrella Intelligent Proxy makes a decision whether to send a domain to the proxy at the DNS layer.  
    • The DNS request happens before the HTTP/HTTPS connection, which means that when a domain is subject to the proxy, both HTTP and HTTPS traffic is always proxied.
    • When HTTP/HTTPS traffic reaches our Intelligent Proxy, the first step is to make a redirect to identify the user. 

    This redirect is not possible without SSL decryption, which means we might be unable to correctly identify users in some scenarios (such as Roaming Users).

    To prevent these users breaking HTTPS requests, Umbrella does not use proxy domains (like eicar.org) that serve both HTTP/HTTPS traffic unless SSL decryption is enabled.

    In Summary...

    To get the best security and efficacy from the feature, we strongly recommend to install the Cisco Root CA and enable SSL decryption. This allows eicar.org test files to be blocked and increases the number of domains that are subject to File Inspection through our Intelligent Proxy.

    Here is a summary of expected behaviour: 

    Revision History

    Revision Publish Date Comments
    1.0
    02-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products