Validate AV / EDR Exclusions Using EICAR Content

Created by Brent Henderson, Modified on Wed, 15 Apr at 1:28 PM by Brent Henderson

Last reviewed: April 15, 2026

Purpose:
This article explains how to use Tanium EICAR content to validate whether antivirus (AV) or endpoint protection platform (EPP) exclusions are correctly configured for the Tanium Client on Windows endpoints.

Important:
Do not deploy this content broadly. Test only on a single endpoint or a very small sample of representative endpoints. Missing exclusions may cause visible quarantine events and user notifications.

Organizations commonly use AV or EPP tooling on Windows systems, and those security controls can interfere with Tanium if proper exclusions are not in place. Tanium’s Core EICAR Content provides a safe way to validate whether Tanium-related exclusions are functioning as expected.

Overview 


The Tanium Core EICAR Content solution consists of a package that writes the industry-standard EICAR test file and a sensor that checks whether that file remains present. If the file is quarantined or removed, AV/EPP exclusions may be missing or incomplete.


  • Supports Windows endpoints only
  • Useful for onboarding, troubleshooting, and exclusion validation
  • Should be used in a controlled and limited scope

Core Package: Write EICAR File


Purpose: Distributes the EICAR test file into the Tanium Client directory root on a Windows endpoint.


Sensor: EICAR AV Exclusions Check


Purpose: Returns the result of the EICAR validation and indicates whether the test file remains present.

How to Use It


  1. Select a single endpoint or a very small sample of representative endpoints for testing.
  2. Deploy the Write EICAR File package to the selected endpoint(s).
  3. Ask a question that uses the EICAR AV Exclusions Check sensor against the targeted endpoints to determine whether the file is still present.


Example Question:

Get EICAR AV Exclusions Check?maxAge=60 from all machines with Computer Name contains <yourDevice>

Expected Result:
A healthy result shows that the EICAR file remains present and the sensor returns a passing outcome.


Interpreting Results


  • Pass: The EICAR file is still present, suggesting exclusions are working.
  • Fail / Missing: The file was quarantined or removed, suggesting AV/EPP is interfering with Tanium content.
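For a local spot check on the test endpoint, the PowerShell below mirrors the write-then-check logic described above. It is an added example, not Tanium's package or sensor code; the function name, parameters and file name are hypothetical, and `<TaniumClientDir>` is a placeholder for the endpoint's actual Tanium Client directory.

```powershell
# Added example (not Tanium content): write the EICAR test file into a
# directory, wait, then report Pass/Fail the same way the article does.
function Test-EicarExclusion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TargetDir,        # e.g. '<TaniumClientDir>'
        [string]$FileName = 'eicar-exclusion-test.txt',  # hypothetical file name
        [int]$WaitSeconds = 60                           # time allowed for AV/EPP to react
    )
    # Standard 68-character EICAR test string, assembled from two halves so
    # this script file is not itself detected as the test file.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' + 'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $path  = Join-Path -Path $TargetDir -ChildPath $FileName
    $ascii = [System.Text.Encoding]::ASCII
    $result = [ordered]@{ Path = $path; Status = 'Unknown'; Detail = '' }

    try {
        # Exact bytes, no BOM and no trailing newline.
        [System.IO.File]::WriteAllText($path, $eicar, $ascii)
    } catch {
        # On-access protection (or missing rights) can stop the write itself.
        $result.Status = 'Fail'; $result.Detail = "Write failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    Start-Sleep -Seconds $WaitSeconds

    if (-not (Test-Path -LiteralPath $path)) {
        $result.Status = 'Fail'; $result.Detail = 'File removed or quarantined'
        return [pscustomobject]$result
    }
    try {
        # Present is not enough: some products leave a blocked or rewritten file.
        $onDisk = [System.IO.File]::ReadAllText($path, $ascii)
        if ($onDisk -ceq $eicar) {
            $result.Status = 'Pass'; $result.Detail = 'File present and unmodified'
        } else {
            $result.Status = 'Fail'; $result.Detail = 'File present but content altered'
        }
    } catch {
        $result.Status = 'Fail'; $result.Detail = "Read blocked: $($_.Exception.Message)"
    }
    # Clean up so the test file does not linger on the endpoint.
    Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    [pscustomobject]$result
}
```

Run it from an elevated session, for example `Test-EicarExclusion -TargetDir '<TaniumClientDir>'`. It exercises path-based exclusions only, so an exclusion keyed to the Tanium Client process can pass in Tanium and still fail here.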


Remediation


  1. Review AV/EPP exclusions for the Tanium Client directory and related working paths.
  2. Check quarantine, behavioral protection, and EDR events for evidence of blocked Tanium artifacts.
  3. Coordinate with the security team to validate approved exclusions.
  4. Re-run the EICAR test after exclusions are updated.

Best Practice:
Incorporate this check into new environment onboarding and after major security policy changes to validate that Tanium operations will not be disrupted by endpoint protection controls.
