Problem solved, the eicar was just not submitted in the form at all ...
I'll share the simple html which was the actual probleme here:
<form action="" enctype="multipart/form-data" method="post">
<input type="file" multiple="multiple"/>
<input type="submit"/>
</form>
-> this did not transfer the selected files at all, and thus of course no anti-virus could ever detect the virus in the not transferred files.
after adding the name="uploads" attribute in the file-input, it transferred the files, and antivir correctly detected the eicar test:
<input type="file" multiple="multiple" name="uploads"/>
thx,
Jan