Penetration Testing mailing list archives
RE: virus product pentest
From: Omar Herrera <oherrera () prodigy net mx>
Date: Sun, 12 Sep 2004 16:20:39 -0500
-----Original Message-----
From: 4secure () web de [mailto:4secure () web de]

Hello,

can someone give me tips on how to run virus protection tests? This is also interesting if one has to perform a virus audit. So far I have only checked functionality with an EICAR test virus. I still need procedures for testing the performance of a virus protection product. I would also like to check which viruses the product recognizes (e.g. the viruses listed at http://www.wildlist.org/WildList/RTWL.htm). Is there also some kind of collection of virus identifications (defused viruses), or do I have to search the Internet for some real viruses? Perhaps there is a ready-made virus collection; if so, where?

Yours sincerely
Istvan
It is not very clear what exactly you (or your client, actually) want to accomplish, but I'll assume you are proposing this kind of audit to a client. In my case I was the client and have asked consultants to do similar evaluations (so I will answer from that point of view).

First, many tests are not well suited for penetration testing, perhaps not even to be done by consultants for a specific product. These are some of them:

* Virus detection against a virus collection
* New/unknown virus detection

These tests are better done while comparing a wide range of antivirus products, and the goal might be to recommend some product to your client. But there are already people with labs doing this in a proper way with proper tools, so there is no need to include this in a pentest (your results probably won't be reliable). Besides, you might get into dangerous waters by assessing a specific product (how could you, as a pentest consultant, demonstrate that you are capable of assessing a commercial AV product?); the vendor might even accuse you of being biased, and it would be hard to support that you are not.

If you want to show that the AV your client has can miss some virus variants or a new virus, then you just have to tell them. There is no AV capable of detecting all viruses; this is a well known fact that I believe requires no further spending to be proved (there are products that can tell you when they see something that has not been approved, though, but you see this kind of architecture more on the side of host based IDS). Besides, suppose you find that this AV doesn't detect a certain virus at the time you test it. Would you recommend changing it? But wouldn't you then need to show that there is actually another product that detects this and all the other viruses the other AV detected? In the end, wouldn't that force you to make a full AV product comparison?

So, what did I ask to be included in a pentest?
Well, to test the perimeter defenses put in place to contain malware, but these turn out to be mostly configuration and rules. They (the consultants) tested AVs in the process but obviously they failed (you will see why in the next few lines). The infrastructure I was looking to test was this:

* Certain firewall policies
* Certain server configurations (email and web proxy filters)
* Certain workstation configurations (file access and registry permissions)

In the end, this allowed us to test our resistance against generic virus propagation (common propagation vectors such as email and web surfing), as well as the resistance of our desktops to executing unwanted code. We do use AV of course, several brands (gateway, local, scanners and memory resident, you name it), but as many have already noticed, viruses and worms are spreading much faster each time, so what we used to see as our last line of defense (these filters and configurations) turned out to be our primary, and many times only, means of defense. The number of times a virus has been detected reaching inside our network with none of our AVs having the virus signature should be around 20, just for the first half of this year.

And what did these guys do to test this? They developed a limited trojan-like thing that was sent through email and http (we acted as the most clueless user, clicking and opening everything they sent us on this lab machine), testing in this way the perimeter filters (we saw here things like: oops, .exe is blocked, then I try .zip, then I try password-protected .zip, and so on). Then, on the inside, they tested the ability of this thing to write to key points in the registry such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and other vectors that allow viruses and worms to be executed after the machine is restarted. Then we tested its capabilities to write to certain folders, to open ports and to establish a covert channel back to the Internet.
Summarizing, these were the requirements for the test malware we requested:

* Source code must be available (well, we don't trust our consultants that much :-) )
* No replication capabilities (although we thought it might not harm us to allow limited and controlled replication, we concluded that we only required one copy of it to be executed inside to demonstrate weaknesses)
* Capabilities to evade perimeter and workstation security controls (but of course, and that's where the pentest people play a role, by morphing and expanding the malware)
* Capability of establishing a covert channel connecting back to the Internet to demonstrate remote information stealing and control
* Capabilities to read/write/execute on certain folders

On our part:

* A dedicated machine (isolated in a lab but protected with the same security controls as any other machine, both on the network and locally)
* An email test account for the email vector
* A sitting duck, clueless user (actually one of our security staff acting as such)

Some last notes: this is not a test that might work for everyone. It worked for us because we have a standardized and closed baseline configuration of workstations, so we know that weaknesses replicate but also that successful security controls are everywhere. We only tested workstations and we closely supervised the whole process (there are things that a consultant might not be aware of during the test, and yet you might notice something worth changing while being on the inside). As you could probably note, AVs were the last thing we tested, and of course they were ineffective, as the situation we tested here was one in which an unknown virus/worm is hitting us (which is becoming more common every day). We know that our AVs will eventually detect these new threats, but that is not good enough from a prevention perspective.

Does this test guarantee that we are immune to viruses/worms?
Definitely not; there is no protection against specific attacks by a dedicated, resourceful and well motivated attacker (that's why we have response teams, BCP, DRP and all that stuff), but it will certainly improve generic protection against generic attacks. Viruses and worms are developed to target mainly generic/commonly used systems, applications and configurations, so that's where we put most of our effort, and I must say it has been a good investment :-)

I hope this is of some help.

Best regards,

Omar Herrera
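The ".exe is blocked, then I try .zip, then password-protected .zip" cycle Omar describes is the part of this test that is easy to reproduce offline. The following is an added example, not the consultants' tool or anything from the original thread: it builds the attachment variants that cycle would send (the "trojan" is a constructed MZ/PE header stub, not a working program) and runs each through two gateway policies, an extension-only check and one that also looks at file magic and inside archives. The blocked-extension list, the nesting limit and the `mark_encrypted` helper (which only flips the zip "encrypted" flag bit so the filter sees a password-protected archive; it does not really encrypt anything) are this example's own assumptions, not a description of any specific gateway product.

```python
"""Attachment filter check for a malware-delivery pentest: one constructed
payload sent as a bare .exe, inside a .zip, inside a "password-protected"
.zip, nested, and under a misleading extension, run through an
extension-only policy and a content-inspecting policy."""
import io
import os
import zipfile

# Extensions a mail gateway typically blocks outright (assumed list).
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAX_NESTING = 3  # archives nested deeper than this are treated as unscannable

# Constructed stand-in for the test trojan: a DOS/PE-style header prefix only.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"This program cannot be run in DOS mode"


def extension_only_filter(name: str, data: bytes):
    """Weak policy: decide on the attachment's file extension and nothing else."""
    ext = os.path.splitext(name)[1].lower()
    if ext in BLOCKED_EXT:
        return "block", f"{name}: blocked extension {ext}"
    return "allow", f"{name}: extension not on block list"


def inspect_attachment(name: str, data: bytes, depth: int = 0):
    """Stronger policy: block by extension, by PE magic bytes regardless of
    name, and by recursing into archives; an archive the filter cannot open
    (encrypted member, or nested too deep) is blocked as unscannable."""
    ext = os.path.splitext(name)[1].lower()
    if ext in BLOCKED_EXT:
        return "block", f"{name}: blocked extension {ext}"
    if data[:2] == b"MZ":
        return "block", f"{name}: PE executable by magic bytes"
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_NESTING:
            return "block", f"{name}: archive nested deeper than {MAX_NESTING}"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted member
                    return "block", f"{name}: encrypted member {info.filename}, cannot scan"
                verdict, reason = inspect_attachment(info.filename, zf.read(info), depth + 1)
                if verdict == "block":
                    return "block", f"{name} -> {reason}"
    return "allow", f"{name}: nothing suspicious found"


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip; STORED so member bytes land in the file unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag (general-purpose bit 0) in every local file
    header (flags at offset 6) and central-directory header (flags at offset 8).
    Member data is untouched: this is a constructed sample that looks
    password-protected to a filter, not a real encrypted archive."""
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            flags = int.from_bytes(buf[pos + flag_off:pos + flag_off + 2], "little") | 0x1
            buf[pos + flag_off:pos + flag_off + 2] = flags.to_bytes(2, "little")
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def build_samples() -> dict:
    """The attachment variants the pentest cycled through, as constructed test data."""
    inner = make_zip({"invoice.exe": FAKE_PE})
    return {
        "invoice.exe": FAKE_PE,
        "invoice.zip": inner,
        "invoice_protected.zip": mark_encrypted(inner),
        "invoice.txt": FAKE_PE,                          # executable under a harmless name
        "invoice_nested.zip": make_zip({"inner.zip": inner}),
        "report.zip": make_zip({"notes.txt": b"quarterly figures\n"}),  # benign control
    }


def run_filters() -> dict:
    """Return {sample name: (extension-only verdict, content-inspection verdict)}."""
    return {name: (extension_only_filter(name, data)[0], inspect_attachment(name, data)[0])
            for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, (weak, strong) in run_filters().items():
        print(f"{name:24} extension-only: {weak:5}  content inspection: {strong}")
```

The useful reading of the output is the column the extension-only policy gets wrong: the renamed executable, the zipped one, the nested one and the "password-protected" one all pass it, while the benign `report.zip` is the only sample the content-inspecting policy lets through. Whether a real gateway blocks or quarantines an archive it cannot open is a policy decision; the point of the test is to find out which it does before an unknown worm does.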
Current thread:
- virus product pentest 4secure (Sep 12)
- Re: virus product pentest buzz (Sep 13)
- RE: virus product pentest Aleksander P. Czarnowski (Sep 13)
- RE: virus product pentest Debasis Mohanty (Sep 13)
- RE: virus product pentest Omar Herrera (Sep 13)
- <Possible follow-ups>
- RE: virus product pentest Ferino Mardo (Sep 13)