Home page logo

pen-test logo Penetration Testing mailing list archives

RE: virus product pentest
From: Omar Herrera <oherrera () prodigy net mx>
Date: Sun, 12 Sep 2004 16:20:39 -0500

-----Original Message-----
From: 4secure () web de [mailto:4secure () web de]

can someone give me tips, how I can run a virus protection tests.
This is this also interesting, if one must accomplish a virus audit. So
far I examined only functionality with an EICAR test virus. I need however
still procedures for the performance of a virus protection. I would
examine also, which viruses the product (e.g. viruses, which are specified
at http://www.wildlist.org/WildList/RTWL.htm) recognizes. Gives it in
addition a kind collection of virus identifications (defused viruses) or
have I to search the internet for some real viruses in the internet.
Perhaps is there a finished virus collection, if so where?

Yours sincerely

It is not very clear what exactly do you (or your client actually) wants to
accomplish, but I'll assume you are proposing this kind of audit to a
client. In my case I was the client and have asked consultants to do similar
evaluations (so I will answer from that point of view).

First, many tests are not well suited for penetration testing, perhaps not
even to be done by consultants for a specific product. These are some of

* Virus detection against a virus collection
* New/unknown virus detection

These tests are better done while comparing a wide range of antivirus
products and the goal might be to recommend some product to your client. But
there are already people with labs doing this in a proper way with proper
tools, so there is no need to include this in pentest (your results won't be
reliable probably). Besides, you might get into dangerous waters by
assessing a specific product (how could you as a pentest consultant
demonstrate that you are capable of assessing a commercial AV product) the
vendor might even accuse you to be biased and it would be hard to support
that you are not.

If you want to show that the AV that your client has can miss some virus
variants or a new virus then you just have to tell them. There is no AV
capable of detecting all viruses, this is a well known fact that I believe
requires no further spending to be proved (there are products that can tell
you when they see something that has not been approved though, but you see
this kind of architecture more on the side of host based IDS). Besides,
suppose you find that this AV doesn't detect a certain virus by the time you
test it. Would you recommend changing it? But, wouldn't you then need to
show that there is actually another product that detects this and all other
viruses the other AV detected? In the end, wouldn't that force you to make a
full AV product comparison?

So, What did I asked to be included in a pentest? Well, to test the
perimeter defenses put in place to contain malware but these turn out to be
mostly configuration and rules. They (consultants) tested AVs in the process
but obviously they failed (you will see why in the next few lines). The
infrastructure I was looking to test was this:

* Certain firewall policies 
* Certain servers configurations (email and web proxy filters)
* Certain Workstation configuration (file access and registry permissions)

In the end, this allowed us to test our resistance against generic virus
propagation (common propagation vectors such as email and web surfing), as
well as the resistance of our desktops to execute unwanted code.

We do use AV of course, several brands (gateway, local, scanners and memory
resident, you name it), but as many have already noticed, viruses and worms
are spreading much faster each time so what we used to see as our last line
of defense (these filters and configurations) turned out to be our primary,
and many times, only means of defense. The number of times a virus has been
detected reaching inside our network with none of our AVs having the virus
signature should be around 20, just for the first half of this year.

And what did these guys do to test this? They developed a limited trojan
like thing that was sent through email and http (we acted as the most
clueless user clicking and opening everything they sent us to this lab
machine) testing in this way perimeter filters (we saw here things like:
ooops, .exe is blocked, then I try .zip, then I try passwd protected .zip
and so on). Then, on the inside, tested the ability of this thing writing to
the registry to key points such as
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and other
vectors, that allow viruses and worms to be executed after the machine is
restarted. Then we tested their capabilities to write to certain folder, to
open ports and to establish a covert channel back to the internet.

Summarizing, these were the requirements for the test malware we requested:
* Source code must be available (well, we don't trust our consultants that
much :-) )
* No replication capabilities (although we though it might not harm us to
allowed limited and controlled replication, we concluded that we only
required one copy of it to be executed inside to demonstrate weaknesses)
* Capabilities to evade perimeter and workstation security controls (but of
course, and that's where the pentest people play a role at by morphing and
expanding the malware)
* Capability of establishing a covert channel connecting back to the
Internet to demonstrate remote information stealing and control
* Capabilities to read/write/execute on certain folders.

On our part:
* A dedicated machine (isolated in a lab but protected with the same
security controls as any other machine, both on the network and locally)
* Email test account for the email vector
* A sitting duck, clueless user (actually one of our security staff acting
as such)

Some last notes: this is not a test that might work for everyone. It worked
for us because we have a standardized and closed baseline configuration of
workstations so we know that weaknesses replicate but also successful
security controls are everywhere. We only tested workstations and we closely
supervised all the process (there are thing that a consultant might not be
aware of during the test and yet you might notice something worth changing
while being on the inside. As you could probably note, AV were the last
thing we tested, and of course, they were ineffective as the situation we
tested here was one on which an unknown virus/worm is hitting us (which is
becoming more common every day). We know that our AVs will eventually detect
these new threats but that is not good enough from a prevention perspective.

Does this tests guarantee that we are immune to viruses/worms? Definitely
no, there is no protection to against specific attacks by a dedicated,
resourceful and well motivated attacker (that's why we have response teams
BCP, DRP and all that stuff), but it will certainly improve generic
protection against generic attacks. Viruses and worms are developed to
target mainly generic/commonly used systems, applications and
configurations, so that's where we put our most effort, and I must say it
has been a good investment :-)

I hope this is of some help.

Best regards,

Omar Herrera


Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]