Testing Guide

Introduction to AV Testing

Testing antivirus products is not difficult and these guides should help you get confident with handling malware in a safe environment and assessing how good your anti-malware software really is.

Before you embark, maintain a laser focus on the requirements, functions and features that matter to you. If a threat, option or configuration isn't relevant to your organisation, leave it off the table. Equally, your test environment, the malware you use and the testing methodology you follow should reflect what you would see in the real world. The term "real world" is a controversial one. Everyone has their perspective, but the only one that matters is yours. Real World is what you decide it is for you and your estate.

In any testing there are always compromises and limitations, and a common one is the use of virtual lab environments. Whilst virtual labs aren't perfect, they're almost always the best option for playing with malware, so it's wise to invest in building one. Safety, speed and automation are your friends, and a virtual lab provides all three.

Getting Started

Our three-step plan is pretty simple. Build a lab, get some malware and start testing your products. For each step you'll find a number of helpful articles, and we'll keep adding new content.

Build a virtual home for your testing

Sourcing, handling and staying safe with malware

See for yourself how good your AV really is

Step 1 – Test Lab Build

Articles

For testing antivirus and playing with malware, a virtual lab is your best option and the pros certainly outweigh the cons.

Pros

  • Safety – maintain complete isolation from the real world IT estate
  • Speed – rapidly customise hardware, software and tools onto multiple platforms
  • Automation – script repetitive activities without manually rebuilding machines

Cons

  • VM detection – some malware checks for virtualisation artefacts and behaves differently, or does nothing at all, in a virtual guest
  • Performance testing – differences in system resources and configuration between a production physical host and a lab virtual host can limit the relevance of some performance testing


Read the Test Lab Build articles to get your virtual environment up and running.

Step 2 – Introducing Malware

On TestMyAV.com we’ve got plenty of malware for you to use in your testing. Just go to the malware page and start there. You can also source malware from many other places on the Internet and from your local email spam folders. Whatever you use, you’ll need to handle it carefully to make sure you don’t accidentally infect a machine or let it be scanned prematurely before you’ve started the proper testing.

Make sure you add the necessary exclusions to your various filters so that you can move the malware around, e.g. download it from this website, and can store it on your machine, e.g. in a directory excluded from scanning. When moving malware on USB drives, it's safest to keep the files inside a password-protected zip file: the encrypted archive can't be read by a scanner in transit, so the samples are neither quarantined on the way nor accidentally executed.
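The following is an added example, not code from TestMyAV.com, of staging samples into the excluded folder without letting the AV see them first. It assumes Microsoft Defender as the AV, 7-Zip installed at its default path, a download location of C:\Users\tester\Downloads\samples.zip and an archive password of "infected" (all assumptions; substitute your own product, path and password). Run it from an elevated PowerShell session inside the lab VM.

```powershell
# Added example (not from TestMyAV.com): stage samples into the scan-excluded
# folder without the on-access scanner ever seeing them in the clear.
# Assumptions: Microsoft Defender, 7-Zip at the default path, archive password
# "infected", download path below. Requires an elevated session.
$Excluded = 'C:\malware_excluded'
$Archive  = 'C:\Users\tester\Downloads\samples.zip'   # assumed download location
$Password = 'infected'                                  # assumed archive password
$SevenZip = 'C:\Program Files\7-Zip\7z.exe'             # assumed 7-Zip install path

# 1. Create the holding folder and exclude it from scanning BEFORE anything lands in it.
New-Item -ItemType Directory -Path $Excluded -Force | Out-Null
Add-MpPreference -ExclusionPath $Excluded

# 2. Verify the exclusion really took effect. A management policy or Tamper
#    Protection can prevent the change, so never assume it worked.
$active = (Get-MpPreference).ExclusionPath
if ($active -notcontains $Excluded) {
    throw "Exclusion for $Excluded is not active; set it in the management console before extracting."
}

# 3. Extract straight into the excluded folder. The samples only ever exist
#    unencrypted inside the excluded path, so nothing is scanned prematurely.
& $SevenZip x $Archive "-p$Password" "-o$Excluded" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip extraction failed with exit code $LASTEXITCODE" }

# 4. Record a SHA-256 manifest so each sample can be matched to a detection
#    later, even after the AV has renamed or quarantined it.
Get-ChildItem -Path $Excluded -File |
    Where-Object { $_.Extension -ne '.csv' } |
    ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            Bytes  = $_.Length
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path (Join-Path $Excluded 'manifest.csv') -NoTypeInformation
```

The check in step 2 is the part people skip: if the exclusion is being applied by a central policy rather than locally, the extraction will trigger the very detection you are trying to postpone.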

Articles

Step 3 – Antivirus Testing

It’s time to get testing and seeing how good these anti-malware products really are. We’ve broken the testing out into separate articles depending on the type and depth you want to go. Start with the basic testing and do whatever feels relevant to you. We’ve even got information on mutating malware yourself to see if you can bypass your own antivirus.

Articles

Terminology Notes

  • PE = "Portable Executable", the Windows executable file format; on this site it refers to the malware executable files used as samples
  • PEs = Multiple PE files
  • “Directory” and “folder” are used interchangeably in this website
  • Most of the testing guides are Windows focused in their procedures but can be adapted to Mac environments easily
  • Three stages of AV Scanning:
  1. Scheduled Background Scan (e.g. weekly full disk scan)
  2. File Watcher Scan, also called on-access or real-time scanning (e.g. new files found on a USB drive)
  3. On-Execution Scan (e.g. double click an executable)

Environment Setup Notes

  • C:\malware_included – used for testing malware
  • C:\malware_excluded – used for hosting malware before testing (AV policy set to exclude this folder from all scanning/detection)
  • AV policy set to quarantine and all AV Client & Management alerting/logging enabled
  • Restore VM to clean snapshot before each test
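As an added example (not code from TestMyAV.com), the script below ties the three scan stages from the Terminology Notes to the environment described here: it takes each PE in C:\malware_excluded, pushes it through the file-watcher, on-demand and on-execution stages in turn, and records which stage, if any, caught it. It assumes Microsoft Defender with quarantine enabled, the two folders above, and a settle time of 15 seconds per stage; the settle time, the Hyper-V VM and checkpoint names in the comment, and the results file name are all assumptions.

```powershell
# Added example (not from TestMyAV.com): drive each sample through the three
# scan stages and record which one caught it. Assumptions: Microsoft Defender
# with quarantine on, the folders below, 15 s settle time per stage.
# Run ONLY inside the isolated lab VM, from an elevated session. Restore the
# clean checkpoint from the HOST between runs, e.g. on Hyper-V:
#   Restore-VMCheckpoint -VMName 'avlab' -Name 'clean' -Confirm:$false   (assumed names)
$Excluded = 'C:\malware_excluded'
$Included = 'C:\malware_included'
$Settle   = 15
New-Item -ItemType Directory -Path $Included -Force | Out-Null

function Test-SampleStages {
    param([Parameter(Mandatory)][string]$SamplePath)

    $name   = Split-Path $SamplePath -Leaf
    $target = Join-Path $Included $name
    $hash   = (Get-FileHash -Path $SamplePath -Algorithm SHA256).Hash   # hash before the AV can touch it
    $start  = Get-Date
    $result = [ordered]@{ Sample = $name; SHA256 = $hash
                          FileWatcher = $false; ScheduledScan = $false; OnExecution = $false; Threat = '' }

    # Stage 2, file watcher: copying into a scanned folder is the "new file" event.
    # Quarantine removes the file, so disappearance is treated as detection.
    Copy-Item -Path $SamplePath -Destination $target
    Start-Sleep -Seconds $Settle
    $result.FileWatcher = -not (Test-Path $target)

    # Stage 1, scheduled/background scan: a custom scan of the folder is the
    # on-demand equivalent of the weekly full-disk scan.
    if (Test-Path $target) {
        Start-MpScan -ScanType CustomScan -ScanPath $Included
        Start-Sleep -Seconds $Settle
        $result.ScheduledScan = -not (Test-Path $target)
    }

    # Stage 3, on-execution: launch the PE. A refused launch surfaces as a
    # Start-Process error; a successful launch that survives is a real miss.
    if (Test-Path $target) {
        $blocked = $false
        try {
            $p = Start-Process -FilePath $target -PassThru -ErrorAction Stop
            Start-Sleep -Seconds $Settle
            if (-not $p.HasExited) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
        } catch {
            $blocked = $true
        }
        $result.OnExecution = $blocked -or (-not (Test-Path $target))
    }

    # Cross-check against the product's own detection log: a sample can also
    # vanish because it deleted itself, which is not a detection.
    $det = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $start -and ($_.Resources -match [regex]::Escape($name)) }
    if ($det) {
        $result.Threat = ($det | ForEach-Object { (Get-MpThreat -ThreatID $_.ThreatID).ThreatName } | Select-Object -Unique) -join ';'
    }
    [pscustomobject]$result
}

# Run every staged PE and keep the results next to the samples (assumed file name).
$results = Get-ChildItem -Path $Excluded -Filter *.exe -File |
    ForEach-Object { Test-SampleStages -SamplePath $_.FullName }
$results | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $Excluded 'results.csv') -NoTypeInformation
```

A row where all three stage columns are false but Threat is empty is the interesting case: the sample ran and nothing logged it. Treat an empty Threat with a true stage column with equal suspicion, since it means the file went away without the product recording a detection.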

Want a few pointers? Fancy a chat? Just want an antivirus product recommendation?