Testing Guide 2 – Basic Blocking

Static PE Scan Test – New file detection

Procedure

  1. Copy malware into malware_included folder
  2. Wait…
  3. By monitoring AV alerts and system activity (e.g. Task Manager and Process Explorer) you’ll be able to see when the AV has finished processing all the files.
  4. Check the malware_included folder to see how many PEs have been quarantined by the AV (the more malware quarantined, the better).

Most AV products will watch for and scan any new files introduced to the machine, e.g. copied to a desktop folder or found on an attached USB drive. A simple but crude test is to copy your malware into your malware_included folder and wait for the AV product to detect the PEs. This is a “static” scan: the AV must convict the malware by static analysis alone, from the features and attributes of the file, not from how it actually behaves when executed.


Static scanning is important because it is the safest way to scan for malware: there is no danger of malicious activity occurring after execution but before the AV has detected and quarantined the file. Bear in mind that not every malicious file can be convicted statically; those need a second stage to ascertain their intent, and that stage is only triggered by executing the file.

Static File Scan Test – Automated Full Disk Sweep

Procedure

  1. Uninstall AV or disable new file detection in AV policy (if available)
  2. Copy malware into malware_included folder
  3. Install AV or enable only scheduled background scanning.
  4. Run a scheduled scan now on the full disk
  5. Wait… (this can take multiple days)
  6. Check the AV product’s logs to confirm the scan has finished
  7. Check the malware_included folder to see how many PEs have been quarantined by the AV (the more malware quarantined, the better).

The traditional scheduled full disk AV scan is far from a necessary tool these days; new file detection and on-execution scanning mostly render it redundant. A few benefits remain, though. One is a “one-time” full disk scan, especially when changing AV vendors (to see what the predecessor may have missed) or on first deployment of a new build. You may also feel that a regular scan is useful to catch malware that older signatures missed in previous scans. Lastly, some standards such as PCI demand regular full disk scans, e.g. every 9 days. Generally, if available, a one-time full disk scan suffices for most deployments.

Static Detection Performance – A brief Note

Arguably, static malware detection doesn’t need to be quick, as long as the malware gets scanned again if it is later executed.


Explanation – Malware is inert whilst sitting dormant in a folder, so scanning every file instantly rather than slowly brings no risk reduction: nothing malicious is occurring whilst you wait for a slower background scanner. Moreover, devoting system resources to intensive background scanning can only hurt the end user’s system performance. Background scanners are a nice proactive layer of protection, but they are always secondary to the vital scan at the point of execution. As long as each piece of malware is scanned rapidly at the point of execution (e.g. when double-clicking a PE), your AV is protecting you when you need it without jeopardising performance.


Therefore, for the static scan detection tests, comparing how long each AV product takes to complete its scan isn’t something to care much about.

On-Execution Test

Procedure

  1. Disable background scanning and new file detection in AV policy
  2. Copy malware into malware_included folder
  3. Either manually or automatically execute each piece of malware, e.g. from a cmd prompt in the folder: for %i in (*.exe) do start %i
  4. In parallel, monitor Process Explorer for malware process activity, AV alerts and system performance.
  5. Wait until all activity ceases
  6. Check the malware_included folder to see how many PEs have been quarantined by the AV (the more malware quarantined, the better).

The last line of protection is the on-execution AV scan. If the AV misses the detection here, you’ll likely be infected and it’s game over. In this test, just run the malware and see how much of it gets detected (hopefully all of it). You may want to disable background scanning and new file detection so that the test focuses solely on on-execution scanning.
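All three procedures above (new file detection, full disk sweep, on-execution) end the same way: count how many PEs in malware_included the AV has quarantined. The script below is an added example, not tooling from the guide or its author, that does that counting repeatably: it takes a hashed baseline of the folder before the AV is allowed to see it, and afterwards reports every PE that has vanished or changed (quarantined) versus every PE that is still intact (missed). PEs are recognised by their MZ/PE headers rather than by extension, and the optional `launch` step reproduces the guide’s `for %i in (*.exe) do start %i` from Python. The folder name malware_included is taken from the guide; the baseline file name, the stub-PE helper and the `dry_run` rehearsal are this example’s own constructions.

```python
"""Score an AV blocking test against the malware_included folder.

Added example for this guide, not the author's tooling. Assumes the sample
folder is flat and that a quarantined file either disappears or is replaced
by a stub whose hash changes.

  python avtest.py baseline   # before the AV can see the samples
  ...run the test (copy in and wait / full disk scan / launch)...
  python avtest.py score      # which PEs were quarantined, which were missed
"""
import hashlib
import json
import struct
import subprocess
import sys
import tempfile
from pathlib import Path

MALWARE_FOLDER = Path("malware_included")  # assumption: folder name from the guide


def is_pe(path):
    """Identify PEs by header, not extension: 'MZ' at 0, e_lfanew at 0x3C -> 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:  # unreadable or locked (e.g. mid-quarantine) counts as not present
        return False


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(folder):
    """Map filename -> SHA-256 for every PE currently in the folder."""
    return {p.name: sha256(p) for p in sorted(Path(folder).iterdir())
            if p.is_file() and is_pe(p)}


def score(baseline, after):
    """A baseline PE that is gone or changed counts as quarantined; an intact one is a miss."""
    detected = sorted(n for n, d in baseline.items() if after.get(n) != d)
    missed = sorted(n for n in baseline if n not in detected)
    rate = len(detected) / len(baseline) if baseline else 0.0
    return {"total": len(baseline), "detected": detected, "missed": missed, "rate": rate}


def launch_all(folder):
    """On-execution test: start every PE detached, like `for %i in (*.exe) do start %i`.
    Windows only, and only ever inside an isolated, snapshotted test VM."""
    if sys.platform != "win32":
        raise RuntimeError("on-execution test is Windows-only; run it inside the test VM")
    flags = subprocess.DETACHED_PROCESS | subprocess.CREATE_NEW_PROCESS_GROUP
    for name in inventory(folder):
        subprocess.Popen([str(Path(folder) / name)], creationflags=flags)


def write_stub_pe(path, seed):
    """Constructed, non-runnable stand-in: valid MZ/PE magic only, to exercise the scoring."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> immediately after the DOS header
    Path(path).write_bytes(bytes(dos) + b"PE\x00\x00" + seed.encode())


def dry_run():
    """Rehearse baseline -> simulated quarantine -> score on constructed stubs in a temp folder."""
    folder = Path(tempfile.mkdtemp())
    for name in ("a.exe", "b.exe", "c.exe"):
        write_stub_pe(folder / name, name)
    (folder / "notes.txt").write_bytes(b"not a PE")  # must be ignored by is_pe()
    baseline = inventory(folder)
    (folder / "a.exe").unlink()                      # quarantined: file removed
    write_stub_pe(folder / "b.exe", "stub")          # quarantined: replaced by a stub
    return score(baseline, inventory(folder))        # c.exe is the miss


if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else "dry-run"
    folder = Path(sys.argv[2]) if len(sys.argv) > 2 else MALWARE_FOLDER
    baseline_file = folder.parent / (folder.name + ".baseline.json")  # kept outside the folder
    if cmd == "baseline":
        baseline_file.write_text(json.dumps(inventory(folder), indent=1))
    elif cmd == "launch":
        launch_all(folder)
    elif cmd == "score":
        r = score(json.loads(baseline_file.read_text()), inventory(folder))
        print(f"{len(r['detected'])}/{r['total']} PEs quarantined ({r['rate']:.0%})")
        for name in r["missed"]:
            print("MISSED", name)
    else:
        print(dry_run())
```

Take the baseline while the AV is uninstalled or has new file detection disabled, otherwise files may be quarantined before they are hashed and will never appear in the count. One caveat for the on-execution test: a sample that deletes or overwrites itself when run will also show as “gone or changed” and be scored as quarantined, so cross-check the detected list against the AV product’s own quarantine log rather than trusting the folder diff alone.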

Carl Gottlieb

Data Protection Consultant, specialist in anti-malware security solutions and Consulting Director of Cognition Secure. Helping organisations test products for themselves and get the best protection.

Want a few pointers? Fancy a chat? Just want an antivirus product recommendation?