How to Test Your Antivirus, Anti-Malware, Firewall and Network Perimeter Security Devices (Penetration testing and pen tests)
by Paul Rudo on 12/06/11 at 5:07 pm
As with any critical security function in IT, you need to test your company’s antivirus and anti-malware protection. It’s not enough to trust your vendor. Even if their products are working perfectly, the implementation might’ve left some holes open in your security.
That’s why you should test the security of your internal network several times per year in order to predict how well it can defend against viruses, malware and other nasty attacks.
The best way to test your network is through penetration testing (often called pen testing).
For this article, we’ll only be focusing on the virus/malware area of pen testing. There are other tests that must also be performed as part of a full audit, but we’ll save that for another article.
At first, it may appear that the simplest way to test your security would be to gather up thousands of nasty viruses and set them loose on a network. Then you can go back and measure the percentage that were blocked in order to determine the effectiveness of your network protection.
However, the results of such a test can be misleading since it might fail to expose critical flaws in your security.
Before attempting this kind of test, you must first check that your network security is actually working. A better way of doing this is to test just one simple virus and alter it in various ways to detect specific vulnerabilities.
You can get a benign test virus here. This file shouldn’t hurt your system, but it SHOULD trigger your antivirus.
Now that you have a virus for testing, you’ll also want to set up an external Linux web server, FTP server and email server to deliver the file. In order to truly test the capabilities of your security, you’ll also want to switch up the ports.
For example, you may want to set up web servers on ports 80 and 242, and you may want to set up one POP server on port 110 and another on port 23, the port normally used for Telnet.
Then try to push the file into your network using different means, hiding the file in different ways:
- Try sending it as a simple email attachment.
- Try compressing the virus into a ZIP file.
- Try making a ZIP file that contains a ZIP file containing the virus.
- Try single- and double-ZIPping the virus, and password-protecting it.
- Try unconventional compression formats like RAR or GZIP.
- Try changing the name of the file.
- Try changing the file extension so that it appears to be another type of document (.PDF, .JPG, .PPT).
- Try embedding it in a document such as Word or Excel.
If you use your imagination, you could probably come up with a hundred variations. Once you’ve done this, you’re ready to start testing.
- Try emailing the file into your network, and also try sending it out from within your network. Additionally, you’ll want to try sending it internally from one machine to another.
- Post all of these files up on your web servers and FTP servers, and try downloading all of the files.
- Set up an online message board on your web server and see if the virus files can be uploaded to the forum as an attachment. Also try doing the same on your private intranet, if you have one in place.
- Try downloading the files from other sources, such as Gmail or any other hosted applications that could potentially be used to distribute viruses.
As you grow your options, you’ll develop a wide matrix of potential vulnerabilities. Keep a spreadsheet of your results in order to spot patterns.
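To keep the variant matrix reproducible, the following Python script (added here as an example; it is not from the original article) builds the disguises listed above from a single test file and writes them out beside a CSV you can fill in as each delivery channel is tried. The SAMPLE bytes are a constructed placeholder standing in for the benign test file, and the CSV column names are assumptions; password-protected archives are left out because the standard library can only read, not write, encrypted ZIPs.

```python
import csv
import gzip
import hashlib
import io
import zipfile
from pathlib import Path

# Constructed placeholder; substitute the bytes of the benign test file from
# the article when actually running the exercise.
SAMPLE = b"PLACEHOLDER-BENIGN-TEST-FILE\n"

def sha256(data: bytes) -> str:
    """Hex digest used to match a blocked file back to its row in the matrix."""
    return hashlib.sha256(data).hexdigest()

def zip_bytes(member_name: str, data: bytes) -> bytes:
    """Return an in-memory ZIP archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()

def unzip_member(archive: bytes, member_name: str) -> bytes:
    """Extract one member from an in-memory ZIP (used to verify nesting)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(member_name)

def build_variants(sample: bytes, base: str = "testfile.txt") -> dict:
    """Map output filename -> bytes for each disguise in the checklist."""
    single_zip = zip_bytes(base, sample)
    return {
        base: sample,                                   # plain attachment
        "renamed.txt": sample,                          # changed file name
        "report.pdf": sample,                           # misleading extensions
        "photo.jpg": sample,
        "slides.ppt": sample,
        base + ".zip": single_zip,                      # single ZIP
        base + ".zip.zip": zip_bytes(base + ".zip", single_zip),  # ZIP inside ZIP
        base + ".gz": gzip.compress(sample),            # unconventional format
    }

def write_matrix(variants: dict, out_dir: str) -> Path:
    """Write every variant to out_dir plus a results.csv to record what was blocked."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    csv_path = out / "results.csv"
    channels = ["email_in", "email_out", "email_internal", "http_80", "http_242", "ftp", "forum"]
    with open(csv_path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["file", "sha256"] + channels)
        for name, data in variants.items():
            (out / name).write_bytes(data)
            writer.writerow([name, sha256(data)] + [""] * len(channels))  # fill in blocked/passed
    return csv_path
```

Copy the generated directory onto the external web, FTP and mail servers and record a blocked/passed mark per channel; patterns (for example, every nested ZIP passing on port 242 but not port 80) then show up directly in the spreadsheet.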
Once you’ve broadly secured your network against a single virus, exhaustively tested in every possible way, you’ll have much more to gain from more advanced testing.
Remember Kids: Always test offline, and never compromise a live, critical system.