Analecta Cyber Company Blog: Carefully Testing your Antivirus Software on the Web

2018-10-09

Carefully Testing your Antivirus Software on the Web

The roles of antivirus (AV) software and intrusion detection systems (IDS) are similar and straightforward - to detect malicious activity targeting your systems. NIST Cybersecurity Framework recommends that you test detection processes as a key function of security (akin to testing smoke alarms and fire extinguishers for proper functionality before they are needed). Here we discuss testing your antivirus and IDS to be sure they are functioning properly and protecting your networks.

How do you know if your AV and IDS solutions are working?


While you can be reasonably confident that the major AV vendors will ship the most up-to-date methods of detecting malware on your network, you still need to verify that the software is functioning properly after you install it. A simple way to do this is to navigate to a trusted anti-malware test site and observe what happens.

**WARNING**
You should be very selective when choosing which anti-malware test site to use. Some websites may claim to be anti-malware test sites, when in reality they use social engineering to get you to bypass security processes to install malware. (We list several test websites below, however, if you are unsure if a website is valid to use to perform a test on your system, email us at info@analecta-llc.com, and we can help you out.)

[Image: Google Chrome's "The site ahead contains malware" warning page]
Web browsers should notify users when they navigate to a potentially malicious website. Google's Chrome browser includes a red background to drive the point home.

What happens when you visit a malware testing site?


When you visit a malicious website, or use a valid anti-malware test site, a number of things should occur:
  • Search engines may mark the link with a message like “This website may harm your computer” and keep you from visiting the site.
  • If you navigate to the link directly, web browsers will warn or prevent your attempt to connect to the site.
  • Networks protected by inline web filtering devices, application-layer firewalls or proxy servers should also block access to malicious websites, including test sites.
  • Desktop-based AV software should flag malicious links and block them.
If none of these things happen, your computer is not well protected and you are at risk of downloading malware. Check for these responses with each browser installed on your machines. If there is a misconfiguration in your AV installation, one browser may detect the malware properly while another misses a component. If a browser fails to identify the test domain as malicious, adjust the AV and/or browser configurations until it does, or stop using that browser entirely.

Locally testing antivirus software


Testing the function of your AV locally, or offline, is straightforward, but it helps to understand why it works. Online test websites may use actual browser exploits; the offline test instead uses a file called the European Institute for Computer Anti-virus Research (EICAR) Standard Anti-virus Test File. The file is a legitimate DOS program that can be run as an executable, and it prints a simple message when run. Most AV software includes a virus definition specifically for this test file and reacts to it as if it were a virus.

The EICAR test file is a safer alternative to downloading a live virus and hoping that the AV software will detect it. EICAR, the developer of the file, encourages all anti-malware vendors to use this test file as an industry standard.

Testing the IDS


To prevent malicious activity, intrusion detection systems/intrusion prevention systems (IDS/IPS) use signatures and rules instead of virus definitions, so it is just as important to keep these up-to-date. The vast majority of malicious traffic can be detected using IDS signatures. To stay current, follow these steps:
  1. Use the auto-update features of your IDS.
  2. Subscribe to your IDS manufacturer's security update bulletins.
  3. Use information from threat sharing groups.
After you have made sure your signatures are current, follow the manufacturer's suggestions for conducting a test. This may include steps like changing the security settings on the IDS to "Very High Security" or a similar setting. You may need to use an outside device running penetration testing software, like Metasploit, and have additional personnel watching the IDS monitor for anomalies. Other tools, like Nmap, will also trigger IDS alerts, which indicates the system is functioning properly. After each test, document when and how the test was conducted and incorporate the results into your security plan.

Stay protected to stay in business


Keeping your business afloat is a full-time job. Protect your resources by keeping your virus definitions and IDS signatures current. If you are unsure where to start, our team of experts is willing to impart skills and expertise in keeping your business protected from cyber threats. Visit our Cyber Security website or email us at info@analecta-llc.com for more information.

Further Resources