When implementing new firewalls at the customers’ site it is always interesting to verify that the anti-virus scanners etc. are running as expected. For simple virus-engines, a sample virus such as the EICAR anti-malware test file can be used. If this “virus” traverses through the firewall inside various protocols such as http, ftp, or smtp, the firewall must block this connection.
However, next-generation firewalls or any other APT (Advanced Persistent Threat) solutions are able to send unknown executables to its own cloud in order to test it. If a malware is found, these products can block future connections with these files, e.g., by updating the anti-virus patterns or their URL categories.
The problem is: How to test whether the “upload unknown files” function works properly? -> My idea is to have a server that generates “dynamic” viruses. When downloading such a “fresh generated” virus, the antivirus engine does not have a pattern for it. That is, the file must be uploaded to an APT solution. The logs on the firewall should list this upload process.
This could be the process:
- A user requests a “new” virus from a known and trusted server that runs this application. The virus should not harm the test system, but should behave as a virus.
- The server must modify the source code of the virus each time in order to pass common antivirus patterns.
- The user downloads the virus through a common protocol such as http, ftp, or gets the virus by mail (smtp).
- The NGFW should detect an unknown file (= no antivirus pattern) and upload it to its own cloud based APT engine.
Here is a quick-and-dirty sketch:
To my mind it is not easy to generate a “fresh malware”. But since the bad guys are doing it all the time, it should be feasible.
I do not know whether such a system is already present on the Internet. Maybe? If someone knows something about such systems, please write a comment. Or this might be a good topic for a project thesis for students. ;)
Even with Callbacks?
An even more interesting test case would be a “malware server” that generates dynamic malwares with a callback to itself. A logfile on the server would reveal whether the test malware really called back. That is, a user could test whether an APT solution a) recognizes and b) prevents callbacks. The scenario could be similar to the above one:
- The user requests a new malware from the server.
- The server generates a fresh malware with a random callback ID.
- The user downloads the malware.
- The APT solution gathers information about this malware.
- The test PC calls back to the “malware server”.
- Any firewalls should see the connection to the server. After pattern updates of the antivirus engines, these callbacks should be blocked.
- A logfile on the server, which shows the callback ID from step 2 as a reference, reveals which machines successfully called back.
- A callback from another PC that is initiated later on should be blocked by the firewall/APT solution.
And a sketch for this process, too:
Okay, maybe this idea is a bit oversized. However, I think a method to show the customer that his machines are working as expected would be great.