Thursday, 26 April 2012

Quick and easy anti-virus test

Yesterday I gave a short malware testing presentation at Kaspersky Lab's 'Reviewer's Roundup' in Amsterdam.

I wanted to show how even those without vast resources can check to see if what an anti-malware product claims to do matches what actually happened.

When we run anti-malware tests at Dennis Technology Labs we use a wide range of tools to generate logs that enable us to take a forensic approach to analysing the system. However, there are quicker ways to achieve suitable results for a comparative test of security programs.

The demonstration video below shows approximately what the journalists saw yesterday. This includes the use of Process Explorer and TCPView for live, manual monitoring of a system as it visits an infected website and is attacked by a drive-by download (exploit).

More importantly, it shows the sort of information that CaptureBAT can generate. The real advantage of CaptureBAT is that it monitors the system in much the same way as a suite of other tools. In that respect it is very convenient. It also saves deleted files, which is particularly useful when dealing with malware.

The video shows a clean system being infected by a genuine malicious website using a threat that we found the previous week. We then examine the log files to discover what happened and even display the exploit code that caused the attack in the first place.

It's worth noting that CaptureBAT doesn't provide a vast amount of information about what the malware really did on the system. We can see that it ran, but that's about it. For more in-depth information, which is what an anti-malware vendor requires, you'd need to use Process Monitor or a similar tool.

To view the video, which is too wide for this page layout, please view it on YouTube. Sorry, no sound.