Full Report
How to make sure your antivirus is working without any malware. Michael Allen: Recently, a customer asked me if there was a way they could generate alerts from the new antivirus product they deployed without executing any actual […] The post Is This Thing On? appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Antivirus/Endpoint Security Verification Without Executing Live Malware
## Overview
These practices focus on verifying the foundational detection capabilities of an installed Antivirus (AV) or Endpoint Detection and Response (EDR) solution using recognized, non-malicious standardized test strings and methods. The goal is to confirm that the AV is active, scanning files, monitoring system interfaces (like AMSI), and detecting hidden data structures (like Alternate Data Streams) without introducing actual executable threats into sensitive environments.
## Key Recommendations
### Immediate Actions
1. **Test File-Based Static Detection:** Create and save the EICAR test file to disk using various extensions (e.g., `.EXE`, `.TXT`, `.JPG`, `.COM`, `.DOCM`) to confirm the AV scans files based on content, not just file type.
2. **Verify AMSI Hooking:** Execute the designated AMSI test string within PowerShell or another supported scripting environment to ensure the AV successfully hooks into the Antimalware Scan Interface (AMSI) for in-memory script inspection.
3. **Test ADS Scanning via PowerShell:** Utilize PowerShell commands to explicitly write the EICAR string into an Alternate Data Stream (ADS) attached to a benign file to verify if the AV monitors NTFS ADS structures for malicious content.
### Short-term Improvements (1-3 months)
1. **Document Extension Coverage:** If certain EICAR test files saved with specific extensions are *not* detected, document this gap as it indicates AV configuration needs adjustment to enforce scanning rules across all relevant file types.
2. **Capture and Review Alerts:** Ensure that successful alerts for EICAR, ADS, and AMSI tests are properly logged, reviewed, and trigger defined response actions within the security monitoring system (SIEM/Alerting platform).
### Long-term Strategy (3+ months)
1. **Integrate Testing into Baseline Checks:** Incorporate file-based (EICAR) and memory-based (AMSI) tests into routine configuration audits or infrastructure validation efforts to ensure AV integrity remains after updates or configuration changes.
2. **Expand Testing Scope:** Move beyond basic static string detection to test more complex scenarios, such as memory dumping protection (if applicable), using controlled, internal non-malicious data patterns that mimic real-world obfuscation techniques.
## Implementation Guidance
### For Small Organizations
- Focus heavily on **Immediate Actions (1, 2, and 3)**, as these methods require only basic tools (Notepad, built-in PowerShell) and confirm basic AV functionality is operational.
- Use the EICAR direct download link (`https://secure.eicar.org/eicar.com.txt`) as a quick method to check browser/network protection if file writing is restricted.
### For Medium Organizations
- Document observed detection success/failure across different file extensions and formalize these findings into a baseline operational check procedure.
- Systematically test ADS detection across multiple systems using the provided PowerShell commands to identify any inconsistencies in NTFS scanning configurations across the fleet.
### For Large Enterprises
- Script the EICAR and AMSI tests to be deployed via centralized management tools (e.g., Group Policy, configuration management software) to automate verification across thousands of endpoints.
- Record the administrative output (e.g., event logs, AV console notifications) from successful tests to validate the logging and alerting infrastructure upstream of the endpoint agent.
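The three Immediate Actions above (EICAR on disk, EICAR in an alternate data stream, the AMSI test string) combined into one scriptable check of the kind the enterprise guidance describes, written here as an added example rather than code from the BHIS post or its author. `$TestDir` is a constructed scratch path, and the pass/fail rule (file or stream removed, or write refused, counts as detected) is an assumption about how the installed AV reacts.

```powershell
# Added example harness (not from the BHIS post). Runs the three checks the
# recommendations describe and reports which ones the AV acted on.
# Assumptions: $TestDir is a constructed scratch path; a healthy AV removes or
# blocks the file/stream, so "gone afterwards" or "write refused" counts as detected.
$TestDir = Join-Path $env:TEMP 'AvCheck'
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null

# Both test strings are assembled at run time so this harness file is not itself
# quarantined or blocked on load; what is verified is detection of the assembled
# string once it reaches disk, an ADS, or the AMSI scan interface.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
$Amsi  = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-' + '0ac1484c1386'

$Results = @()
foreach ($ext in '.exe', '.txt', '.jpg', '.com', '.docm') {
    $path = Join-Path $TestDir "eicar$ext"
    try {
        # -NoNewline keeps the file at the 68-byte EICAR standard
        Set-Content -Path $path -Value $Eicar -Encoding Ascii -NoNewline -ErrorAction Stop
        Start-Sleep -Seconds 2                     # let real-time protection act
        $detected = -not (Test-Path $path)
    } catch { $detected = $true }                  # write refused outright
    $Results += [pscustomobject]@{ Test = "EICAR file $ext"; Detected = $detected }
}

# ADS check: benign carrier file, EICAR written into a stream named EICAR (-Stream, PS 3.0+)
$carrier = Join-Path $TestDir 'ADS_Test.txt'
Set-Content -Path $carrier -Value 'benign carrier content'
try {
    Set-Content -Path $carrier -Stream EICAR -Value $Eicar -Encoding Ascii -NoNewline -ErrorAction Stop
    Start-Sleep -Seconds 2
    $stream = Get-Item -Path $carrier -Stream EICAR -ErrorAction SilentlyContinue
    $adsDetected = -not (Test-Path $carrier) -or ($null -eq $stream)
} catch { $adsDetected = $true }
$Results += [pscustomobject]@{ Test = 'EICAR in ADS'; Detected = $adsDetected }

# AMSI check: a hooked provider raises ScriptContainedMaliciousContent when the
# assembled string is evaluated as script content.
try {
    Invoke-Expression -Command "'$Amsi'" | Out-Null
    $amsiDetected = $false
} catch { $amsiDetected = ($_.FullyQualifiedErrorId -match 'MaliciousContent') }
$Results += [pscustomobject]@{ Test = 'AMSI test string'; Detected = $amsiDetected }

# Any "False" row is a gap to document; each "True" row should have a matching SIEM alert
$Results | Format-Table -AutoSize
Remove-Item -Path $TestDir -Recurse -Force -ErrorAction SilentlyContinue
```

Run it interactively on one endpoint first; if the AV quarantines the harness file itself before it executes, that is also a positive file-based detection result worth recording.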
## Configuration Examples
| Test Target | Method/Tool | Specific Command/String |
| :--- | :--- | :--- |
| **File Detection** | Text Editor (Notepad) | Paste EICAR string and save as `test.EXE` |
| **ADS Detection** | PowerShell | `Set-Content .\ADS_Test.txt:EICAR 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'` (single quotes keep `$EICAR` and `$H` from being expanded as variables) |
| **AMSI Detection** | PowerShell | Execute script containing: `'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'` |
## Compliance Alignment
- **NIST SP 800-53 (CM):** Configuration Management and Control. Verifying AV functionality aligns with ensuring system security controls are operating as intended.
- **CIS Controls (Control 8: Malware Defenses):** Directly validates the ability of endpoint protection solutions to detect and prevent malware introduction and execution, even in non-traditional storage locations (like ADS) or memory.
## Common Pitfalls to Avoid
- **Focusing Only on `.EXE` Files:** Assuming the AV covers all file vectors; always test with inconspicuous extensions like `.TXT` or `.JPG` to check for comprehensive file type scanning policies.
- **Ignoring Alternate Data Streams (ADS):** Assuming file-based scanning is sufficient; malware often uses ADS on NTFS to evade simple scanners.
- **Misinterpreting Test Results:** A successful EICAR detection proves only that a *basic signature* was matched, not that the AV can detect complex, polymorphic malware binaries. Use these tests only as a function health check.
- **Failing to Check Alerting:** Confirming the local AV pop-up is not enough; ensure the security operations team receives a centralized alert confirming detection.
## Resources
- **EICAR Test File Standard:** Provides the known safe string used for file-based testing.
- **AMSI Documentation:** Microsoft documentation detailing how memory-based script scanning interfaces work (for advanced testing verification).