jameswbrown08322 Posted October 6, 2017 ID:1170276
I'm testing a trial copy of Endpoint Protection. I've turned on EP in the default policy I'm using. Then I downloaded the Eicar test virus. On my Win 10 box Windows Defender trapped it. But on my test Win XP and Win 7 I was able to download it, save it, and run it. EP does not appear to notice. Nothing shows up in the cloud dashboard even when I tell it to run a scan on those workstations that have the Eicar.com file saved on the drive. What might I be doing wrong?
David H. Lipman Posted October 6, 2017 ID:1170282
Malwarebytes' Anti-Malware (MBAM) does not target scripted malware files. That means MBAM will not target: JS, JSE, PY, HTML, HTA, VBS, VBE, WSF, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc. It also does not target documents such as: PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc. It also does not target media files: MP3, WMV, JPG, GIF, etc. Until MBAM v1.75, MBAM could not access files in archives, but with v1.75 came that ability, so it can unarchive a Java JAR (which is a PKZip file) but it won't target the .CLASS files within. The same goes for CHM files (which is a PKZip file), but it doesn't target the HTML files within. MBAM v1.75 and later specifically will deal with: ZIP, RAR, 7z, CAB and MSI for archives, and self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files). MBAM specifically targets binaries whose first two characters are "MZ". They can be: EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything, such as TXT, JPG, CMD and BAT, and they will still be targeted just as long as the binary starts with 'MZ'. Because the EICAR file is not a Windows PE file, it simply won't be targeted.
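The distinction drawn in the post above (a file is in scope for MBAM's file scanning when its first two bytes are "MZ", regardless of its extension; the EICAR file is plain text and so is out of scope) can be made concrete with a small classifier. The script below is an added example for this thread, not code from any poster or from Malwarebytes: it builds a few constructed sample files in a temporary directory (a minimal MZ/PE header, the same bytes renamed to .txt, a plain-text stand-in for EICAR, a script file) and reports which ones an MZ-based scanner would even look at. The sample contents, file names and the three class labels are assumptions made for the example; the "stricter" PE check reads the e_lfanew pointer at offset 0x3C and looks for the "PE\0\0" signature, which is the standard PE layout.

```python
import struct
import tempfile
from pathlib import Path


def starts_with_mz(data: bytes) -> bool:
    """The criterion from the post: the file begins with the DOS/PE magic 'MZ'."""
    return data[:2] == b"MZ"


def has_pe_signature(data: bytes) -> bool:
    """Stricter check: the DWORD at offset 0x3C (e_lfanew) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or not starts_with_mz(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Label used in this example (assumed, not a Malwarebytes term):
    'pe-binary'  - MZ header plus a valid PE signature (in scope for the scanner)
    'mz-stub'    - starts with MZ but no PE signature (still in scope per the post)
    'non-pe'     - anything else: scripts, documents, media, EICAR (out of scope)
    """
    if has_pe_signature(data):
        return "pe-binary"
    if starts_with_mz(data):
        return "mz-stub"
    return "non-pe"


def make_minimal_pe_bytes() -> bytes:
    """Constructed: a 64-byte DOS header whose e_lfanew points just past it,
    followed by the PE signature. Not a loadable executable, only a header."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew = 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def write_samples(directory: Path) -> None:
    """Constructed sample files; names and contents are assumptions for the demo."""
    pe = make_minimal_pe_bytes()
    samples = {
        "test.exe": pe,                                  # normal-looking binary
        "notes.txt": pe,                                 # same bytes, renamed (extension ignored)
        "eicar.com": b"CONSTRUCTED-TEXT-STAND-IN-FOR-EICAR\r\n",  # plain text, no MZ
        "script.js": b"console.log('constructed script sample');\n",
        "odd.bin": b"MZ" + b"\x00" * 10,                 # MZ magic but truncated header
    }
    for name, content in samples.items():
        (directory / name).write_bytes(content)


def scan_directory(directory: Path) -> dict:
    """Classify every regular file in the directory by content, not by name."""
    return {p.name: classify(p.read_bytes()) for p in sorted(directory.iterdir()) if p.is_file()}


def demo() -> dict:
    """Build the samples in a temp dir, scan them, and return name -> class."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        write_samples(directory)
        return scan_directory(directory)


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:12s} {label}")
```

The point the script makes is the one the post makes: an EICAR download is a sensible test for engines that target the EICAR string specifically, but it says nothing about an engine that scopes itself to MZ-headed binaries, so a clean result on Eicar.com is not evidence that the product is broken.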
jameswbrown08322 Posted October 6, 2017 Author ID:1170286
I'm talking about the new cloud-based Malwarebytes Endpoint Protection system. But I believe it's based on the standalone MBAM 3.x engine(s), so what you discuss probably applies. OK, so is there a way to test EP?
pondus Posted October 6, 2017 ID:1170292
Test IP >> https://forums.malwarebytes.com/topic/45400-malwarebytes-ip-test-site/?tab=comments#comment-229093
Never tried these so don't know >> http://www.wicar.org/test-malware.html
KDawg Posted October 6, 2017 ID:1170297
You can test the Anti-Malware malicious file real-time function (test-trojan, test_PUP) and Anti-Exploit (mbae-test) with the following zipped tools: https://malwarebytes.box.com/s/2ae222kt1ogv41emx1ehgnq8d9stgiue (Password = mbam). The real-time web blocker can be tested by going to http://iptest.malwarebytes.org/ on the endpoint. These are not real viruses but are defined as threats and will show up if the scan hits them. Please let us know if your scanner is able to catch these. Many thanks.
jameswbrown08322 Posted October 6, 2017 Author ID:1170334
I'm testing on several workstations: Win XP, Win 7, and Win 10. All three blocked going to iptest.malwarebytes.org, and it gets reported in the cloud interface. The zipped tools threw me off a little. At first I was just getting a Windows error trying to extract. But that was because of the password. I was then able to extract using WinZip and that password you mentioned. After extracting, running the test-trojan and test-pup resulted in them being closed and quarantined. mbae-test was closed when clicking the exploit button. So, that's what I wanted: something to prove the Endpoint Protection was correctly installed and working.
KDawg Posted October 6, 2017 ID:1170339
Sounds like we have those machines properly secured and the real-time protection features are working as expected!
Edited October 6, 2017 by KDawg