
I'm testing a trial copy of Endpoint Protection. I've turned on EP in the default policy I'm using. Then I downloaded the Eicar test virus. On my Win 10 box Windows Defender trapped it. But on my test Win XP and Win 7 I was able to download, save it, run it. EP does not appear to notice. Nothing shows up in the cloud dashboard even when I tell it to run a scan on those workstations that have the Eicar.com file saved on the drive.

What might I be doing wrong?


Malwarebytes' Anti-Malware (MBAM) does not target scripted malware files. That means MBAM will not target JS, JSE, PY, HTML, HTA, VBS, VBE, WSF, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents such as PDF, DOC, DOCX, XLS, XLSX, PPT, PPS, ODF, RTF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.

Until MBAM v1.75, MBAM could not access files in archives, but with v1.75 came that ability, so it can unarchive a Java JAR (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file), but it doesn't target the HTML files within. MBAM v1.75 and later specifically will deal with ZIP, RAR, 7z, CAB and MSI for archives, and self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files).

MBAM specifically targets binaries that start with the first two characters being MZ.
They can be EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything, such as TXT, JPG, CMD and BAT, and they will still be targeted just as long as the binary starts with 'MZ'.

[attached image: MZ-binary.jpg]

Because the EICAR is not a Windows PE file, it simply won't be targeted.
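
The reply above describes a targeting rule based purely on the leading bytes of a file: anything beginning with the DOS header magic "MZ" is treated as a Windows PE binary whatever its extension, ZIP-family archives are opened but their non-MZ members are left alone, and scripts, documents and media are ignored. The script below is an added example (not Malwarebytes' code and not the poster's) that applies exactly that rule to a handful of constructed in-memory samples, so you can see why a renamed .exe is still a hit while a JAR full of .class files, a VBScript, and an EICAR-style text file are not. The magic-byte classifier is a simplification of the post's description, not how any real engine works internally, and the EICAR literal is deliberately truncated so that this file is not itself the EICAR test file.

```python
import io
import zipfile

# Constructed sample contents (none of these is malware or a real test file).
# MZ_STUB begins with the DOS header magic "MZ", which the post says is the
# only thing the scanner keys on, whatever the file extension.
MZ_STUB = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
# A Java class file (0xCAFEBABE magic) to drop inside a jar, which is a PKZip.
CLASS_STUB = bytes.fromhex("cafebabe00000034") + b"\x00" * 16
# A plain VBScript and the opening bytes of the EICAR string, deliberately
# truncated so that this literal is not itself the EICAR test file.
VBS_STUB = b'Set sh = CreateObject("WScript.Shell")\r\n'
EICAR_PREFIX = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"


def build_zip(members):
    """Build a PKZip container (a .jar is one) in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify(data):
    """Look only at the leading bytes: 'MZ' = Windows PE image,
    'PK\\x03\\x04' = ZIP-family archive, anything else = script/document/media."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "archive"
    return "other"


def is_targeted(name, data):
    """Apply the rule from the post: a PE is targeted regardless of its name,
    an archive is opened and only MZ members inside it count, everything
    else is ignored. Returns a dict describing the decision (our format)."""
    kind = classify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if kind == "pe":
        return {"name": name, "kind": kind, "targeted": True,
                "reason": "starts with MZ; extension .%s is irrelevant" % ext}
    if kind == "archive":
        members = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                members.append(is_targeted(info.filename, zf.read(info)))
        hit = any(m["targeted"] for m in members)
        return {"name": name, "kind": kind, "targeted": hit, "members": members,
                "reason": "archive opened, %d member(s), %s" % (
                    len(members), "MZ member found" if hit else "no MZ member")}
    return {"name": name, "kind": kind, "targeted": False,
            "reason": "first bytes %r are not an MZ header" % data[:4]}


# Samples illustrating each case in the post: the same MZ bytes under a .txt
# name, a jar of .class files, a jar hiding an MZ file, a script, and the
# EICAR prefix saved as eicar.com. All are constructed here.
SAMPLES = [
    ("setup.exe", MZ_STUB),
    ("notes.txt", MZ_STUB),
    ("app.jar", build_zip({"Foo.class": CLASS_STUB, "Bar.class": CLASS_STUB})),
    ("bundle.jar", build_zip({"res/data.bin": MZ_STUB})),
    ("run.vbs", VBS_STUB),
    ("eicar.com", EICAR_PREFIX),
]


def run_samples():
    """Return the decision for every sample, in order."""
    return [is_targeted(n, d) for n, d in SAMPLES]


if __name__ == "__main__":
    for r in run_samples():
        print("%-11s %-8s %-9s %s" % (
            r["name"], r["kind"],
            "TARGETED" if r["targeted"] else "ignored", r["reason"]))
```

Running it prints one line per sample; the two MZ samples and the jar containing an MZ member come out as targeted, everything else as ignored. The practical takeaway for the thread is that a file-type test like EICAR only proves something about a scanner that is designed to flag it, so a product that keys on PE headers needs its own test artefacts.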

I'm talking about the new cloud based Malwarebytes Endpoint Protection system. But I believe it's based on the standalone MBAM 3.x engine(s), so what you discuss probably applies.

OK, so is there a way to test EP?


You can test the Anti-Malware malicious file real time function (test-trojan, test_PUP) and Anti-Exploit (mbae-test) with the following zipped tools – https://malwarebytes.box.com/s/2ae222kt1ogv41emx1ehgnq8d9stgiue

Password = mbam

The real time web blocker can be tested by going to – http://iptest.malwarebytes.org/ - on the endpoint.

These are not real viruses but are defined as threats and will show up if the scan hits them.


Please let us know if your scanner is able to catch these.


Many Thanks


I'm testing on several workstations: Win XP, Win 7, and Win 10.

All three blocked going to iptest.malwarebytes.org, and it gets reported in the cloud interface.

The zipped tools threw me off a little. At first I was just getting a Windows error trying to extract. But that was because of the password. I was then able to extract using WinZip and that password you mentioned.

After extracting, running the test-trojan and test-pup resulted in them being closed and quarantined. mbae-test was closed when clicking the exploit button.

So, that's what I wanted. Something to prove the Endpoint Protection was correctly installed and working.


Sounds like we have those machines properly secured and the real-time protection features are working as expected!

Edited by KDawg
