
MBIR/BR test file?


straffin

Recommended Posts

Is there a test file that will be detected by Malwarebytes Incident Response and Breach Remediation so that we can test the software and see what a detection looks like without *actually* installing malware on our systems?  :-)  I've already Googled and searched the forums, but didn't find anything other than the "Malwarebytes Product Testers" zip file (which is designed for Anti-Exploit and doesn't work with Incident Response).

Thanks!

- John


Found another source via a rather entertaining reddit:

 http://ak.pipoffers.apnpartners.com/static/partners//DEMOTB/AskToolbar.exe


(From 

https://www.reddit.com/r/sysadmin/comments/3io9p0/how_hard_is_it_to_get_an_installer_for_ask_toolbar/

)

Edited by AdvancedSetup
Removed live hyperlinks

Hrm...any thoughts on Malwarebytes Incident Response finding and quarantining the Ask Toolbar installer (AskToolbar.exe) but not touching an extracted copy of the OCDLL.dll from inside? Will the software not remove the OCDLL.dll if it's actually installed? O_O

(I mean, I can fire up a disposable VM, actually install the toolbar, and then scan it, but you'd think if it'll find the DLL once installed, it would also find it extracted. No?)


For an installed threat, Malwarebytes' remediation function has a 'linking engine' which finds all related objects of a threat and quarantines them, including EXE, DLL, registry settings and files etc.  The Detection result will list all components of a threat which have been quarantined.

For a scan of type Threat or Custom scan-all-local-drives, the above process would be applied as running processes are checked.  Files on disk should also be found.


  • 2 months later...
  • Root Admin

Hello @stuart_smiles

The following is from our FAQ


Why doesn’t Malwarebytes detect EICAR?

According to the European Expert Group for IT-Security (EICAR) organization, the EICAR test file is a plain string of ASCII characters which can be opened with a regular text editor. EICAR asserts that antivirus products should detect any file that starts with the EICAR strings, which are the following 68 characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Detecting the EICAR strings doesn’t mean anything in terms of proving a product’s real-world effectiveness against threats. This experiment merely proves that the antivirus product can use a pattern-matching signature and trigger against a DOS file (not a Windows PE file) whose content starts with the above EICAR string.

At Malwarebytes, we employ over 7 different prevention layers. Each layer has a specific objective in terms of disrupting threats at different stages of the attack chain. Most layers are signature-less and are designed to protect against the real-world threats our researchers observe in-the-wild, ensuring Malwarebytes customers are protected against prevalent and relevant threats.

The detection or lack thereof of the EICAR test file is not representative of how our different vector blocking and payload prevention techniques work, both in pre-execution and post-execution phases of the attack. The MBAM engine does not need to deal with scripts because our anti-exploit, web blocking and application behavior engines are much more effective at disrupting script-based malware and exploits without relying on signatures. Most anti-virus products have to rely on signatures to detect and block script malware, which is exactly what you DON'T WANT your antivirus to do. There are many more obfuscation and signature evasion techniques available for script droppers than there are for binary malware. Therefore relying on signatures to detect script droppers or files like the EICAR test file, is actually damaging to your security. The fact that your security product detects EICAR with a signature should be a reason for CONCERN instead of success. Most modern script-based droppers and attacks are obfuscated anyways, so using signatures on scripts (like those signature detections for .JS ransomware droppers regularly found in VT) is largely useless and easily bypassed as compared to other protection approaches like those found in MB3.

An EICAR detection proves that a product is able to use pattern-matching signatures and detect a type of threat that may have been prevalent and relevant over 2 decades ago. According to EICAR, a batch file that reads in another file and displays an “alert” message if it finds the EICAR string would qualify as a virus detection product.

So in summary, MB3 already incorporates world-class, next-generation anti-malware technologies. Our combination of signature-less and rules-based layered approach is far more effective than using AV signatures. Malwarebytes is able to prevent 0-minute threats and attacks without updates, even script-based, file-less, and other advanced attacks. We won’t detect EICAR because EICAR is not representative of either today’s threat environment or security needs.


Thank you

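The pattern-matching rule the FAQ describes (any file that starts with the 68-character string, padded only by whitespace to at most 128 bytes, counts as EICAR), written out as an added example; this is not Malwarebytes code or EICAR's own tool. The whitespace and 128-byte rules come from EICAR's published definition; the output path in the demo is a constructed temp file.

```python
# Added example: build a valid EICAR test file and apply the simple
# "starts with the string -> alert" check the FAQ talks about. Writing the
# file is how a defender confirms that a scanner's detection/quarantine
# workflow and its logging look the way the documentation claims.
import os
import tempfile
from pathlib import Path

# Split so this .py file itself never begins with the test string.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
MAX_LEN = 128                       # EICAR: total file length <= 128 bytes
WHITESPACE = b" \t\r\n\x1a"         # EICAR: only whitespace/CTRL-Z may follow


def build_eicar(trailing: bytes = b"") -> bytes:
    """Return the bytes of a valid EICAR file; the whitespace tail is optional."""
    if not all(c in WHITESPACE for c in trailing):
        raise ValueError("only whitespace may follow the EICAR string")
    if len(EICAR) + len(trailing) > MAX_LEN:
        raise ValueError("EICAR file must be at most 128 bytes")
    return EICAR + trailing


def write_eicar(path: str, trailing: bytes = b"") -> str:
    """Write the test file (conventionally named *.com) and return its path."""
    Path(path).write_bytes(build_eicar(trailing))
    return path


def is_eicar(data: bytes) -> bool:
    """Pattern-matching rule: prefix match, whitespace-only tail, <= 128 bytes."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(c in WHITESPACE for c in data[len(EICAR):])


def scan(paths) -> list:
    """The 'alert' step: return the paths whose content matches the rule."""
    hits = []
    for p in paths:
        p = Path(p)
        if p.is_file() and is_eicar(p.read_bytes()):
            hits.append(str(p))
    return hits


if __name__ == "__main__":
    target = write_eicar(os.path.join(tempfile.mkdtemp(), "eicar.com"))
    # A resident scanner that honours EICAR may quarantine the file as soon as
    # it is written; that event is the behaviour the thread wants to observe.
    print("hits:", scan([target]))
```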

@straffin, yes we do have such tools. You can use the one attached* for interacting with, and triggering the real time, or leave it somewhere for a scanner to find.

*Linked on Box in new thread.

Another good resource to test that the scanner is looking in certain areas during scheduled scans is Spycar. They make a test detection suite for scanner engines - http://www.testmypcsecurity.com/securitytests/all_tests.html#AllTests*

 *Spycar is dead, RIP. ☠️

Edited by djacobson
removing attachment, striking dead links.

On this topic, EICAR is actually both a text-readable string and a 16-bit COM/DOS executable with an original purpose to print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" 
It will no longer run on a current Windows operating system.  It is archaic and useless, except to demonstrate string/pattern recognition.
https://en.wikipedia.org/wiki/EICAR_test_file


Some of the Staff responses show a misunderstanding of what exactly I'm looking for. We need to document (and, on occasion, demonstrate) what the software actually looks like while it's working and when it finds something. It's really not important at all if the EICAR file is an effective measure of an anti-virus product's efficacy. It was never supposed to be. It's simply a file that triggers a response. If what you're looking to do is see what a valid response looks like (which we are), the EICAR file will generally do the job.

It also appears that the Test_PUP.zip file has been removed. 😞


Hi @straffin, my bad on the TestPUP, I mistakenly made a no-no and posted it to the thread reply instead of a separate hosting link. Use this link - https://malwarebytes.box.com/s/za0zyzwrdbumesqx8e3eo489edad0no0 -  and I will PM you the passcode.

It's also a bummer to learn the Spycar files are gone :( but TestPUP will do the job!

Edited by djacobson