Thursday, January 10, 2013

Test Antivirus with EICAR and PowerShell

Typically, penetration testers are able to demonstrate a complete compromise of their customer's systems without flagging antivirus products. There are many methods of bypassing antivirus that can be used, but sometimes customers begin to wonder if their AV is working at all. The EICAR test file is an innocuous file that was created for that exact problem.

The EICAR test file can be download from here, but it is also trivial to generate yourself. New-Eicar is a PowerShell function that can be used to ensure that your antivirus is properly flagging new files. Originally, I wanted to create a script that would generate the file and then wait for it to be deleted. Unfortunately, testing the script resulted in different results based on the different product responses and the product's settings. So I settled on just generating the file and letting the AV product alert (like this):

Here is the code, but the maintained version will be on github:

New-Eicar Function     

Running it on a machine with AV should result in this:

Let me know if you have any questions or improvement suggestions!


No comments:

Post a Comment