RE: virus product pentest

From: Aleksander P. Czarnowski (alekc@avet.com.pl)
Date: Sun Sep 12 2004 - 15:30:34 EDT

• Next message: Debasis Mohanty: "RE: virus product pentest"
• Previous message: Nicolas Montoza: "Re: Achilles proxy for linux"
• In reply to: 4secure@web.de: "virus product pentest"
• Next in thread: Debasis Mohanty: "RE: virus product pentest"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,
I don't see any point of testing a common AV package against malware from wildlist because such testing is already performed on monthly basis in several safe labs due to certification scheme like VirusBulletin 100% for example. Secondly you can not provide a safe environment during pen-testing your customer systems so you brake fundamental security rules. You could download some virus collection that is floating around internet but keep in mind that to call a code a virus or worm it must replicate. So before judging that particular object is infected you need to replicate the samples. This requires again a safe lab without any external connections to networks. This is just a tip of an iceberg in terms of problems and issues related with using real malware. I am fully against such testing.

You should also consider legal issue of such actions and possibility of malware escape which in turn will bring more legal actions and consideration.

The things you should at least check:
1. is there on-access scanner enable
2. is av system multilayered
3. what is the policy regarding removable media
4. how email is protected/scanned
5. how quarantines servers are setup and are they properly secured
6. how patch-management policy is implemented

Please note that this list forms rather a checklist for an audit not pen-test.

At the end: do not use real malware if you do not know how to handle it and/or you don't have safe environment.
Best Regards,
Aleksander Czarnowski
AVET INS

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

• Next message: Debasis Mohanty: "RE: virus product pentest"
• Previous message: Nicolas Montoza: "Re: Achilles proxy for linux"
• In reply to: 4secure@web.de: "virus product pentest"
• Next in thread: Debasis Mohanty: "RE: virus product pentest"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT