obscuresec: Test Antivirus with EICAR and PowerShell

Typically, penetration testers are able to demonstrate a complete compromise of their customer's systems without flagging antivirus products. There are many methods of bypassing antivirus that can be used, but sometimes customers begin to wonder if their AV is working at all. The EICAR test file is an innocuous file that was created for that exact problem.

The EICAR test file can be download from here, but it is also trivial to generate yourself. New-Eicar is a PowerShell function that can be used to ensure that your antivirus is properly flagging new files. Originally, I wanted to create a script that would generate the eicar.com file and then wait for it to be deleted. Unfortunately, testing the script resulted in different results based on the different product responses and the product's settings. So I settled on just generating the file and letting the AV product alert (like this):

Here is the code, but the maintained version will be on github:

New-Eicar Function

function New-Eicar {
<#
.SYNOPSIS
 
    New-Eicar
       
    Author: Chris Campbell (@obscuresec)
    License: BSD 3-Clause
    
.DESCRIPTION

    A function that generates the EICAR string to test ondemand scanning of antivirus products.

.PARAMETER $Path

    Specifies the path to write the eicar file to.

.EXAMPLE

    PS C:\> New-Eicar -Path c:\test 

.NOTES

    During testing, several AV products caused the script to hang, but it always completed after a few minutes.

.LINK

    http://obscuresec.com/2013/01/New-Eicar.html
    https://github.com/obscuresec/random/blob/master/New-Eicar
    
#>
    [CmdletBinding()] Param(
        [ValidateScript({Test-Path $_ -PathType 'Container'})] 
        [string] 
        $Path = "$env:temp\"
        )            
            [string] $FilePath = (Join-Path $Path eicar.com)
            #Base64 of Eicar string
            [string] $EncodedEicar = 'WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo='

            If (!(Test-Path -Path $FilePath)) {

                Try {
                    [byte[]] $EicarBytes = [System.Convert]::FromBase64String($EncodedEicar)
                    [string] $Eicar = [System.Text.Encoding]::UTF8.GetString($EicarBytes)
                    Set-Content -Value $Eicar -Encoding ascii -Path $FilePath -Force 
                }

                Catch {
                    Write-Warning "Eicar.com file couldn't be created. Either permissions or AV prevented file creation."
                }
            }
            
            Else {
                Write-Warning "Eicar.com already exists!"
            }

}

Running it on a machine with AV should result in this:

Let me know if you have any questions or improvement suggestions!

-Chris

Thursday, January 10, 2013

Test Antivirus with EICAR and PowerShell

No comments:

Post a Comment