Symantec now includes four key anti-malware protection technologies (File-Based Protection, Network-Based Protection, Behavior-Based Protection and Reputation-Based Protection) in the Norton 2011 and Symantec Endpoint Protection 12.1 products. How can you validate that each protection technology is enabled, and what do the corresponding alerts look like?
How the detections for cloudcar and socar appear in the SEP "Threat log".
File-Based Detection Testing and Validation:
Symantec's File-Based protection includes multiple protection engines: the file-based antivirus engine, our Malheur engine and our Bloodhound technology. To trigger an alert with the antivirus engine, use the EICAR file described below.
The standard for testing file-based anti-virus is called EICAR (European Institute for Computer Antivirus Research). This file is not malicious; it is the agreed-upon string and file for testing across many anti-virus vendors. The file for testing File-Based anti-virus can be downloaded from the EICAR website. There is a .txt file as well as versions embedded in a .zip archive (one level and multiple levels deep). Symantec's "Testing a Virus and Spyware Protection policy" article offers exact steps on how to use EICAR to test AV.
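The plain, one-level and two-level EICAR variants described above can be generated locally when the download is not available or when you want to control exactly what is placed on the endpoint under test. The following script is an added example, not Symantec's or EICAR's own code; the file names eicar.com, eicar_com.zip and eicarcom2.zip are simply the local names chosen here, and the SHA-256 constant is the published digest of the 68-byte EICAR string, which the script uses to confirm the bytes it produces are the genuine test string and not a mangled copy.

```python
"""Build the EICAR test artefacts (plain file, one-level zip, two-level zip)
in a scratch directory and report their SHA-256 digests.

Added example for a test lab; not Symantec's or EICAR's own tooling.
"""
import hashlib
import io
import os
import tempfile
import zipfile

# The 68-byte EICAR test string, stored in two halves so that a naive text
# scan of this source file does not match it; joined, it is the exact
# published string (all bytes printable ASCII).
_EICAR_PARTS = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)

# Published SHA-256 of the EICAR test file; used as a sanity check.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Return the exact EICAR test string as bytes."""
    return b"".join(_EICAR_PARTS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_genuine_eicar(data: bytes) -> bool:
    """True only if `data` is byte-for-byte the published EICAR string."""
    return len(data) == 68 and sha256_hex(data) == EICAR_SHA256


def nested_zip(inner_name: str, payload: bytes, depth: int) -> bytes:
    """Wrap `payload` in `depth` zip layers (depth=1: a zip holding the file,
    depth=2: a zip holding a zip holding the file). Returns the outer zip."""
    data, name = payload, inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data = buf.getvalue()
        name = f"level{level + 1}.zip"  # name used if another layer is added
    return data


def unwrap_zip(data: bytes, depth: int) -> bytes:
    """Reverse of nested_zip: peel `depth` layers, return the innermost bytes."""
    for _ in range(depth):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                raise ValueError(f"expected one member, found {names}")
            data = zf.read(names[0])
    return data


def write_test_set(directory: str) -> dict:
    """Write eicar.com, eicar_com.zip and eicarcom2.zip into `directory`
    and return {file name: sha256 of the bytes written}."""
    payload = eicar_bytes()
    files = {
        "eicar.com": payload,
        "eicar_com.zip": nested_zip("eicar.com", payload, 1),
        "eicarcom2.zip": nested_zip("eicar.com", payload, 2),
    }
    digests = {}
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
        digests[name] = sha256_hex(data)
    return digests


if __name__ == "__main__":
    out_dir = tempfile.mkdtemp(prefix="eicar-test-")
    for name, digest in write_test_set(out_dir).items():
        print(f"{os.path.join(out_dir, name)}  sha256={digest}")
```

Run it on the endpoint under test with real-time protection enabled: the plain file should be detected on write, and the two archive variants exercise the scanner's archive-depth handling. If the script reports that the bytes are not genuine EICAR (for example after a copy/paste that altered a character), fix the string before drawing any conclusion about the engine.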
Network-Based Protection Testing and Validation:
Symantec's Network-Based Protection is a set of technologies designed to block malicious attacks before they have a chance to introduce malware onto a system. Unlike file-based protection, which must wait until a file is physically created on a user's computer, network-based protection starts analyzing the incoming data streams as they arrive on a user's machine via network connections. There are three primary engines:
Network IPS Engine
Browser Protection Engine
Un-Authorized Download Protection (UXP) Engine
To validate that the IPS engine or Browser Protection is working, you need to actually exploit an underlying vulnerability in the operating system or browser. There are two ways to test the IPS and Browser Protection engines. For maximum alerts and notifications, it helps to have a vulnerable browser, plug-ins and operating system. You can either use a program such as Metasploit, Core Impact, or Immunity Sec's Canvas to exploit the underlying operating system, browser and third-party application vulnerabilities, or you can use a "Browser Check" webpage called the Browser Security Check from scanit.biz. (Please note that the browser check has unfortunately been discontinued.) Symantec has no affiliation with this website and takes no responsibility for any effects resulting from visiting this site or using the tools it offers. The website warns you that your system and browsers may crash during testing, since the website actually exploits vulnerabilities but does not deliver a malicious payload.
Using a test tool like Metasploit, Core Impact, or Canvas to test your IPS and Browser Protection solutions is the most effective way to mimic a real attack similar to a web attack toolkit. When running tests, it is recommended to use a virtual environment so you can roll back tests easily. Set up server-side exploits (tests against the MS-RPC and LSASS services) to exploit the operating system, and also set up client-side tests in which a web server is running and you navigate the endpoint under test to the URL, to exploit a vulnerability in the browser or a browser plug-in.
Note: Running an NMAP scan or a Nessus vulnerability scan does NOT do anything malicious and will not trigger the IPS or Browser Protection engines, even when set to exclude "Safe" checks.
You can use nmap -A to scan a computer; it will create a post-scan alert from the NTP (Network Threat Protection, i.e. the firewall) component.
UXP stands for Un-Authorized Download Protection. Within the Network-Based Protection layer, this last line of defense helps mitigate unknown and unpatched vulnerabilities without the use of signatures, providing a further layer of insurance against zero-day attacks.
Behavioral-Based Protection Testing and Validation:
Symantec's Behavioral-Based Protection technology provides effective, non-invasive protection from previously unseen zero-day computer threats. The Symantec Online Network for Advanced Response (SONAR) is the main engine of our behavior-based technology and features a classification engine based on artificial intelligence, human-authored behavioral signatures, and a behavioral policy lockdown engine. Together these components provide industry-leading protection against threats that are most often socially engineered and targeted attacks. The latest version of this technology is called our SONAR 3 technology.
To test the SONAR 3 technology and see an alert from it, unpack the socar.zip file (the SONAR equivalent of EICAR; the archive password is "infected") and launch the non-malicious "SOCAR.EXE" executable. You should see an alert with the title "SONAR has removed the security risk socar.exe. Your computer is secure." You can then view details to see "A program was behaving suspiciously on your computer. This program was blocked and removed".
Reputation-Based Protection Testing and Validation:
Symantec's Reputation-Based Protection technology is the newest addition to the suite of protection technologies developed by STAR. Reputation-based security addresses the latest development in the threat landscape: micro-distributed malware. Using the combined wisdom of over 130 million contributing users, our reputation system learns which applications are good and bad based on the anonymous adoption patterns of our users. It then uses this intelligence to automatically classify virtually every software file on the planet. This reputation data is used by all of Symantec's products to automatically block new malware and, conversely, to identify and allow new legitimate applications.
To test the Reputation technology, first test without the cloud/Reputation technology to confirm that no detection occurs. Open the non-malicious cloudcar.zip (the reputation equivalent of EICAR) and unzip it to get the Cloudcar.exe file (the archive password is "symantec"). Disconnect the system from the internet, then right-click on the file and select "File Insight": no "bad" reputation will be reported. Reconnect the internet connection. While connected to the internet and to our Reputation cloud technology, right-click on the file and select "File Insight" again. The reputation of this file will now be "Bad – There are indications that this file is untrustworthy".