March 23, 2015

Virus! Virus! ... false alarm Mondays :evil chuckle:

Grumpy Admin is super grumpy today – he didn’t sleep well, and coming to work on a Monday morning makes me grumpy and sad! Doesn’t that make you grumpy and sad as well? So don’t expect much productivity from this camp today!

The last couple of days have been a trying time. I decided to do an IT security audit on a selection of our company servers. I should never have gone looking for issues, as I have made a boatload of remediation work for myself! Meh!

Now don’t laugh as I share this with you, but the antivirus product we have deployed on our server infrastructure is “Microsoft System Centre Endpoint Protection”.


I know, I can hear you laughing from here! We all know it’s not the best product, but as a small shop it will have to do, as it is free for us to use!

Well, as part of my little audit, I had to test to make sure the AV can detect a malware/virus pattern and that the correct reporting and remediation happens. There are lots of test patterns out there to test with. You can just download them and wham, your AV will pick it up.

However, how do you download it? Most browsers these days will prevent it from being downloaded, which is a good thing. Defence in depth and all that infosec marketing blah blah blah! But I actually want it downloaded so that I can test in a controlled manner!


So the easiest way I found of getting a safe virus pattern onto your machine to test with is to create the thing yourself!

So I copy the pattern from the internet, paste it into Notepad and then save that down with either an .exe or a .com file extension.

Below is the EICAR test string that I use to test the alerting features of antivirus products!

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

URL Link: http://www.eicar.org/86-0-Intended-use.html

Your real-time virus scanner should detect this pattern right away, as soon as you save it. Try saving it on the network shares and servers whose alerting you want to test.
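To do the same drop-and-watch test across several servers and shares in one go, here is an added PowerShell example (my own, not part of the original post and not a Microsoft tool). It assumes the paths you pass are writable by the account running it, and that a file disappearing means real-time protection quarantined it; the SCCM alert still has to be checked separately to prove the reporting side.

```powershell
# Added example, not from the original post: write the EICAR test file to one or more
# paths and report whether real-time protection removed each copy within the timeout.
param(
    [string[]]$Paths = @("$env:TEMP\eicar-test.com"),   # e.g. '\\server\share\eicar.com'
    [int]$TimeoutSeconds = 30
)

# The 68-character EICAR string, assembled from two halves so that this .ps1 file does
# not itself match the scanner's EICAR signature and get quarantined before it can run.
# Single quotes matter: in double quotes PowerShell would expand $EICAR and $H as variables.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
if ($eicar.Length -ne 68) { throw "EICAR string is $($eicar.Length) chars, expected 68" }

# EICAR requires the file to start with exactly these bytes (trailing whitespace is
# tolerated, total size must stay under 128 bytes). WriteAllBytes avoids the BOM or
# trailing newline that Notepad or Set-Content can add.
$bytes = [System.Text.Encoding]::ASCII.GetBytes($eicar)

$results = foreach ($path in $Paths) {
    $status = 'WriteFailed'
    try {
        [System.IO.File]::WriteAllBytes($path, $bytes)
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        # Poll until the scanner quarantines the file or the timeout expires.
        while ((Get-Date) -lt $deadline -and (Test-Path -LiteralPath $path)) {
            Start-Sleep -Milliseconds 500
        }
        if (Test-Path -LiteralPath $path) {
            $status = 'NotDetected'
            Remove-Item -LiteralPath $path -Force   # don't leave test files lying around
        } else {
            $status = 'Removed'
        }
    } catch {
        # The scanner may block the write itself (also a detection), or the path may
        # simply be unwritable; keep the message so the two can be told apart.
        $status = "WriteFailed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Path = $path; Status = $status }
}

$results | Format-Table -AutoSize
```

A `NotDetected` row means real-time scanning did not act on that location within the timeout, which is exactly the sort of server you want to find during an audit.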

This sort of thing is quite often a step found in factory acceptance testing and other commissioning work, but it is also good for an admin to test the implementation of your AV alerting system. While it doesn’t say anything about how good the AV product you are using is (Endpoint Protection is, umm, shockingly bad according to all the reviews, as we know), it’s a good string to have somewhere in your toolbox. And it proved that my alerting process in System Centre Configuration Manager worked!


Hazzy