Generating Test Alerts

Hi All,

I am trying to generate a couple of Sophos alerts for testing purposes and having real trouble making them happen!

We are monitoring the Windows event log (in this case Windows XP) and setting alerts for certain items in our system monitoring tool.  Generating virus alerts is easy using the supplied tool but does anyone know how to generate a "Suspicious Behavior" alert or a "Corrupt file found" warning?

For the corrupt file I have tried various ways of corrupting a file - changing the extension, modifying bits in the middle of the file and so on, Windows / Word / whatever report it is corrupt but Sophos always manages to successfully scan it.

A lot of searching and asking around has yet to find anything that works - any ideas or is the only thing people test the AV alert?

Thanks

sTv

  • Hi,

    Eicar is the main test file:
    http://www.eicar.org/85-0-Download.html

    to generate a Virus alert.

    C:\sec_51\tools\savtst32.exe is a small exe that drops the file and is provided by the SEC installer, but it's as easy to download it.

    To test other alerts, some of the Sysinternals tools are good, e.g. utilities as part of PsTools.

    Regards,

    Jak

  • Hi Jak,

    Thanks for the response and the information.  I'll have a look at the Sysinternals tools to see what I can achieve.  Similar tools have generated the Suspicious file alerts rather than Suspicious behavior.  I was hoping someone would know how to generate these events but it isn't looking hopeful.

    Will keep on plugging away... :)

    Regards

    -Steve

  • Hi Steve,

    I found a way of creating a Sus-B alert.

    1. Download and install AutoIt:

     http://www.autoitscript.com/site/autoit/downloads/

    2. Create a new script file (test.au3 for example) and paste the following in

    ; Read the current "DisableNotifications" value from the Windows Firewall domain-profile policy key
    Local $key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"
    Local $val = "DisableNotifications"
    Local $var = RegRead($key, $val)
    ; Show what was read, then write the identical value straight back:
    ; the write to a firewall policy key is what HIPS flags, but nothing actually changes
    MsgBox(4096, "Sus-B Test", $key & ": " & $var)
    RegWrite($key, $val, "REG_DWORD", $var)

    3. Build an exe "Tools - Build" and run it.

    4. SAV should alert to it as: HIPS/RegMod--008.

    The script just reads the reg value and writes back the same value so it doesn't change anything.

    Regards,

    Jak

  • Hi Jak,

    That's great - I will give that a go.

    Many thanks

    -Steve

  • Hi Jak,

    That code worked a treat.  :)

    It had a bit of a problem generating an alert to start with, so I changed the last line to actually make a change to the registry and that generated an alert.  I changed the code back and it has worked 100% since.

    Thanks again

    -Steve

  • In case anyone looks for how to do this in the future.

    I managed to generate a corrupt file alert as well.

    To do this get the autoit utility Jak mentioned earlier and install it.

    Create a Windows PowerPoint presentation called corruptfile.ppt (so in the older .ppt format)

    Rename the file from .ppt to .au3

    Right click and edit the file in autoit.

    Remove some of the symbols and NUL special characters from the file.  Add in @ symbols, text characters etc. in random places (not among any text that may be part of your presentation!)

    Save the file.

    Rename it back to .ppt

    Right click and scan with Sophos AV to generate an event in the Application Event Log stating the file was corrupt.

    Thanks Jak - you solved both issues!

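Once the EICAR file, the Sus-B script and the corrupt .ppt from the posts above have been run, the thing the original question actually needs is confirmation that each test landed in the Application log as something a monitoring rule can key on. The script below is an added example, not code from this thread or from Sophos; it assumes the SAV event source is named "Sophos Anti-Virus" and that the message wording contains "virus", "suspicious behaviour" / "HIPS/RegMod", "suspicious file" or "corrupt", so adjust $Source and the patterns to whatever your version logs.

```powershell
# Added example: list recent Sophos Anti-Virus events from the Application log and
# bucket them by alert type. Get-EventLog (not Get-WinEvent) is used so this also
# runs on the Windows XP / PowerShell 2.0 hosts the thread is about.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$Source       = 'Sophos Anti-Virus',   # assumed event source name
    [int]$Hours           = 24
)

function Get-SophosTestAlerts {
    param([string]$Computer, [string]$Src, [datetime]$Since)

    $events = Get-EventLog -LogName Application -ComputerName $Computer `
                           -Source $Src -After $Since -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Patterns are assumptions about SAV message text; switch -Regex is case-insensitive
        $kind = switch -Regex ($e.Message) {
            'HIPS/RegMod|suspicious behavio' { 'SuspiciousBehaviour'; break }
            'suspicious file'                { 'SuspiciousFile';      break }
            'corrupt'                        { 'CorruptFile';         break }
            'virus|EICAR'                    { 'Virus';               break }
            default                          { 'Other' }
        }
        New-Object PSObject -Property @{
            Time    = $e.TimeGenerated
            EventId = $e.EventID
            Kind    = $kind
            Message = ($e.Message -replace '\s+', ' ').Trim()
        }
    }
}

$since  = (Get-Date).AddHours(-$Hours)
$alerts = Get-SophosTestAlerts -Computer $ComputerName -Src $Source -Since $since

# One line per alert type: shows which of the three tests (EICAR, Sus-B script,
# corrupt .ppt) actually produced an event for the monitoring tool to match on.
$alerts | Group-Object Kind | Sort-Object Name |
    Select-Object @{n='AlertType';e={$_.Name}}, Count | Format-Table -AutoSize

# Full detail, oldest first, so the EventId for each type can be copied into a rule
$alerts | Sort-Object Time | Format-Table Time, EventId, Kind, Message -AutoSize -Wrap
```

A type that never appears in the summary means that test did not produce a Sophos event on that host, which is exactly the gap the thread was chasing.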