Sunday

Hands-on Project 3 - 2 (Practical 4)

Objectives: Test AV Software

Antivirus software is important, yet free AV products may not offer the best protection. In this session, we will download a virus test file to determine how the AV software reacts. The downloaded file is not a virus but is designed to appear to an antivirus scanner as if it were one. Antivirus software must be installed on the computer to perform this session.

1) Check the antivirus settings on your computer. Click Start, click Control Panel, click Security, and then click Security Center.

2) The virus protection setting should be On. If it is not, click the Recommendations button and indicate that you want Windows to monitor the AV software.

3) Close all windows.

4) Open your Web browser and enter the URL www.eicar.org/anti_virus_test_file.htm.

5) Read the “Anti-virus or Anti-Malware test file” information carefully. The file you will download is not a virus but is designed to appear to an antivirus scanner as if it were a virus.

6) Click the file eicar.com, which contains a fake virus. A dialog box will open and ask if you want to download the file. Wait to see what happens. What does your antivirus software do? Close your antivirus message and click Cancel to stop the download procedure.

As you can see, the antivirus software's Auto-Protect scans any file that is about to be downloaded for viruses and protects our computer by deleting the file straight away if it detects a virus.

7) Now click eicar_com.zip. This file contains a fake virus inside a compressed (ZIP) file. What happened?

Our antivirus software is not able to scan the eicar_com.zip file for any viruses because the file is compressed.

8) If your antivirus software did not prevent you from accessing the eicar_com.zip file, click Save when the File Download dialog box appears and download the file to your desktop or another location of your choice.

9) When the download is complete, click Close, if necessary.

10) Right-click the Start button and then click Explore.

11) In Windows Explorer navigate to the folder that contains the eicar_com.zip file.

12) Right-click the file eicar_com.zip and then click Scan for viruses on the shortcut menu (your menu command might be slightly different). What happened now?

As you can see, our antivirus software starts to scan the 2 files in the eicar_com.zip file for viruses. The antivirus software found 1 risk. After that, the antivirus software deleted one file from eicar_com.zip and left the other file unchanged.

13) Return to the Web site and this time click eicarcom2.zip. This file has a double-compressed ZIP file with a fake virus. What happened?

Our antivirus software is not able to scan the eicarcom2.zip file for any viruses because the file is double-compressed.

14) If your antivirus software did not prevent you from accessing the eicarcom2.zip file, click Save when the File Download dialog box appears and download the file to your desktop or another location of your choice.

15) When the download is complete, click Close, if necessary.

16) Return to Windows Explorer.

17) In Windows Explorer, navigate to the folder that contains the eicarcom2.zip file.

18) Right-click the file eicarcom2.zip and then click Scan for viruses on the shortcut menu (your menu command might be slightly different). What happened now?

As you can see, our antivirus software starts to scan the 3 files in the eicarcom2.zip file for viruses. The antivirus software found 1 risk. After that, the antivirus software deleted one file from eicarcom2.zip and left the other file unchanged.

19) Erase both files from your hard drive.

20) Close all windows.
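To make the three downloads in this practical reproducible offline, here is an added example (not part of the original post or of EICAR's site) that rebuilds eicar.com, eicar_com.zip and the double-zipped eicarcom2.zip from the published 68-byte EICAR test string, reports how many archive layers wrap each one, and runs a toy on-demand scanner with a configurable archive-depth budget, which is the kind of limit that decides whether a nested test file is found. The scanner, the helper names and the output directory are assumptions of this example.

```python
import io
import zipfile
from pathlib import Path

# The 68-byte EICAR test string, published by EICAR for exactly this purpose; it is harmless.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def zip_bytes(member_name: str, data: bytes) -> bytes:
    """Return a ZIP archive, as bytes, holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()

def build_artifacts() -> dict:
    """The same three files the practical downloads: plain, zipped once, zipped twice."""
    once = zip_bytes("eicar.com", EICAR)            # eicar_com.zip
    twice = zip_bytes("eicar_com.zip", once)        # eicarcom2.zip
    return {"eicar.com": EICAR, "eicar_com.zip": once, "eicarcom2.zip": twice}

def nesting_depth(data: bytes) -> int:
    """How many ZIP layers wrap the innermost non-archive content (0 for eicar.com)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return 1 + max(nesting_depth(zf.read(name)) for name in zf.namelist())

def contains_eicar(data: bytes, max_depth: int) -> bool:
    """Toy on-demand scanner (assumed, not any vendor's engine): look for the test
    string, descending into archives at most `max_depth` layers. An archive beyond
    that budget is skipped unopened, which is the blind spot a depth limit creates."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if max_depth <= 0:
            return False
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(contains_eicar(zf.read(n), max_depth - 1) for n in zf.namelist())
    return EICAR in data

def write_artifacts(directory: str) -> list:
    """Write the three files into `directory` (assumed writable) so a real AV's
    on-access and right-click scans can be compared on them; returns the paths."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, data in build_artifacts().items():
        (out / name).write_bytes(data)
        paths.append(str(out / name))
    return paths
```

Calling `write_artifacts` on a machine with AV installed reproduces steps 6 to 18 without the browser; compare which of the three files the on-access scanner removes against what `contains_eicar` reports for depth budgets 0, 1 and 2.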

Reflections
After doing this practical, I finally know how the antivirus software reacts to different types of files. If the file is not compressed, the antivirus software will start to scan the file for viruses. However, when the file is compressed, the antivirus software will not be able to scan the file and we have to scan the file for viruses ourselves. Thus, in future, I will download files that are not compressed so that my antivirus software will be able to scan them.

Hands-on Project 2 - 1 (Practical 3)

Objectives: Scan for Rootkits Using RootkitRevealer

To help detect the presence of a rootkit, we will need to download and install Microsoft’s RootkitRevealer tool.

1) Open your Web browser and enter the URL www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx.

2) Scroll to the bottom of the page and click Download RootkitRevealer (231 KB). When the File Download dialog box appears, click Save and download the file to your desktop or another location of your choice.

3) When the download is complete, click Open to open the compressed (.ZIP) file.

4) Click Extract all files to launch the Extraction Wizard. Follow the steps in the wizard to extract all files to your desktop or another location of your choice.

5) Navigate to the location where the files were extracted and start the program by double-clicking RootkitRevealer.exe. If you receive an Open File – Security Warning dialog box, click Run. Click Agree to accept the RootkitRevealer license agreement.

6) The RootkitRevealer screen will appear.

7) Click File and then Scan to begin a scan of the computer for a rootkit.

8) When the scan is complete, RootkitRevealer will display any discrepancies between the Windows registry keys (which are not always visible to certain types of scans) and other parts of the registry. Discrepancies that are found do not necessarily indicate that a rootkit was detected.

Results:

9) Close RootkitRevealer and all windows.
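RootkitRevealer's method is a cross-view comparison: the same registry keys are listed once through the normal Windows API and once by reading the data at a lower level, and anything the API does not show is a discrepancy. The added example below (written for this page, not RootkitRevealer's own code) implements that comparison over two constructed views and classifies each discrepancy, so the caveat in step 8 is visible in code: only an entry hidden from the API has the rootkit pattern, while entries that differ because they changed between the two passes are expected noise. The view contents and the classification names are assumptions of the example.

```python
# Constructed sample views of the same registry subtree (not real RootkitRevealer output):
# key path -> value data as reported through the Windows API, and as read at low level.
API_VIEW = {
    r"HKLM\SOFTWARE\ExampleApp\Version": "2.1",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Start": "0",
    r"HKLM\SOFTWARE\ExampleApp\LastRun": "2009-05-03 10:41:07",   # changes constantly
    r"HKLM\SOFTWARE\ExampleApp\TempSession": "active",            # removed between passes
}
RAW_VIEW = {
    r"HKLM\SOFTWARE\ExampleApp\Version": "2.1",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Start": "0",
    r"HKLM\SOFTWARE\ExampleApp\LastRun": "2009-05-03 10:41:09",
    r"HKLM\SYSTEM\CurrentControlSet\Services\hiddensvc\ImagePath": r"\??\C:\hiddensvc.sys",
}

def cross_view_discrepancies(api_view: dict, raw_view: dict) -> list:
    """Return (key, kind) pairs for every key the two views disagree on.
    hidden_from_api  : present at low level but absent from the API view (rootkit pattern)
    api_only         : present in the API view only (typically deleted between passes)
    data_mismatch    : present in both with different data (typically changed between passes)"""
    findings = []
    for key in sorted(set(api_view) | set(raw_view)):
        if key not in api_view:
            findings.append((key, "hidden_from_api"))
        elif key not in raw_view:
            findings.append((key, "api_only"))
        elif api_view[key] != raw_view[key]:
            findings.append((key, "data_mismatch"))
    return findings

def needs_investigation(findings: list) -> list:
    """Only the keys the API could not see deserve a closer look; the rest are benign churn."""
    return [key for key, kind in findings if kind == "hidden_from_api"]
```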

Reflections
From what I know, a rootkit is a set of software tools used by an intruder to break into a computer, obtain special privileges to perform unauthorized functions, and hide all traces of its existence. Thus it will be dangerous if our computer contains a rootkit. Hence, I find that RootkitRevealer is very useful to me as it helps me reveal the rootkits in my computer so that I can remove them.

Hands-on Project 1 - 3 (Practical 2)

Objectives: Inspect for Insecure Versions of Applications using Secunia Software Inspector

It is critical that security updates be applied so that computer systems remain secure. Unpatched application software is increasingly becoming the target of attackers. Although Microsoft has developed a process through which users are notified of security updates each month, most other software vendors do not have such a feature, and many applications remain unpatched.

One solution is to use an online software scanner that will compare all applications on your computer with a list of known patches from software vendors. The online software scanner can alert you to any applications that are not properly patched.

Hence, we will use Secunia’s Software Inspector to identify any applications that need to be patched.

1) Open your Web Browser and enter the URL secunia.com/software_inspector.

2) Click View detailed list of applications to see all the programs that Software Inspector will scan.

3) Click your browser’s Back button to return to the previous page.

4) Click Start Scanner and accept any default warnings.


5) Check the box Enable through system inspection. This will allow Software Inspector to search for applications that are not stored in their default locations.

6) Click Start.

7) Software Inspector will begin its scan. Depending on the number of applications on your computer, the scan may take several minutes to complete, although it will begin displaying information as it finishes each application.

8) When Software Inspector has finished it will display a dialog box stating that the scan is complete. Click OK. If you are prompted to sign up for a service, decline the offer.

9) A list of the applications that have been scanned will be displayed. Click on the + next to the application name to display further information.


10) Click the links to access the updates to secure these applications.

11) Close all windows.
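The comparison Software Inspector performs, an installed version checked against the lowest version that carries the vendor's fix, is easy to get wrong with plain string comparison (where "1.10" sorts before "1.9"). The added example below (written for this page, not Secunia's code) parses versions into numeric components, pads to equal length so "3.0" equals "3.0.0", and classifies a constructed inventory against a constructed advisory list. The product names, version numbers and the "unknown" category for applications without advisory data are assumptions of the example.

```python
import re

# Constructed sample data (not Secunia's database): what an inventory found installed,
# and, per product, the first version that contains the vendor's security fix.
INSTALLED = {
    "ExampleReader": "8.1.2",
    "ExampleBrowser": "3.0.10",
    "ExampleRuntime": "1.6.0_07",
    "ExampleArchiver": "12.0",        # no advisory data for this product
}
FIRST_FIXED = {
    "ExampleReader": "8.1.3",
    "ExampleBrowser": "3.0.9",
    "ExampleRuntime": "1.6.0_10",
}

def parse_version(text: str) -> tuple:
    """Turn '1.6.0_07' into (1, 6, 0, 7); every run of digits is one component."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like a classic comparator; shorter tuples are padded with zeros
    so that '3.0' and '3.0.0' compare equal rather than '3.0' sorting lower."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)

def inspect(installed: dict, first_fixed: dict) -> dict:
    """Classify each installed product as 'patched', 'insecure' or 'unknown'
    (unknown = the scanner has no advisory data, so no conclusion is possible)."""
    report = {}
    for product, version in installed.items():
        if product not in first_fixed:
            report[product] = "unknown"
        elif compare_versions(version, first_fixed[product]) >= 0:
            report[product] = "patched"
        else:
            report[product] = "insecure"
    return report
```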

Reflections
I find that Secunia's Software Inspector is very helpful as it helps to scan for any applications that are unpatched or not properly patched. Thus this quickens the pace of updates instead of waiting for Microsoft to inform me of the available updates each month. Also, my computer systems will be secured with these updates and will not be so vulnerable to attacks by attackers.