Test Your Antivirus Software
Is your AV software doing its job? A batch file automates an AV checkup.
October 9, 2005
Antivirus software has become so simple to install, so efficient, and so dependable that we take it for granted. We install the virus-scanning software of our choice, add the newest scanning engine and signature file, and enable Automatic Updates. It's easy to adopt a "set it and forget it" attitude about this important software.
But how do you know that your virus scanning is really working as advertised? What if an administrator stops the virus-scanning service and neglects to restart it? What if a new virus comes in under the radar screen and disables virus scanning as part of its payload agenda? What if your antivirus software is configured incorrectly or has been removed altogether? Any of these hypothetical scenarios could be serious indeed and expose your corporate environment to the risk of infection.
New developments in the world of storage and the presentation of data add more complexity to antivirus protection. If you use Microsoft Dfs, you might have multiple servers' resources displayed in one hierarchical tree. If virus scanning is degraded on one server node, the tree will contain virus-protected folders mixed in with the unprotected folders that physically reside on the degraded node. Also, if you use a storage device that depends on separate Windows nodes for virus scanning, you could have a protection failure that isn't immediately evident.
You can test whether your antivirus service is running by checking the service state with the Netsvc tool in theWindows 2000 Server Resource Kit, you can examine the dates of the virus-definition files in the registry by using Reg, and you can perform a number of other peripheral tests to check up on your antivirus service. But the most base-level test of your antivirus software's effectiveness would be to attempt to copy a file infected with a known virus signature to a node and then execute it. If the attempt is successful, you have a problem that needs further investigation on that node. An operational antivirus product should prevent the copy operation or at least stop the file's execution.
The EICARtest.bat script, which Listing 1 shows, copies a simulated infected file to specified nodes and logs the results. On one hand, if you run this test on the file servers in your environment and everything checks out, you can be confident that all is well, just as you thought it was. On the other hand, you might be surprised to find that you have one or more nodes that have been letting viruses slip through the cracks.
The EICARtest Script
EICARtest creates the simulated infected file, EICAR.com, so you don't need to download it. For more information about the European Institute for Computer Anti-Virus Research (EICAR) and its test file, see the sidebar "The EICAR.com File," page 7. If you do decide to download the file for informational purposes, you'll likely experience some difficulty because of antivirus scanning on your PC. That's why the Web download page for the file offers the file in four formats, including double-zipped and .txt. Likewise, if you copy and paste the EICAR.com character string into a file and try to save it, your antivirus software might detect these efforts as a "virus-infection incident" and promptly delete the file, even if you change the filename or extension.
You might be wondering how a script can copy the EICAR.com file to a test location without setting off the antivirus software on the script-executing node. Well, EICARtest uses a couple of tricks to echo the test string to a file, as callout A in Listing 1 shows. The code stores the character string in two variables, shuts down virus scanning on the testing node for the few seconds that the script runs, then restarts virus scanning. Note that the EICAR.com test string contains two reserved characters, the caret (^) and the percent sign (%). These characters won't echo to a file correctly unless % is changed to %% and ^ is changed to ^^.
The EICARtest script performs three preliminary and three EICAR.com-related tests on each of the file shares that you specify in an input file. If a test is successful, the script proceeds to the next test. If a test fails, the script skips the remaining tests and echoes a line to the output file that shows the failure.
Test 1 (callout B) uses a simple If Exist statement to check whether the node and share location are accessible and actually exist. Test 2 (callout C) echoes a test file to the location to check whether the script (if running as a scheduled task) or the operator running the script (if run interactively) has the necessary permissions to copy a file to the share location. Note that the script uses a double occurrence of the hidden environment variable %RANDOM% to generate a random filename for this write test.
Test 3 (callout D) checks whether the script can delete the test file. The target location could allow file copies but not deletions. The script tests for that situation because it could cause confusion later when the script tries to delete the EICAR.com file.
Test 4 (callout E) copies the EICAR.com file to the target location, then uses an If Exist statement to check whether the file is there. Some antivirus software will allow the copy and then promptly delete or move the file into quarantine. If the file doesn't exist at the target location after the script has copied it there, the script ends successfully.
Test 5 (callout F) checks whether the EICAR.com file can be executed at the target location. If the antivirus software allows the file copy operation, the script checks whether the copied file can be executed. If execution is allowed, the output file indicates that you need to investigate whether your antivirus software is functioning correctly. If the execution is blocked, the script records that in the output file.
Test 6 (callout G) tries to delete the EICAR.com file at the target location. Some antivirus software will block that deletion because the file has been quarantined or locked. You might need to use the antivirus software interface on that node to manually delete the file. Or you might need to disable the virus-scanning software for a moment to allow deletion of the file.
Note: Most server antivirus-scanning packages offer a number of configuration options that let you control whether to scan for inbound or outbound files or both and dictate the actions that the antivirus software should take when it detects an infected file. You might see a variety of behaviors when EICARtest tries to copy EICAR.com to your test target nodes. If you've configured the software to notify you about an infected file, you'll receive a Net Send warning message. The antivirus software might allow you to copy EICAR.com to the target share location, but then you might find it "locked" so that the script can't copy or execute it. Even if you find that your servers are all well protected, running the EICARtest script will give you a better understanding of how the configuration options you've chosen actually work in an infection situation.
Using EICARtest
I tested the EICARtest script on PCs with Windows XP Service Pack 1 (SP1) and SP2 and McAfee VirusScan 8.0.0. To get the EICARtest script working in your environment, perform the following steps:
Download the script from the Windows Scripting Solutions Web site. Go to http://www.windowsitpro.com/windowsscripting, enter 47894 in the InstantDoc ID text box, then click the 47894.zip hotlink.
Configure the script with the location of an input file that contains the paths to the shares that you want to test (one path per line), as follows:
\serverashare1\serverbshare2\servercshare3
Configure the location of the output file. The results of each test will be recorded and followed by a tab. You can open the output file in Notepad or Microsoft Excel.
Configure the script to point to the service that runs your local antivirus scanning application. If the script can't disable the service, the copy of EICAR.com to the target node will fail.
Run the script against a small handful of nodes to test its operation. Confirm that the script is restarting the antivirus service correctly.
Your antivirus software might lock the EICAR.com file in quarantine on the target nodes and you might need to manually remove it from the nodes. This is an important reason to test the script on a few test nodes before you consider a large-scale test run.
A pop-up warning might appear on your target nodes' console when the script attempts to copy EICAR.com to the nodes. Be sure to notify any server administrators that could be logged on locally to the nodes about your testing so that they won't be alarmed by the warning.
Determine whether you want to disable the Messenger service to prevent a flood of error messages to the node on which you're running the script. Suppressing verbose screen output is commented out by default, but you can remove the comment character, if appropriate.
If you're having difficulty diagnosing unusual virus behaviors, try checking the antivirus application log file on the target node to see how your antivirus software is handling the incidents.
The EICARtest script gives you another scripted tool for your testing arsenal. It also demonstrates how to develop a sequenced test script, how to create a file from character strings in a variable, how to stop and start services, and how to create a spreadsheet report with the results. Ideally, this script should help you determine whether your antivirus software is working correctly and give you insights into and confidence in your antivirus software configuration.
About the Author
You May Also Like