scripting antivirus signature file updates and ... - av-test · reasons to script updates (i) l...
TRANSCRIPT
Scripting AntiVirus Signature File Updates and Testing
Randy Abrams Andreas MarxMicrosoft Corporation AV-Test GmbHhttpwwwmicrosoftcom httpwwwav-testorg
AVAR 2004 Conference presentation about ldquoScripting AntiVirus Signature File Updates and TestingrdquoCopyright copy 2004 Microsoft Corporation One Microsoft Way Redmond WA 98052-6399 USACopyright copy 2004 AV-Test GmbH Klewitzstr 7 D-39112 Magdeburg Germany
Table of Content
l Reasons to script updatesl Types of update mechanismsl Scripting techniquesl Why test What to testl Sample test scriptsl Conclusion QampA section
Disclaimer
l The examples and code samples in this presentation are provided as is and are only intended for educational purposes and to illustrate concepts
l The code is not suitable for a production environment
l The authors nor their employers AV-Testorg or Microsoft make any representations or warranties about the suitability of these samples for any other purpose
Reasons to Script Updates (I)
l Testing organizations (eg response time tests)l Antivirus vendor virus name and variant
synchronization cross-reference lists (VGrep)l PCs not on the internet (eg for security reasons)l Quality Assurance programs amp Software Release
Services (scan of all incoming and outgoing data)l Ensure newest signatures
Reasons to Script Updates (II)
l Multi-scanner systemsndash Independently developed AV engines have
different good and weak pointsndash Different response times in case of new virus
outbreaksndash Protection level might still be too low for some
critical business cases
Regular Update Releases per Day (I)(x = Date y = Number of Updates)
0
10
20
30
40
50
60
70
80
90
100
2004
-01-
01
2004
-01-
15
2004
-01-
29
2004
-02-
12
2004
-02-
26
2004
-03-
11
2004
-03-
25
2004
-04-
08
2004
-04-
22
2004
-05-
06
2004
-05-
20
2004
-06-
03
2004
-06-
17
2004
-07-
01
2004
-07-
15
2004
-07-
29
2004
-08-
12
2004
-08-
26
Regular Update Releases per Day (II)
l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)
2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)
l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)
2004-02-07 (7) 2004-01-04 (8)
Types of Update Mechanisms
l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)
l Wgetexe handles all
Scripting Techniques for CMDEXE
l Filename determinationl Creating unique filenames for archivingl Determining required files
l Text parsingl Environment variable parsingl Subroutines
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Table of Content
l Reasons to script updatesl Types of update mechanismsl Scripting techniquesl Why test What to testl Sample test scriptsl Conclusion QampA section
Disclaimer
l The examples and code samples in this presentation are provided as is and are only intended for educational purposes and to illustrate concepts
l The code is not suitable for a production environment
l The authors nor their employers AV-Testorg or Microsoft make any representations or warranties about the suitability of these samples for any other purpose
Reasons to Script Updates (I)
l Testing organizations (eg response time tests)l Antivirus vendor virus name and variant
synchronization cross-reference lists (VGrep)l PCs not on the internet (eg for security reasons)l Quality Assurance programs amp Software Release
Services (scan of all incoming and outgoing data)l Ensure newest signatures
Reasons to Script Updates (II)
l Multi-scanner systemsndash Independently developed AV engines have
different good and weak pointsndash Different response times in case of new virus
outbreaksndash Protection level might still be too low for some
critical business cases
Regular Update Releases per Day (I)(x = Date y = Number of Updates)
0
10
20
30
40
50
60
70
80
90
100
2004
-01-
01
2004
-01-
15
2004
-01-
29
2004
-02-
12
2004
-02-
26
2004
-03-
11
2004
-03-
25
2004
-04-
08
2004
-04-
22
2004
-05-
06
2004
-05-
20
2004
-06-
03
2004
-06-
17
2004
-07-
01
2004
-07-
15
2004
-07-
29
2004
-08-
12
2004
-08-
26
Regular Update Releases per Day (II)
l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)
2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)
l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)
2004-02-07 (7) 2004-01-04 (8)
Types of Update Mechanisms
l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)
l Wgetexe handles all
Scripting Techniques for CMDEXE
l Filename determinationl Creating unique filenames for archivingl Determining required files
l Text parsingl Environment variable parsingl Subroutines
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Disclaimer
l The examples and code samples in this presentation are provided as is and are only intended for educational purposes and to illustrate concepts
l The code is not suitable for a production environment
l The authors nor their employers AV-Testorg or Microsoft make any representations or warranties about the suitability of these samples for any other purpose
Reasons to Script Updates (I)
l Testing organizations (eg response time tests)l Antivirus vendor virus name and variant
synchronization cross-reference lists (VGrep)l PCs not on the internet (eg for security reasons)l Quality Assurance programs amp Software Release
Services (scan of all incoming and outgoing data)l Ensure newest signatures
Reasons to Script Updates (II)
l Multi-scanner systemsndash Independently developed AV engines have
different good and weak pointsndash Different response times in case of new virus
outbreaksndash Protection level might still be too low for some
critical business cases
Regular Update Releases per Day (I)(x = Date y = Number of Updates)
0
10
20
30
40
50
60
70
80
90
100
2004
-01-
01
2004
-01-
15
2004
-01-
29
2004
-02-
12
2004
-02-
26
2004
-03-
11
2004
-03-
25
2004
-04-
08
2004
-04-
22
2004
-05-
06
2004
-05-
20
2004
-06-
03
2004
-06-
17
2004
-07-
01
2004
-07-
15
2004
-07-
29
2004
-08-
12
2004
-08-
26
Regular Update Releases per Day (II)
l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)
2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)
l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)
2004-02-07 (7) 2004-01-04 (8)
Types of Update Mechanisms
l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)
l Wgetexe handles all
Scripting Techniques for CMDEXE
l Filename determinationl Creating unique filenames for archivingl Determining required files
l Text parsingl Environment variable parsingl Subroutines
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Reasons to Script Updates (I)
l Testing organizations (eg response time tests)l Antivirus vendor virus name and variant
synchronization cross-reference lists (VGrep)l PCs not on the internet (eg for security reasons)l Quality Assurance programs amp Software Release
Services (scan of all incoming and outgoing data)l Ensure newest signatures
Reasons to Script Updates (II)
l Multi-scanner systemsndash Independently developed AV engines have
different good and weak pointsndash Different response times in case of new virus
outbreaksndash Protection level might still be too low for some
critical business cases
Regular Update Releases per Day (I)(x = Date y = Number of Updates)
0
10
20
30
40
50
60
70
80
90
100
2004
-01-
01
2004
-01-
15
2004
-01-
29
2004
-02-
12
2004
-02-
26
2004
-03-
11
2004
-03-
25
2004
-04-
08
2004
-04-
22
2004
-05-
06
2004
-05-
20
2004
-06-
03
2004
-06-
17
2004
-07-
01
2004
-07-
15
2004
-07-
29
2004
-08-
12
2004
-08-
26
Regular Update Releases per Day (II)
l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)
2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)
l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)
2004-02-07 (7) 2004-01-04 (8)
Types of Update Mechanisms
l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)
l Wgetexe handles all
Scripting Techniques for CMDEXE
l Filename determinationl Creating unique filenames for archivingl Determining required files
l Text parsingl Environment variable parsingl Subroutines
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Reasons to Script Updates (II)
l Multi-scanner systemsndash Independently developed AV engines have
different good and weak pointsndash Different response times in case of new virus
outbreaksndash Protection level might still be too low for some
critical business cases
Regular Update Releases per Day (I)(x = Date y = Number of Updates)
0
10
20
30
40
50
60
70
80
90
100
2004
-01-
01
2004
-01-
15
2004
-01-
29
2004
-02-
12
2004
-02-
26
2004
-03-
11
2004
-03-
25
2004
-04-
08
2004
-04-
22
2004
-05-
06
2004
-05-
20
2004
-06-
03
2004
-06-
17
2004
-07-
01
2004
-07-
15
2004
-07-
29
2004
-08-
12
2004
-08-
26
Regular Update Releases per Day (II)
l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)
2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)
l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)
2004-02-07 (7) 2004-01-04 (8)
Types of Update Mechanisms
l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)
l Wgetexe handles all
Scripting Techniques for CMDEXE
l Filename determinationl Creating unique filenames for archivingl Determining required files
l Text parsingl Environment variable parsingl Subroutines
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Regular Update Releases per Day (I)(x = Date y = Number of Updates)
0
10
20
30
40
50
60
70
80
90
100
2004
-01-
01
2004
-01-
15
2004
-01-
29
2004
-02-
12
2004
-02-
26
2004
-03-
11
2004
-03-
25
2004
-04-
08
2004
-04-
22
2004
-05-
06
2004
-05-
20
2004
-06-
03
2004
-06-
17
2004
-07-
01
2004
-07-
15
2004
-07-
29
2004
-08-
12
2004
-08-
26
Regular Update Releases per Day (II)
l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)
2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)
l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)
2004-02-07 (7) 2004-01-04 (8)
Types of Update Mechanisms
l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)
l Wgetexe handles all
Scripting Techniques for CMDEXE
l Filename determinationl Creating unique filenames for archivingl Determining required files
l Text parsingl Environment variable parsingl Subroutines
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Regular Update Releases per Day (II)
l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)
2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)
l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)
2004-02-07 (7) 2004-01-04 (8)
Types of Update Mechanisms
l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)
l Wgetexe handles all
Scripting Techniques for CMDEXE
l Filename determinationl Creating unique filenames for archivingl Determining required files
l Text parsingl Environment variable parsingl Subroutines
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Types of Update Mechanisms
l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)
l Wgetexe handles all
Scripting Techniques for CMDEXE
l Filename determinationl Creating unique filenames for archivingl Determining required files
l Text parsingl Environment variable parsingl Subroutines
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
l Filename determinationl Creating unique filenames for archivingl Determining required files
l Text parsingl Environment variable parsingl Subroutines
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)
Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37
mydatemytime= 2004-11-25-09_35_37
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo
wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version
readmetxt) do(if not exist dat-izip wget
ftpftpnaicompubdatfilesenglishdatizip)
dat-izip= dat-4297zip
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-
avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp
exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
Only take what you need Kaspersky example
l Download file with digital signaturesl Determine which files are requiredl Download required files
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)
Using Subroutines (avpklb contains digital signatures)
call Get_File avpklb
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1
gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360
ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1
downloadgtgtckavupdatedownload_problemtxtgoto finalsteps
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that
look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9
UuOmxXyKkBjNdD+844509092004
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Scripting Techniques for CMDEXE
for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)
do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto
eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Why Test
l Update files can be faulty especially in case of beta definitions
ndash Corrupted virus signatures (eg broken archives interrupted downloads)
ndash Download of old signatures due to problems with the synchronization
ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)
l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
What to Test
l Different checks are useful to find possible bad updates
ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using
digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be
taken from the report file)ndash Is the scanner able to find Eicar test file under the usual
name and does the scanner sets the correct exit code
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Testing Considerations
l Advanced testing methods with a limited number of live viruses (might not be required in every case)
ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)
ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)
ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be
found much easier
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Sample Test Script (I)
wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog
ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog
ctestdirty
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Sample Test Script (II)
If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log
ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem
gtgtcscannerslogsMcafee_Updatelog
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Conclusion
l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments
l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early
l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)
Questions
l Are there any questions
Questions
l Are there any questions