Scripting AntiVirus Signature File Updates and Testing

Randy Abrams Andreas MarxMicrosoft Corporation AV-Test GmbHhttpwwwmicrosoftcom httpwwwav-testorg

AVAR 2004 Conference presentation about ldquoScripting AntiVirus Signature File Updates and TestingrdquoCopyright copy 2004 Microsoft Corporation One Microsoft Way Redmond WA 98052-6399 USACopyright copy 2004 AV-Test GmbH Klewitzstr 7 D-39112 Magdeburg Germany

Table of Content

l Reasons to script updatesl Types of update mechanismsl Scripting techniquesl Why test What to testl Sample test scriptsl Conclusion QampA section

Disclaimer

l The examples and code samples in this presentation are provided as is and are only intended for educational purposes and to illustrate concepts

l The code is not suitable for a production environment

l The authors nor their employers AV-Testorg or Microsoft make any representations or warranties about the suitability of these samples for any other purpose

Reasons to Script Updates (I)

l Testing organizations (eg response time tests)l Antivirus vendor virus name and variant

synchronization cross-reference lists (VGrep)l PCs not on the internet (eg for security reasons)l Quality Assurance programs amp Software Release

Services (scan of all incoming and outgoing data)l Ensure newest signatures

Reasons to Script Updates (II)

l Multi-scanner systemsndash Independently developed AV engines have

different good and weak pointsndash Different response times in case of new virus

outbreaksndash Protection level might still be too low for some

critical business cases

Regular Update Releases per Day (I)(x = Date y = Number of Updates)

0

10

20

30

40

50

60

70

80

90

100

2004

-01-

01

2004

-01-

15

2004

-01-

29

2004

-02-

12

2004

-02-

26

2004

-03-

11

2004

-03-

25

2004

-04-

08

2004

-04-

22

2004

-05-

06

2004

-05-

20

2004

-06-

03

2004

-06-

17

2004

-07-

01

2004

-07-

15

2004

-07-

29

2004

-08-

12

2004

-08-

26

Regular Update Releases per Day (II)

l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)

2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)

l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)

2004-02-07 (7) 2004-01-04 (8)

Types of Update Mechanisms

l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)

l Wgetexe handles all

Scripting Techniques for CMDEXE

l Filename determinationl Creating unique filenames for archivingl Determining required files

l Text parsingl Environment variable parsingl Subroutines

Scripting Techniques for CMDEXE

l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)

Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37

mydatemytime= 2004-11-25-09_35_37

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Disclaimer

l The examples and code samples in this presentation are provided as is and are only intended for educational purposes and to illustrate concepts

l The code is not suitable for a production environment

l The authors nor their employers AV-Testorg or Microsoft make any representations or warranties about the suitability of these samples for any other purpose

Reasons to Script Updates (I)

l Testing organizations (eg response time tests)l Antivirus vendor virus name and variant

synchronization cross-reference lists (VGrep)l PCs not on the internet (eg for security reasons)l Quality Assurance programs amp Software Release

Services (scan of all incoming and outgoing data)l Ensure newest signatures

Reasons to Script Updates (II)

l Multi-scanner systemsndash Independently developed AV engines have

different good and weak pointsndash Different response times in case of new virus

outbreaksndash Protection level might still be too low for some

critical business cases

Regular Update Releases per Day (I)(x = Date y = Number of Updates)

0

10

20

30

40

50

60

70

80

90

100

2004

-01-

01

2004

-01-

15

2004

-01-

29

2004

-02-

12

2004

-02-

26

2004

-03-

11

2004

-03-

25

2004

-04-

08

2004

-04-

22

2004

-05-

06

2004

-05-

20

2004

-06-

03

2004

-06-

17

2004

-07-

01

2004

-07-

15

2004

-07-

29

2004

-08-

12

2004

-08-

26

Regular Update Releases per Day (II)

l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)

2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)

l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)

2004-02-07 (7) 2004-01-04 (8)

Types of Update Mechanisms

l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)

l Wgetexe handles all

Scripting Techniques for CMDEXE

l Filename determinationl Creating unique filenames for archivingl Determining required files

l Text parsingl Environment variable parsingl Subroutines

Scripting Techniques for CMDEXE

l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)

Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37

mydatemytime= 2004-11-25-09_35_37

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Reasons to Script Updates (I)

l Testing organizations (eg response time tests)l Antivirus vendor virus name and variant

synchronization cross-reference lists (VGrep)l PCs not on the internet (eg for security reasons)l Quality Assurance programs amp Software Release

Services (scan of all incoming and outgoing data)l Ensure newest signatures

Reasons to Script Updates (II)

l Multi-scanner systemsndash Independently developed AV engines have

different good and weak pointsndash Different response times in case of new virus

outbreaksndash Protection level might still be too low for some

critical business cases

Regular Update Releases per Day (I)(x = Date y = Number of Updates)

0

10

20

30

40

50

60

70

80

90

100

2004

-01-

01

2004

-01-

15

2004

-01-

29

2004

-02-

12

2004

-02-

26

2004

-03-

11

2004

-03-

25

2004

-04-

08

2004

-04-

22

2004

-05-

06

2004

-05-

20

2004

-06-

03

2004

-06-

17

2004

-07-

01

2004

-07-

15

2004

-07-

29

2004

-08-

12

2004

-08-

26

Regular Update Releases per Day (II)

l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)

2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)

l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)

2004-02-07 (7) 2004-01-04 (8)

Types of Update Mechanisms

l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)

l Wgetexe handles all

Scripting Techniques for CMDEXE

l Filename determinationl Creating unique filenames for archivingl Determining required files

l Text parsingl Environment variable parsingl Subroutines

Scripting Techniques for CMDEXE

l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)

Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37

mydatemytime= 2004-11-25-09_35_37

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Reasons to Script Updates (II)

l Multi-scanner systemsndash Independently developed AV engines have

different good and weak pointsndash Different response times in case of new virus

outbreaksndash Protection level might still be too low for some

critical business cases

Regular Update Releases per Day (I)(x = Date y = Number of Updates)

0

10

20

30

40

50

60

70

80

90

100

2004

-01-

01

2004

-01-

15

2004

-01-

29

2004

-02-

12

2004

-02-

26

2004

-03-

11

2004

-03-

25

2004

-04-

08

2004

-04-

22

2004

-05-

06

2004

-05-

20

2004

-06-

03

2004

-06-

17

2004

-07-

01

2004

-07-

15

2004

-07-

29

2004

-08-

12

2004

-08-

26

Regular Update Releases per Day (II)

l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)

2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)

l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)

2004-02-07 (7) 2004-01-04 (8)

Types of Update Mechanisms

l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)

l Wgetexe handles all

Scripting Techniques for CMDEXE

l Filename determinationl Creating unique filenames for archivingl Determining required files

l Text parsingl Environment variable parsingl Subroutines

Scripting Techniques for CMDEXE

l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)

Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37

mydatemytime= 2004-11-25-09_35_37

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Regular Update Releases per Day (I)(x = Date y = Number of Updates)

0

10

20

30

40

50

60

70

80

90

100

2004

-01-

01

2004

-01-

15

2004

-01-

29

2004

-02-

12

2004

-02-

26

2004

-03-

11

2004

-03-

25

2004

-04-

08

2004

-04-

22

2004

-05-

06

2004

-05-

20

2004

-06-

03

2004

-06-

17

2004

-07-

01

2004

-07-

15

2004

-07-

29

2004

-08-

12

2004

-08-

26

Regular Update Releases per Day (II)

l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)

2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)

l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)

2004-02-07 (7) 2004-01-04 (8)

Types of Update Mechanisms

l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)

l Wgetexe handles all

Scripting Techniques for CMDEXE

l Filename determinationl Creating unique filenames for archivingl Determining required files

l Text parsingl Environment variable parsingl Subroutines

Scripting Techniques for CMDEXE

l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)

Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37

mydatemytime= 2004-11-25-09_35_37

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Regular Update Releases per Day (II)

l Days with the most update releasesndash 2004-03-03 (89) 2004-04-28 (83)

2004-08-16 (80) 2004-03-18 (76)2004-07-19 (74)

l Days with the lowest number of update downloadsndash 2004-06-20 (5) 2004-01-10 (5) 2004-02-01 (6)

2004-02-07 (7) 2004-01-04 (8)

Types of Update Mechanisms

l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)

l Wgetexe handles all

Scripting Techniques for CMDEXE

l Filename determinationl Creating unique filenames for archivingl Determining required files

l Text parsingl Environment variable parsingl Subroutines

Scripting Techniques for CMDEXE

l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)

Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37

mydatemytime= 2004-11-25-09_35_37

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Types of Update Mechanisms

l HTTP downloads (public)l HTTP downloads (usernamepassword)l FTP downloads (anonymous)l FTP downloads (usernamepassword)

l Wgetexe handles all

Scripting Techniques for CMDEXE

l Filename determinationl Creating unique filenames for archivingl Determining required files

l Text parsingl Environment variable parsingl Subroutines

Scripting Techniques for CMDEXE

l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)

Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37

mydatemytime= 2004-11-25-09_35_37

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Scripting Techniques for CMDEXE

l Filename determinationl Creating unique filenames for archivingl Determining required files

l Text parsingl Environment variable parsingl Subroutines

Scripting Techniques for CMDEXE

l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)

Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37

mydatemytime= 2004-11-25-09_35_37

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Scripting Techniques for CMDEXE

l Parsing Environment Variablesfor f tokens=1-4 delims= i in (date) do (set mydate=l-j-l-)for f tokens=1-4 delims= i in (time) do (set mytime=i_j_k-)

Date=Thu 11252004 mydate=2004-11-25-Time=09353787 mytime=09_35_37

mydatemytime= 2004-11-25-09_35_37

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Scripting Techniques for CMDEXE

Finding the file name McAfee exampleFrom McAfeersquos ldquoreadmetxtrdquo file ldquo - DAT Version 4297rdquo

wget ftpftpnaicompubdatfilesenglishreadmetxtfor f tokens=4 delims= i in (findstr i c- DAT version

readmetxt) do(if not exist dat-izip wget

ftpftpnaicompubdatfilesenglishdatizip)

dat-izip= dat-4297zip

Scripting Techniques for CMDEXE

Set dailycount=0dailywget httpdownloadnaicomproductsmcafee-

avertdaily_datsDAILYDATZIPif errorlevel==0 goto gethash set a dailycount=dailycount+1if dailycount GTR 3 del dailydatz amp exit goto daily

Scripting Techniques for CMDEXE

gethashfor f i in (md5 dailydatzip) do set newmcafee=iif exist oldmcafeebat call oldmcafeebatif i [oldmcafee]==[newmcafee] del dailydatzip amp

exitif i not [oldmcafee]==[newmcafee] (del oldmcafeebatecho (set oldmcafee=newmcafee) gtoldmcafeebatren dailydatzip mydatemytimedailydatzipecho newfilesgtcmcafeenewfilestxt)

Scripting Techniques for CMDEXE

Only take what you need Kaspersky example

l Download file with digital signaturesl Determine which files are requiredl Download required files

Scripting Techniques for CMDEXE

Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)

Using Subroutines (avpklb contains digital signatures)

call Get_File avpklb

Scripting Techniques for CMDEXE

Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1

gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)

Scripting Techniques for CMDEXE

(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360

ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1

downloadgtgtckavupdatedownload_problemtxtgoto finalsteps

Scripting Techniques for CMDEXE

Only take what you need Kaspersky example

l Download file with digital signaturesl Determine which files are requiredl Download required files

Scripting Techniques for CMDEXE

Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)

Using Subroutines (avpklb contains digital signatures)

call Get_File avpklb

Scripting Techniques for CMDEXE

Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1

gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)

Scripting Techniques for CMDEXE

(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360

ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1

downloadgtgtckavupdatedownload_problemtxtgoto finalsteps

Scripting Techniques for CMDEXE

Initialize variables(set avc_loop=) amp (set klb_loop=) amp (set newavc=) (set oldavc=) amp (set success=false)

Using Subroutines (avpklb contains digital signatures)

call Get_File avpklb

Scripting Techniques for CMDEXE

Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1

gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)

Scripting Techniques for CMDEXE

(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360

ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1

downloadgtgtckavupdatedownload_problemtxtgoto finalsteps

Scripting Techniques for CMDEXE

Get_File(set avc_loop=0)(set del_loop=0)loop1(set a del_loop=del_loop+1)if exist 1 del 1if not [errorlevel]==[0] (if del_loop GTR 2 echo Cant delete 1

gtgtckavdownload_problemtxt ampamp goto finalstepsgoto loop1)

Scripting Techniques for CMDEXE

(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360

ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1

downloadgtgtckavupdatedownload_problemtxtgoto finalsteps

Scripting Techniques for CMDEXE

(set a avc_loop=avc_loop+1)wget -aCKAVkavwgetlog -t1 -w3 -T360

ftpftpkasperskycomupdates_x1if [errorlevel]==[0] goto eofsleep 30if avc_loop LEQ3 goto loop1echo Datetime-Error 1

downloadgtgtckavupdatedownload_problemtxtgoto finalsteps

Scripting Techniques for CMDEXE

findstr cavc avpklb gtgtckavtempnewklbtxtCUTILREPEXE = ckavtempnewklbtxtThe previous line changes entries in the AVPKLB file that

look like this0=kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9

UuOmxXyKkBjNdD+844509092004And writes the line below to a file called ldquoNEWKLBTXTrdquo0kernelavc0XLSznpdI71fB300e7Uwj1TdKc+yC8rcaj94jH6EUL9

UuOmxXyKkBjNdD+844509092004

Scripting Techniques for CMDEXE

for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)

do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto

eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof

Why Test

l Update files can be faulty especially in case of beta definitions

ndash Corrupted virus signatures (eg broken archives interrupted downloads)

ndash Download of old signatures due to problems with the synchronization

ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)

l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning

What to Test

l Different checks are useful to find possible bad updates

ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using

digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be

taken from the report file)ndash Is the scanner able to find Eicar test file under the usual

name and does the scanner sets the correct exit code

Testing Considerations

l Advanced testing methods with a limited number of live viruses (might not be required in every case)

ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)

ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)

ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be

found much easier

Sample Test Script (I)

wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog

ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog

ctestdirty

Sample Test Script (II)

If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log

ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem

gtgtcscannerslogsMcafee_Updatelog

Conclusion

l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments

l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early

l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)

Questions

l Are there any questions

Scripting Techniques for CMDEXE

for f tokens=1-5 delims= a in (ckavtempnewklbtxt) do (call compare1 b c)compare1set newavc=2if exist ckavtempoldklbtxt (for f tokens=1-3 delims= i in (findstr c1 ckavtempoldklbtxt)

do ((set oldavc=k)))if [newavc]==[oldavc] (set newavc=) amp (set oldavc=) amp goto

eofecho 1 gtgtckavtempnewavcfilestxt amp (set newavc=) amp (set oldavc=)goto eof

Why Test

l Update files can be faulty especially in case of beta definitions

ndash Corrupted virus signatures (eg broken archives interrupted downloads)

ndash Download of old signatures due to problems with the synchronization

ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)

l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning

What to Test

l Different checks are useful to find possible bad updates

ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using

digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be

taken from the report file)ndash Is the scanner able to find Eicar test file under the usual

name and does the scanner sets the correct exit code

Testing Considerations

l Advanced testing methods with a limited number of live viruses (might not be required in every case)

ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)

ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)

ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be

found much easier

Sample Test Script (I)

wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog

ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog

ctestdirty

Sample Test Script (II)

If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log

ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem

gtgtcscannerslogsMcafee_Updatelog

Conclusion

l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments

l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early

l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)

Questions

l Are there any questions

Why Test

l Update files can be faulty especially in case of beta definitions

ndash Corrupted virus signatures (eg broken archives interrupted downloads)

ndash Download of old signatures due to problems with the synchronization

ndash Bad or corrupt updates (eg the creation process at the AV company was erroneous)

l Statistics provided at VB 2004 indicated that of 37000 updates obtained approximately 7000 were non-functioning

What to Test

l Different checks are useful to find possible bad updates

ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using

digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be

taken from the report file)ndash Is the scanner able to find Eicar test file under the usual

name and does the scanner sets the correct exit code

Testing Considerations

l Advanced testing methods with a limited number of live viruses (might not be required in every case)

ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)

ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)

ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be

found much easier

Sample Test Script (I)

wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog

ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog

ctestdirty

Sample Test Script (II)

If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log

ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem

gtgtcscannerslogsMcafee_Updatelog

Conclusion

l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments

l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early

l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)

Questions

l Are there any questions

What to Test

l Different checks are useful to find possible bad updates

ndash Size check Has the new definition file the usual sizendash Can the ZIP or SFX file be extracted without errors (using

digital signature checks or CRC sums)ndash Does the command-line scanner loads and starts properlyndash Has the version number increased (this information can be

taken from the report file)ndash Is the scanner able to find Eicar test file under the usual

name and does the scanner sets the correct exit code

Testing Considerations

l Advanced testing methods with a limited number of live viruses (might not be required in every case)

ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)

ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)

ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be

found much easier

Sample Test Script (I)

wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog

ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog

ctestdirty

Sample Test Script (II)

If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log

ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem

gtgtcscannerslogsMcafee_Updatelog

Conclusion

l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments

l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early

l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)

Questions

l Are there any questions

Testing Considerations

l Advanced testing methods with a limited number of live viruses (might not be required in every case)

ndash Infected files are stored securely on a system with limited access (eg limited number of accounts)

ndash Infected files should be renamed andor stored inside of archive files (eg ZIP)

ndash Deeper test of the internal structures of the AV programndash Corrupted updates which are not working properly can be

found much easier

Sample Test Script (I)

wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog

ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog

ctestdirty

Sample Test Script (II)

If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log

ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem

gtgtcscannerslogsMcafee_Updatelog

Conclusion

l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments

l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early

l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)

Questions

l Are there any questions

Sample Test Script (I)

wzunzip -t cscannersmcafeearchivesdailydatzip if not errorlevel==0 set problem=bad_zip_file amp goto abortDel q cscannersmcafeetestwzunzip cmcafeearchivesdailydatzip cscannersmcafeetestif not errorlevel==0 set problem=bad_zip_file amp goto abortCopy y cscannersmcafeetest cmcafeeCmcafeescan sub secure unzip report cmcafeelogsclnlog

ctestclnIf not errorlevel==0 set problem=FP amp goto abortCmcafeescan sub secure unzip report cmcafeelogsvirlog

ctestdirty

Sample Test Script (II)

If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log

ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem

gtgtcscannerslogsMcafee_Updatelog

Conclusion

l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments

l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early

l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)

Questions

l Are there any questions

Sample Test Script (II)

If not errorlevel==13 set problem=no_detect goto abortCmcafeescan sub secure unzip report cmcafeelogsvir2log

ctestdirty ctestclnIf not errorlevel==13 set problem=no_detect goto abortdel cscannersmcafeeupdatedatcopy cscannersmcafeetestdat cscannersmcafeeupdatedat exitabortEcho date time - problem

gtgtcscannerslogsMcafee_Updatelog

Conclusion

l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments

l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early

l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)

Questions

l Are there any questions

Conclusion

l Scriptable solutions for single or multi-scanner systems simplify the process of maintaining systems and allow for automated quality testing that can enhance detection in test and production environments

l Virus-infected or suspicious software (regardless if its incoming or outgoing) can be stopped early

l More scanners can possibly find more than just one (eg due to different response times to new malware and new types of exploits)

Questions

l Are there any questions

Questions

l Are there any questions