One of the issues on a standard web app checklist is to test whether or not an application that supports file upload is scanning those files for malware. This article reviews the methodology and highlights the danger of corrupting an EICAR test file so that it no longer acts as a valid test. It is based on an internal presentation I gave, the slides for which are here.

It’s really quite simple – upload a file, download it and compare the hashes. If you upload successfully but don’t download then that’s not sufficient proof – perhaps the file has been silently quarantined. (If no download feature is available, you can only speculate on the lack of an error message on upload.) Showing that the hashes of the uploaded and downloaded files are the same proves that the file has not been cleaned up.

It’s obviously unfair to report a system lacking AV if the file you upload gets only 1 out of 57 hits on VirusTotal, for example. So running the file through VirusTotal and including a screenshot in the report shows the client that the file should have been detected. The output of VirusTotal includes a SHA-256 hash so that nicely ties in with hashing the uploaded and downloaded files, mentioned above.

Of course, you don’t want to be uploading real malware. This is where the EICAR test comes in – a widely adopted benign signature that triggers an alert so that you can be sure your anti-virus product is running correctly.

So, during a web application assessment, you put together a test file thus:

[image: the test file as created]

Take a look at the VirusTotal result for this file:

[image: VirusTotal result for the test file]

You upload and download it with no problem – so the files aren’t being checked for malware, right? Wrong.
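The two checks the article describes, validating that the test file really is a well-formed EICAR file before relying on it, and comparing the SHA-256 of the uploaded and downloaded copies, can be scripted. The following is an added example written for this page, not code from the original article or its slides. It assumes the published EICAR format (the 68-byte string, optionally followed by whitespace, total length at most 128 bytes) and uses constructed sample files: a valid one, one whose `$EICAR` and `$H` fragments were stripped as an unquoted shell string might do, and one padded past the length limit. The reference SHA-256 is the widely published hash of the bare 68-byte string.

```python
import hashlib
from typing import List, Optional

# The 68-byte EICAR test string, split across two literals so that a saved copy
# of this script does not itself begin with the signature.
EICAR = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
    b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
# Published SHA-256 of the bare 68-byte string (what VirusTotal reports for it).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
# EICAR format rules: only whitespace (space, tab, LF, CR, CTRL-Z) may follow
# the string, and the whole file must not exceed 128 bytes.
ALLOWED_PADDING = set(b" \t\n\r\x1a")
MAX_LEN = 128


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, the same value VirusTotal shows."""
    return hashlib.sha256(data).hexdigest()


def check_eicar(data: bytes) -> List[str]:
    """Return the reasons these bytes are NOT a valid EICAR file (empty = valid)."""
    problems = []
    if not data.startswith(EICAR):
        problems.append("first 68 bytes do not match the EICAR string")
    if len(data) > MAX_LEN:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_LEN}")
    # Only inspect the tail when the signature itself is intact.
    tail = data[len(EICAR):] if data.startswith(EICAR) else b""
    bad = sorted({b for b in tail if b not in ALLOWED_PADDING})
    if bad:
        problems.append("non-whitespace bytes after the signature: "
                        + ", ".join(f"0x{b:02x}" for b in bad))
    return problems


def roundtrip_verdict(uploaded: bytes, downloaded: Optional[bytes]) -> str:
    """Interpret an upload/download round trip the way the article's method does."""
    problems = check_eicar(uploaded)
    if problems:
        # A corrupted test file proves nothing either way.
        return "INVALID TEST: " + "; ".join(problems)
    if downloaded is None:
        return ("INCONCLUSIVE: upload accepted but nothing to download; "
                "the file may have been silently quarantined")
    if sha256_hex(uploaded) == sha256_hex(downloaded):
        return (f"NOT DETECTED: identical bytes retrieved "
                f"(sha256 {sha256_hex(uploaded)})")
    return (f"MODIFIED: downloaded file differs from upload "
            f"({sha256_hex(uploaded)} vs {sha256_hex(downloaded)})")


# Constructed sample files for demonstration.
GOOD = EICAR + b"\n"                       # trailing newline is permitted
BROKEN = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"   # '$EICAR' and '$H' expanded away
          b"-STANDARD-ANTIVIRUS-TEST-FILE!+H*\n")
PADDED = EICAR + b" " * 70                  # 138 bytes, over the 128 limit

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("broken", BROKEN), ("padded", PADDED)]:
        print(f"{name:7s} sha256={sha256_hex(sample)} problems={check_eicar(sample)}")
    print(roundtrip_verdict(GOOD, GOOD))
    print(roundtrip_verdict(GOOD, None))
    print(roundtrip_verdict(BROKEN, BROKEN))
```

In a real assessment `uploaded` would be read from the file you submitted and `downloaded` from the copy retrieved via the application, so the verdict reflects the same hash comparison the article recommends; the `INVALID TEST` branch is the guard against reporting a finding on the strength of a corrupted test file.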