Does antivirus rain on your antivirus testing?

Suppose you need to test your antivirus software, but you don’t have a virus lying around to test with. How do you get a virus to test with? Sounds dangerous.

Luckily, smarter people than I have already thought of this problem. The solution is the EICAR test file/string. It’s a harmless string that most (almost all) antivirus vendors treat as a virus. The idea is that you can use this file instead of a live virus. If your antivirus alerts on it, you know all is good. If it doesn’t, then your antivirus doesn’t work.

So if you’re doing some security research* and need the EICAR test string you may run into a chicken and egg problem. You need the test string, but every time you download it your antivirus program deletes it right away!

I’ve made a simple dropper. By itself it doesn’t trigger most antivirus programs (props to ALYac, Ad-aware, BitDefender, Emsisoft, F-Secure, GData, MicroWorld-eScan, and nProtect).

The batch file will create a file named eicar.txt in the current directory. Hopefully your antivirus program will immediately alert when the file is created.

Here’s a zip file containing the dropper:

And here’s the dropper itself:

* Hacking 🙂

Set Internet Options via the registry

I ran into a situation where I needed to remotely set the values in a user’s Internet Options control panel. With all the problems with SSL 2.0 and SSL 3.0 lately, we’ve pushed out configurations to block them. Some of our users have reported problems connecting to business-critical websites which aren’t working with our settings. So I need to remotely check the SSL 3.0 box for them.

To get this done I had two problems:

  • What values do I need to store in the registry?
  • Where do I store them?

First, find the keys.

I fired up procmon from Sysinternals and opened up my Internet Options control panel. With some trial and error I was able to narrow down the settings I needed to change. The process is to change the settings in my UI (remember to click apply!) and watch the registry changes in procmon. In case you’re looking for exactly the same thing I am, changing the SSL/TLS settings, here’s the key you need:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

And here are the values you need:

SSL/TLS Version   Decimal   Hexadecimal
SSL 2.0           8         0x8
SSL 3.0           32        0x20
TLS 1.0           128       0x80
TLS 1.1           512       0x200
TLS 1.2           2048      0x800

This is a bitfield. To get the correct value, you just add up the options you want and then store that value in the registry.

I needed to have SSL 3.0, TLS 1.0, and TLS 1.1 enabled.
\begin{array}{c}  \phantom{+9}32\\  \phantom{+}128\\  \underline{+512}\\  \phantom{+}672\end{array}

When you store the result in the registry, make sure you enter it in the expected format.

[Image: Regedit input dialog, showing radio buttons for selecting Hexadecimal or Decimal input. Be sure the selection matches the number you are inputting.]

Second, figure out where to store the values.

[Image: Folder tree from regedit. I have connected to a remote PC and discovered that there is no HKCU hive listed. Caption: Where is HKCU?]

Now, just open up the remote registry and find HKEY_CURRENT_USER and rock and roll!

Okay, going to have to pull some teeth here. The issue is that there really isn’t a HKEY_CURRENT_USER hive. When a user logs on, Windows maps their HKEY_USERS hive onto the HKCU hive. It makes things so much easier. Since we’re not logged on to this system as that user, we don’t get the easy version.

If your users generally have one PC each, you probably will see several short SIDs and a pair of long ones. The long one without “_classes” on the end is your user’s SID. But you can get a user’s SID via PowerShell to be 100% sure.

So in my case, I’ll need to use HKEY_Users\S-1-5-21-776511741-573735546-682002230-13423.

Put it all together.

Almost done, I swear. In regedit I connected to the remote computer then browsed to the right user’s HKEY_USERS key (that long SID we found earlier). I browsed to the key I found earlier, Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols. Finally, I set the value I calculated, 672 (decimal).

Sites are fixing their SSL settings as fast as they can, so don’t just set something like this and forget it. Periodically test the sites your users require to see if they work with SSL 2.0 and SSL 3.0 disabled. Once they do, you can undo your changes.
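
The steps above as a PowerShell script, added here as an example and not the author's own code: it resolves the user's SID, opens HKEY_USERS on the remote PC, decodes the current SecureProtocols value and optionally writes a new one. The parameter names, the placeholder computer and account, and the protocol labels (SSL2, TLS10, ...) are assumptions; the bit values come from the table above.

```powershell
# Added example (not the post's own script). $Computer and $Account are
# placeholders. Requires admin rights and the Remote Registry service on the target.
param(
    [string]$Computer = 'PC-NAME',
    [string]$Account  = 'DOMAIN\username',
    [string[]]$Enable   # e.g. SSL3,TLS10,TLS11; omit to only report
)

# Bit values from the table in the post.
$Bits = [ordered]@{ SSL2 = 0x8; SSL3 = 0x20; TLS10 = 0x80; TLS11 = 0x200; TLS12 = 0x800 }

function ConvertTo-ProtocolList([int]$Value) {
    # Names of every protocol whose bit is set in $Value.
    @($Bits.Keys | Where-Object { $Value -band $Bits[$_] })
}

function ConvertTo-ProtocolValue([string[]]$Names) {
    # OR the named bits together; reject names that are not in the table.
    $v = 0
    foreach ($n in $Names) {
        if (-not $Bits.Contains($n)) { throw "Unknown protocol name: $n" }
        $v = $v -bor $Bits[$n]
    }
    $v
}

# Resolve the account to a SID so the right HKEY_USERS subkey is used.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $Computer)
try {
    $key = $hku.OpenSubKey("$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings", $true)
    if (-not $key) { throw "No loaded hive for $Account ($sid) on $Computer." }

    $effective = $key.GetValue('SecureProtocols')   # $null if never set
    if ($null -ne $effective) {
        'Current: {0} (0x{0:X}) = {1}' -f $effective, ((ConvertTo-ProtocolList $effective) -join ', ')
    } else { 'Current: SecureProtocols not set' }
    if ($Enable) {
        $effective = ConvertTo-ProtocolValue $Enable
        $key.SetValue('SecureProtocols', $effective, [Microsoft.Win32.RegistryValueKind]::DWord)
        'New:     {0} (0x{0:X}) = {1}' -f $effective, ((ConvertTo-ProtocolList $effective) -join ', ')
    }
    # Flag the legacy protocols so the exception is revisited, as the post advises.
    if ($effective -band ($Bits.SSL2 -bor $Bits.SSL3)) {
        Write-Warning "SSL 2.0/3.0 enabled for $Account on $Computer."
    }
} finally { if ($key) { $key.Close() }; $hku.Close() }
```

Run it without -Enable first to see what is currently set; passing SSL3,TLS10,TLS11 writes 672, the value calculated above.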