Example indicators
The security tests we carry out can be fully automated. For instance, we can record the moment a specific protection technology in a product blocks an attack. When a product reacts to a malicious modification of the system, it records that reaction in the Windows event log or in its own local logs, and the modification itself (a file written, a registry key created or read, an action performed by a process) can be captured through the Windows API. Moving a sample to quarantine or running malware in a sandbox, for example, leaves a trace in a product-specific file path or registry key. Each such recorded indicator can then be mapped to a verdict: a detected attack, a blocked network connection, or an infected file removal. These locations are specific to the product version under test and have to be re-verified after each product update. Here are some example indicators:
ESET Internet Security:
ANTIVIRUS INDICATORS | DESCRIPTION |
---|---|
C:\ProgramData\ESET\ESET Security\Logs\virlog.dat | Malware was removed or cured |
*AppData\Local\ESET\ESET Security\Quarantine | Malware was quarantined |
C:\ProgramData\ESET\ESET Security\epfwlog.dat | Blocking of traffic by a firewall |
C:\ProgramData\ESET\ESET Security\Logs\urllog.dat | Blocking of malware on a website |
Sophos Endpoint Protection:
ANTIVIRUS INDICATORS | DESCRIPTION |
---|---|
C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED | Information on a quarantine |
HKLM\SOFTWARE\WOW6432Node\Sophos\SAVService\ThreatLifetime\Threats | Message about a threat found |
C:\ProgramData\Sophos\Health\Event Store\Incoming\SAV-{67E677B9-A7CC-4136-B97E-B901C48655DC}.json | Threat found |
HKLM\SOFTWARE\WOW6432Node\Sophos\Health\ThreatNotification\Severity | Threat notification |
HKLM\SOFTWARE\WOW6432Node\Sophos\SAVService\Status\Infected\* | Elevated security status |
C:\ProgramData\Sophos\Sophos Anti-Virus\Temp\* | Information on a threat |
Comodo Internet Security:
ANTIVIRUS INDICATORS | DESCRIPTION |
---|---|
C:\ProgramData\Comodo\Cis\Quarantine\* | Malware was quarantined |
C:\VTRoot\* | Virus was run in a sandbox |
C:\ProgramData\Comodo\Firewall Pro\cislogs.sdb | Information on an event in a firewall |
HKLM\SYSTEM\VritualRoot\* | Information on running in a sandbox |
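The mapping step described above, as an added example that is not part of the original page or the lab's own harness: the three indicator tables are transcribed into a list, observed file-system and registry activity is matched against them (case-insensitively, and for anything below a listed folder or key), and each hit is turned into one of the three verdicts from the text. The `Event` format, the verdict labels, the helper names and the sample events are assumptions made for the example; the constructed sample activity stands in for what a file or registry monitor would report.

```python
# Added example, not AVLab's harness: match observed file-system and registry
# activity against the indicator tables above.  Paths are copied from the
# tables; the event format, verdict labels and helper names are assumptions.
import fnmatch
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Coarse verdicts an indicator hit is recorded as (see the text above).
REMOVED, NET_BLOCK, DETECTED = ("infected file removal",
                                "blocked network connection", "detected attack")

@dataclass(frozen=True)
class Indicator:
    product: str
    kind: str         # "file" or "registry"
    pattern: str      # glob; a leading '*' stands for any prefix (user profile)
    description: str  # wording from the table
    verdict: str

@dataclass(frozen=True)
class Event:
    kind: str    # "file" or "registry"
    target: str  # full path or registry key that was read or written

_ROWS = [  # (product, kind, pattern, description, verdict), from the tables
    ("ESET", "file", r"C:\ProgramData\ESET\ESET Security\Logs\virlog.dat",
     "Malware was removed or cured", REMOVED),
    ("ESET", "file", r"*AppData\Local\ESET\ESET Security\Quarantine",
     "Malware was quarantined", REMOVED),
    ("ESET", "file", r"C:\ProgramData\ESET\ESET Security\epfwlog.dat",
     "Blocking of traffic by a firewall", NET_BLOCK),
    ("ESET", "file", r"C:\ProgramData\ESET\ESET Security\Logs\urllog.dat",
     "Blocking of malware on a website", NET_BLOCK),
    ("Sophos", "file", r"C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED",
     "Information on a quarantine", REMOVED),
    ("Sophos", "registry",
     r"HKLM\SOFTWARE\WOW6432Node\Sophos\SAVService\ThreatLifetime\Threats",
     "Message about a threat found", DETECTED),
    ("Sophos", "file", r"C:\ProgramData\Sophos\Health\Event Store\Incoming"
                       r"\SAV-{67E677B9-A7CC-4136-B97E-B901C48655DC}.json",
     "Threat found", DETECTED),
    ("Sophos", "registry",
     r"HKLM\SOFTWARE\WOW6432Node\Sophos\Health\ThreatNotification\Severity",
     "Threat notification", DETECTED),
    ("Sophos", "registry",
     r"HKLM\SOFTWARE\WOW6432Node\Sophos\SAVService\Status\Infected\*",
     "Elevated security status", DETECTED),
    ("Sophos", "file", r"C:\ProgramData\Sophos\Sophos Anti-Virus\Temp\*",
     "Information on a threat", DETECTED),
    ("Comodo", "file", r"C:\ProgramData\Comodo\Cis\Quarantine\*",
     "Malware was quarantined", REMOVED),
    ("Comodo", "file", r"C:\VTRoot\*", "Virus was run in a sandbox", DETECTED),
    ("Comodo", "file", r"C:\ProgramData\Comodo\Firewall Pro\cislogs.sdb",
     "Information on an event in a firewall", NET_BLOCK),
    ("Comodo", "registry", r"HKLM\SYSTEM\VritualRoot\*",
     "Information on running in a sandbox", DETECTED),
]
INDICATORS: List[Indicator] = [Indicator(*row) for row in _ROWS]

def _norm(s: str) -> str:
    """Windows paths and registry keys are case-insensitive; unify separators."""
    return s.replace("/", "\\").lower()

def matches(ind: Indicator, ev: Event) -> bool:
    if ind.kind != ev.kind:          # a path spelled like a key is not a key
        return False
    pat, tgt = _norm(ind.pattern), _norm(ev.target)
    # Exact hit, or anything below a listed folder/key (a file dropped into
    # the quarantine folder, a value created under the threat key).
    return fnmatch.fnmatchcase(tgt, pat) or fnmatch.fnmatchcase(tgt, pat + "\\*")

def classify(ev: Event) -> Optional[Indicator]:
    """First indicator the event hits, or None for unrelated activity."""
    return next((i for i in INDICATORS if matches(i, ev)), None)

def verdicts(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """(product, description, verdict) for each event that hits an indicator."""
    hits = [classify(ev) for ev in events]
    return [(i.product, i.description, i.verdict) for i in hits if i is not None]

def live_file_hits(home: str = os.path.expanduser("~")) -> List[Indicator]:
    """Poll the file indicators on this machine (meaningful only on Windows with
    the product installed).  A continuous harness would hook the folders with
    ReadDirectoryChangesW / FileSystemWatcher instead of polling."""
    found = []
    for ind in INDICATORS:
        if ind.kind == "file":
            path = ind.pattern
            if path.startswith("*"):      # '*AppData\...' -> this user's profile
                path = os.path.join(home, path[1:])
            if os.path.exists(path.rstrip("*\\")):
                found.append(ind)
    return found

# Constructed sample activity, in the order a monitor might report it.
SAMPLE_EVENTS = [
    Event("file", r"C:\Users\lab\AppData\Local\ESET\ESET Security\Quarantine\sample.bin"),
    Event("registry", r"HKLM\SOFTWARE\WOW6432Node\Sophos\SAVService\ThreatLifetime"
                      r"\Threats\EICAR-AV-Test"),
    Event("file", r"C:\VTRoot\HarddiskVolume1\Users\lab\Desktop\payload.exe"),
    Event("file", r"C:\ProgramData\Comodo\Firewall Pro\cislogs.sdb"),
    Event("file", r"C:\Windows\Temp\unrelated.tmp"),   # hits nothing
]

if __name__ == "__main__":
    for product, desc, verdict in verdicts(SAMPLE_EVENTS):
        print(f"{product:7} {verdict:27} {desc}")
```

The prefix match is deliberate: a product never touches the quarantine folder or the threat key itself, it creates entries below them, so an exact-path comparison would miss every real hit. The `kind` check stops a file path that merely resembles a registry key from counting as a registry indicator, which matters once the same monitor feeds both kinds of events into one stream.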