This article provides recommendations and best practices to test different aspects of the security services in the Cato Cloud.
Note: These tests can involve real malware. Make sure that you run them in a safe, isolated environment.
Testing Anti-Malware Protection
Desired Outcome: File download over HTTP is blocked and shows the Cato block page. Download over HTTPS is only blocked after TLS inspection is enabled.
Make sure that TLS Inspection is disabled before you start this test.
- Go to the EICAR Test Virus website (http://www.rexswain.com/eicar.html) for sample malware files served over HTTP.
- Download eicar.com over HTTP. The download is blocked and the Cato block page is shown.
- Go to the EICAR website (https://www.eicar.org/?page_id=3950) for sample malware files served over HTTPS.
- Download eicar.com over HTTPS. The download succeeds, because the encrypted payload isn't inspected while TLS Inspection is disabled.
- Go to Security > TLS Inspection, enable TLS Inspection for the account, and click Save.
- Download eicar.com over HTTPS again (https://www.eicar.org/?page_id=3950). The download is now blocked.
- Use Monitoring > Events with the Anti-malware preset and review the events for the blocked malicious files.
Testing NG Anti-Malware Protection
Desired Outcome: File successfully downloads with only Anti-Malware protection enabled. After enabling NG Anti-Malware protection, the file download is blocked.
Make sure that you use a web download service such as WeTransfer that isn't included in an exception or in the Allow List. Otherwise the file download succeeds, because the file isn't scanned by the NG Anti-Malware engine.
- Go to Security > Anti-Malware, and configure these settings:
- Anti-Malware is enabled
- NG Anti-Malware is disabled
- Click here to download eicar.exe and the download is successful.
- Enable the NG Anti-Malware protection.
- Open a private or incognito window, and click here to download eicar.exe again. The download is blocked.
- Use Monitoring > Events with the Anti-malware preset to show the events for the blocked NG Anti-Malware file.
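The two download procedures above (Anti-Malware with and without TLS Inspection, and NG Anti-Malware on and off) can be driven from the command line instead of a browser. The script below is an added example, not code from the Cato article: it fetches a test-file URL with curl and classifies the response body as the delivered test file, a block page, or nothing at all. It assumes curl is installed on the test host, that a blocked download returns an HTML page (the Cato block page) instead of the file, and that the URLs you pass are the eicar.com / eicar.exe links from the steps above.

```shell
#!/bin/sh
# Added example (not Cato's code): scripted version of the EICAR download checks.
# classify_body decides from the response body whether the test file arrived or a
# block page was served; check_download fetches one URL with curl and reports it.

# Substring of the EICAR test string. Grepping for this substring, rather than
# embedding the full 68-byte signature, keeps this script from being an EICAR
# file itself.
EICAR_MARKER='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'

# classify_body FILE -> delivered | blocked | empty | unknown
classify_body() {
    body=$1
    if [ ! -s "$body" ]; then
        echo empty          # nothing came back (connection reset, timeout)
    elif grep -q "$EICAR_MARKER" "$body"; then
        echo delivered      # the test file reached the client: NOT blocked
    elif grep -qi '<html' "$body"; then
        echo blocked        # an HTML page instead of the file: block page
    else
        echo unknown        # some other payload; inspect it by hand
    fi
}

# check_download URL -> prints "URL -> verdict (HTTP status)"
# Deliberately no -k/--insecure: once TLS Inspection is enabled the site is
# re-signed by the Cato CA, so a certificate error here means that CA is not
# trusted by this host and the browser test would fail the same way.
check_download() {
    url=$1
    tmp=$(mktemp)
    status=$(curl -sS -L --max-time 20 -o "$tmp" -w '%{http_code}' "$url" 2>/dev/null) \
        || status=000
    verdict=$(classify_body "$tmp")
    rm -f "$tmp"
    printf '%s -> %s (HTTP %s)\n' "$url" "$verdict" "$status"
}

# Usage: sh eicar-check.sh URL [URL ...]
# Run it once per step, e.g. before and after enabling TLS Inspection or
# NG Anti-Malware, and compare the verdicts with the Desired Outcome.
for url in "$@"; do
    check_download "$url"
done
```

Because the verdict comes from the response body rather than from what the browser shows, a result of `delivered` over HTTPS while TLS Inspection is off is exactly the expected gap the first procedure demonstrates, and the same URL should flip to `blocked` after inspection is enabled. Confirm each blocked result in Monitoring > Events with the Anti-malware preset, as the steps describe.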
Testing IP Reputation with IPS
Desired Outcome: Attempts to access site/IP with poor reputation are blocked and the event is logged in Events.
- Use the following website to find domains that are known to have poor reputations: https://urlhaus.abuse.ch/downloads/text/
Note: It can take multiple tries to find an FQDN that still has a poor reputation. This is a list of low-rated domains, and IPS doesn't block all the domains on the website above.
- Try to access the site or IP with your browser (the easiest way to validate the block) or with telnet from a command prompt. Access to the site is blocked.
- Use Monitoring > Events and review the events for the blocked IPS traffic.
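Because not every domain on the list is still blocked, it helps to probe several candidates in one pass. The script below is an added example, not code from the Cato article: it parses the URLhaus plain-text feed named in the comments below into unique hosts and requests the root page of each one through the Cato tunnel. It assumes curl is installed; the feed URL comes from the comments, and everything else here is an assumption of this example. Run it only from an isolated test host, since the feed lists live malware sites.

```shell
#!/bin/sh
# Added example (not Cato's code): pull candidate hosts from the URLhaus text feed
# and probe each one, so the IPS reputation test can be repeated without clicking
# through the list by hand.

FEED_URL='https://urlhaus.abuse.ch/downloads/text/'

# extract_hosts: read the feed on stdin (one URL per line, "#" comment lines) and
# print the unique host names / IPs. Scheme, port, path and query are stripped.
extract_hosts() {
    grep -v '^#' | grep -v '^[[:space:]]*$' \
        | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/?].*$##; s#:[0-9]+$##' \
        | sort -u
}

# probe_host HOST: request the root of the site (not the malware path) and print
# the outcome. A response proves the IPS let the connection through (or served a
# block page; look at the body if in doubt). No response at all is either an IPS
# block or a host that is simply down, which cannot be told apart from the client
# side, so confirm the block in Monitoring > Events.
probe_host() {
    host=$1
    code=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code}' "http://$host/" 2>/dev/null) \
        || code=000
    case $code in
        000) printf '%s -> no response (IPS block or host down)\n' "$host" ;;
        *)   printf '%s -> response received (HTTP %s)\n' "$host" "$code" ;;
    esac
}

# Usage: sh ips-check.sh MAX_HOSTS
# Fetches the feed and probes the first MAX_HOSTS unique hosts.
if [ -n "${1:-}" ]; then
    curl -sS --max-time 30 "$FEED_URL" | extract_hosts | head -n "$1" \
        | while read -r host; do probe_host "$host"; done
fi
```

Hosts that return "no response" are the ones to cross-check against the blocked IPS events; a host that answers was either not blocked (the note above says IPS doesn't block every entry) or answered with a block page, which the Events list will also show.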
Thanks for your comment. I updated this section in the article to reflect that we are working to find a new website to find domains with poor IPS reputations.
We updated the Testing IP Reputations with IPS section with the following website to identify domains with a poor reputation: https://urlhaus.abuse.ch/downloads/text/
We added a new link to a file that lets you test the NG Anti-Malware protection.
This is the solution I wanted (Testing NG Anti-Malware Protection). Thank you!