This article provides recommendations and best practices to test different aspects of the Security services in the Cato Cloud.
Note: These tests can involve real malware. Make sure that you are testing them in a safe, isolated environment.
Desired Outcome: The file download over HTTP is blocked and shows the Cato block page. The download over HTTPS is only blocked after TLS Inspection is enabled.
Make sure that TLS Inspection is disabled before you start this test.
- Go to the EICAR website (http://www.rexswain.com/eicar.html) for sample HTTP malware files.
- Download eicar.com over HTTP. The download is blocked.
- Download eicar.com over HTTPS. The download is successful.
- Go to the EICAR website for sample HTTPS malware files.
- Go to Security > TLS Inspection, enable TLS Inspection for the account, and click Save.
- Download eicar.com over HTTPS. The download is now blocked.
- Use Home > Events with the Anti-malware preset to show the events for the blocked malicious files.
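An automated version of the three download checks above, added here as an example and not Cato's own tooling: it fetches the EICAR file, treats anything other than the intact 68-byte test file as blocked, and compares the result with the outcome the steps expect for each TLS Inspection state. The host in URLS is a placeholder for the eicar.com links on the EICAR page, and the script assumes the Cato block page never echoes the EICAR content back.

```python
import urllib.error
import urllib.request

# EICAR test string (68 bytes), built from two fragments so that this source
# file is not itself quarantined by endpoint anti-malware before it runs.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()

# Expected outcome per (scheme, TLS Inspection enabled), taken from the steps above.
EXPECTED = {
    ("http", False): "blocked",
    ("https", False): "downloaded",
    ("https", True): "blocked",
}
# Placeholder URLs (assumption): replace with the eicar.com links from the EICAR page.
URLS = {
    "http": "http://EICAR-HOST-PLACEHOLDER/eicar.com",
    "https": "https://EICAR-HOST-PLACEHOLDER/eicar.com",
}

def classify(status, body):
    """'downloaded' only if the intact EICAR file arrived. A block page (any
    status), a 4xx/5xx error, an empty body or a reset all count as blocked."""
    if status == 200 and body[:68] == EICAR:
        return "downloaded"
    return "blocked"

def fetch(url, timeout=15):
    """Return (status, body); HTTP errors and resets are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # e.g. 403 carrying the Cato block page
        return e.code, e.read()
    except (urllib.error.URLError, OSError):  # TLS reset, refused, timeout
        return None, b""

def expected_outcome(scheme, tls_inspection):
    return EXPECTED[(scheme, tls_inspection)]

def run_check(scheme, tls_inspection):
    """Download the file and compare the result with the expected outcome."""
    result = classify(*fetch(URLS[scheme]))
    expected = expected_outcome(scheme, tls_inspection)
    return result == expected, result, expected

if __name__ == "__main__":
    for scheme, tls in [("http", False), ("https", False), ("https", True)]:
        input(f"Set TLS Inspection {'on' if tls else 'off'} in Security > TLS Inspection, then press Enter: ")
        ok, got, want = run_check(scheme, tls)
        print(f"{scheme}: got {got}, expected {want} -> {'PASS' if ok else 'FAIL'}")
```

A FAIL on the HTTPS row with TLS Inspection off is expected behaviour only if inspection is actually disabled; a FAIL with it on means the event should be checked in Home > Events before assuming the engine missed the file.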
Desired Outcome: The file downloads successfully with only Anti-Malware enabled. After NG Anti-Malware is enabled, the file download is blocked.
Make sure that you are using a web download service such as WeTransfer that isn't included in an exception or the Allow List. Otherwise, the file download is successful because the file isn't scanned by the NG Anti-Malware engine.
- Navigate to Security > Anti-Malware, and configure these settings:
  - Anti-Malware is enabled
  - NG Anti-Malware is disabled
- Click here to download eicar_s1.txt. The download is successful.
- Enable NG Anti-Malware.
- Open a private or incognito window, and click here to download eicar_s1.txt again. The download is blocked.
- Use Home > Events with the Anti-malware preset to show the events for the files blocked by NG Anti-Malware.
Desired Outcome: An attempt to access a site hosted in a blocked country is blocked, and the event is logged in Events.
- Navigate to Security > IPS, and select the Geo Restriction tab.
- Create a rule that blocks Egypt.
- Open a private or incognito window, and try to access https://stdf.eg/ (a site hosted in Egypt). Access is blocked.
  Note: The IPS rule may take up to 10 minutes to become effective.
- Use the Home > Events page and review the events for the blocked IPS traffic.
4 comments
Jørn-Morten,
Thanks for your comment. I updated this section in the article to reflect that we are working to find a new website to find domains with poor IPS reputations.
We updated the Testing IP Reputations with IPS section with the following website to identify domains with a poor reputation: https://urlhaus.abuse.ch/downloads/text/
We added a new link to a file that lets you test the NG Anti-Malware protection.
Dear Yaakov,
This is the solution I wanted (Testing NG Anti-Malware Protection). Thank you!