Testing Threat Prevention for Anti-Malware and IPS

This article provides recommendations and best practices to test different aspects of the Security services in the Cato Cloud. 

Note: These tests can involve real malware. Make sure that you are testing them in a safe isolated environment.

Testing Anti-Malware

Desired Outcome: File download over HTTP is blocked and shows the Cato block page. Download over HTTPS is only blocked after TLS inspection is enabled.

Make sure that TLS Inspection is disabled before you start this test.

  1. Go to the EICAR Test Virus website (http://www.rexswain.com/eicar.html) for sample HTTP malware files.
  2. Download eicar.com over HTTP. The download is blocked.
  3. Download eicar.com over HTTPS. The download is successful.
    1. Go to the EICAR website (https://www.eicar.org/?page_id=3950) for sample malware files served over HTTPS.
  4. Go to Security > TLS Inspection, enable TLS Inspection for the account, and click Save.
  5. Download eicar.com over HTTPS and the download is blocked (https://www.eicar.org/?page_id=3950).
  6. Use Monitoring > Events with the Anti-malware preset and review the events for the blocked malicious files.

Testing NG Anti-Malware

Desired Outcome: File successfully downloads with only Anti-Malware enabled. After enabling NG Anti-Malware, the file download is blocked.

Make sure that you are using a web download service such as WeTransfer, which isn't included in an exception or the Allow List. Otherwise, the file download is successful because the file isn't scanned by the NG Anti-Malware engine.

  1. Go to Security > Anti-Malware, and configure these settings:
    • Anti-Malware is enabled
    • NG Anti-Malware is disabled
  2. Click here to download eicar_s1.txt. The download is successful.
  3. Enable NG Anti-Malware.
  4. Open a private or incognito window, and click here to download eicar_s1.txt again. The download is blocked.
  5. Use Monitoring > Events with the Anti-malware preset to show the events for the blocked NG Anti-Malware file.
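A small harness, added here and not part of the Cato article, that automates the download checks in the two Anti-Malware sections above: it fetches each test URL, decides whether the EICAR file arrived intact or something else (such as the Cato block page) came back, and compares that with the expected outcome. The URLs in CASES are placeholders; substitute the eicar.com and eicar_s1.txt links from the sites the article names.

```python
import hashlib
import urllib.request
from urllib.error import HTTPError, URLError

# EICAR test string, split in two so this source file does not itself start with
# it (the EICAR spec only requires detection when it is the first 68 bytes of a file).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_eicar(body: bytes) -> bool:
    """True if body is the EICAR file: the 68-byte string plus optional trailing whitespace."""
    return body.startswith(EICAR) and not body[len(EICAR):].strip()


def classify(status: int, body: bytes) -> str:
    """DELIVERED only if the test file came through intact; anything else
    (block page, error page, dropped connection) counts as BLOCKED."""
    return "DELIVERED" if status == 200 and is_eicar(body) else "BLOCKED"


def fetch(url: str, timeout: float = 10.0):
    """Return (status, body). An HTTP error page is returned rather than raised,
    because a block page may arrive with a non-200 status; a dropped connection
    is reported as status 0 with an empty body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()
    except URLError:
        return 0, b""


def run_checks(cases, fetch_fn=fetch):
    """cases: (label, url, expected) tuples. Returns (label, observed, sha256, passed) per case."""
    results = []
    for label, url, expected in cases:
        status, body = fetch_fn(url)
        observed = classify(status, body)
        results.append((label, observed, hashlib.sha256(body).hexdigest(), observed == expected))
    return results


if __name__ == "__main__":
    # Placeholder hosts: replace with the real EICAR file links before running.
    CASES = [
        ("HTTP download, Anti-Malware on", "http://PLACEHOLDER-HOST/eicar.com", "BLOCKED"),
        ("HTTPS download, TLS inspection off", "https://PLACEHOLDER-HOST/eicar.com", "DELIVERED"),
    ]
    for label, observed, digest, ok in run_checks(CASES):
        print(f"{'PASS' if ok else 'FAIL'}  {label}: {observed}  sha256={digest}")
```

Re-run the same CASES with the expectation for the HTTPS case flipped to BLOCKED after enabling TLS Inspection (or NG Anti-Malware for the eicar_s1.txt link) to confirm the policy change took effect.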

Testing IP Reputation with IPS

Desired Outcome: Attempts to access site/IP with poor reputation are blocked and the event is logged in Events.

  1. Use the following website to find domains that are known to have poor reputations:
  2. Try to access this site/IP with your browser (easiest way to validate the block) or using telnet from a command line prompt. You are blocked from accessing the site.
  3. Use Monitoring > Events and review the events for the blocked IPS traffic.


4 comments

  • Yaakov Simon

    Jørn-Morten,

    Thanks for your comment. I updated this section in the article to reflect that we are working to find a new website to find domains with poor IPS reputations.

  • Yaakov Simon

    We updated the Testing IP Reputations with IPS section with the following website to identify domains with a poor reputation: https://urlhaus.abuse.ch/downloads/text/

  • Yaakov Simon

    We added a new link to a file that lets you test the NG Anti-Malware protection.

  • Kiyofumi Takahashi

    Dear Yaakov,

    This is the solution I wanted (Testing NG Anti-Malware Protection). Thank you!
