This article provides recommendations and best practices to test different aspects of the Security services in the Cato Cloud.
Note: These tests can involve real malware. Make sure that you run them in a safe, isolated environment.
Desired Outcome: File download over HTTP is blocked and shows the Cato block page. Download over HTTPS is only blocked after TLS inspection is enabled.
Make sure that TLS Inspection is disabled before you start this test.
- Go to the EICAR website (http://www.rexswain.com/eicar.html) for sample malware files served over HTTP.
- Download eicar.com over HTTP. The download is blocked and the Cato block page is shown.
- Download eicar.com over HTTPS from the EICAR website (https://www.eicar.org/?page_id=3950), which serves the sample files over HTTPS. The download succeeds, because the encrypted payload is not scanned while TLS Inspection is disabled.
- Go to Security > TLS Inspection, enable TLS Inspection for the account, and click Save.
- Download eicar.com over HTTPS again. Now that the traffic is decrypted and scanned, the download is blocked.
- Use Monitoring > Events with the Anti-malware preset to show the events for the blocked malicious files.
Desired Outcome: File successfully downloads with only Anti-Malware enabled. After enabling NG Anti-Malware, the file download is blocked.
Make sure that you use a web download service such as WeTransfer that isn't included in an exception or in the Allow List. Otherwise, the file isn't scanned by the NG Anti-Malware engine and the download succeeds.
- Go to Security > Anti-Malware, and configure these settings:
  - Anti-Malware is enabled
  - NG Anti-Malware is disabled
- Click here to download eicar_s1.txt. The download succeeds.
- Enable NG Anti-Malware.
- Open a private or incognito window (so that the browser doesn't serve the file from its cache), and click here to download eicar_s1.txt again. The download is blocked.
- Use Monitoring > Events with the Anti-malware preset to show the events for the files blocked by NG Anti-Malware.
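The two Anti-Malware procedures above (eicar.com with and without TLS Inspection, and eicar_s1.txt with and without NG Anti-Malware) are the same test repeated under different settings, so it is worth scripting. The script below is an added example, not code from the article or from Cato Networks. It assumes, beyond what the article states, that a block page is an HTML response recognisable by a 403/451 status or by the placeholder BLOCK_PAGE_MARKER text (set that to wording from your tenant's block page), that a sample file which is not blocked is served unmodified, and that the "no decryption, no scan" rule the article gives for eicar.com over HTTPS also applies to eicar_s1.txt. The direct file URLs are not on the page, so they are passed on the command line.

```python
"""Scripted form of the EICAR download tests from the Anti-Malware procedures.

Added example; not code from the article or from Cato Networks. See the
assumptions in the lead-in: block-page detection (BLOCK_PAGE_MARKER is a
placeholder), unmodified delivery of unblocked samples, and the HTTPS rule.
"""
import sys
import urllib.error
import urllib.request

# The 68-byte EICAR test string, assembled from parts so that this script is not
# itself flagged by an endpoint scanner while it sits on disk.
EICAR_BYTES = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
               b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
               b"H+H*")
assert len(EICAR_BYTES) == 68

BLOCK_PAGE_MARKER = b"blocked"   # assumption: adjust to your block page's wording


def expected_outcome(scheme, tls_inspection, sample, ng_anti_malware=True):
    """Outcome the article predicts for one download attempt.

    scheme is 'http' or 'https'; sample is the file name, 'eicar.com' (caught by
    Anti-Malware) or 'eicar_s1.txt' (caught only by NG Anti-Malware).
    """
    if scheme == "https" and not tls_inspection:
        return "delivered"        # encrypted payload is never handed to the engine
    if sample == "eicar_s1.txt" and not ng_anti_malware:
        return "delivered"        # the classic engine does not flag this sample
    return "blocked"


def classify(status, content_type, body):
    """Classify one HTTP response as 'delivered', 'blocked' or 'unknown'."""
    if EICAR_BYTES in body:
        return "delivered"        # the test signature reached the client
    is_html = content_type.lower().startswith("text/html")
    if status in (403, 451) or (is_html and BLOCK_PAGE_MARKER in body):
        return "blocked"
    if status == 200 and not is_html:
        return "delivered"        # some non-HTML payload was served as-is
    return "unknown"


def fetch(url, timeout=20):
    """GET url with caching disabled (the curl equivalent of the article's
    'private or incognito window' step) and return (status, content_type, body).
    A block page delivered with a 4xx status is returned, not raised."""
    req = urllib.request.Request(
        url, headers={"Cache-Control": "no-cache", "Pragma": "no-cache"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def main(argv):
    """usage: eicar_check.py <tls_inspection on|off> <ng_anti_malware on|off> URL..."""
    if len(argv) < 4:
        print(main.__doc__)
        return 2
    tls_on, ng_on = argv[1] == "on", argv[2] == "on"
    mismatches = 0
    for url in argv[3:]:
        scheme = url.split("://", 1)[0].lower()
        sample = url.rsplit("/", 1)[-1].split("?", 1)[0]
        want = expected_outcome(scheme, tls_on, sample, ng_on)
        got = classify(*fetch(url))
        mismatches += got != want
        state = "OK      " if got == want else "MISMATCH"
        print(f"{state} {url}: expected {want}, observed {got}")
    return 1 if mismatches else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per configuration from a machine behind the Cato Socket or Client, passing the current state of the two settings and the direct URLs of the sample files; a non-zero exit means at least one download did not behave as the article predicts. An "unknown" verdict usually means the block page does not contain BLOCK_PAGE_MARKER, so look at the body and adjust it. If you test in a browser instead, the certificate shown for the HTTPS site is a quick way to confirm the TLS Inspection state: after enabling inspection it is issued by the inspecting CA rather than by the site's public CA.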
Desired Outcome: Attempts to access site/IP with poor reputation are blocked and the event is logged in Events.
- Use the following website to find domains that are known to have poor reputations: https://urlhaus.abuse.ch/downloads/text/
  Note: It can take multiple tries to find an FQDN that still has a poor reputation. This is a list of low-rated domains, and IPS doesn't block all the domains in it.
- Try to access the site or IP with a browser (the easiest way to validate the block) or with telnet from a command prompt. You are blocked from accessing the site.
- Use the Monitoring > Events screen and review the events for the blocked IPS traffic.
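Because only some of the listed domains are still blocked, the practical way to run this test is to pull a batch of candidates from the feed and try each one, as the telnet step does by hand. The script below is an added example, not code from the article or from Cato Networks. It assumes the layout of the URLhaus text feed (lines beginning with # are comments, every other non-empty line is one URL); SAMPLE_FEED is constructed in that layout from reserved example names and addresses so that the parser can be exercised offline, and the feed itself is downloaded only when the script is run without a saved copy.

```python
"""Pick candidate hosts for the IPS reputation test from the URLhaus text feed.

Added example; not code from the article or from Cato Networks. Assumes the
feed layout (comment lines start with '#', every other non-empty line is a URL).
SAMPLE_FEED is a constructed stand-in using RFC 2606 / RFC 5737 reserved names.
"""
import socket
import sys
import urllib.parse
import urllib.request

FEED_URL = "https://urlhaus.abuse.ch/downloads/text/"

# Constructed sample in the feed's layout; no real hostnames from the feed appear here.
SAMPLE_FEED = """\
################################################################
# abuse.ch URLhaus Database Dump (Distribution Format)         #
################################################################
#
http://bad.example/files/loader.exe
http://bad.example/files/second.exe
http://198.51.100.7:8080/bin.sh
https://worse.example/
ftp://files.example/drop.zip

http://192.0.2.44/a.php
"""

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_feed(text):
    """Yield (scheme, host, port, url) for every URL line in the feed."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = urllib.parse.urlsplit(line)
        if not parts.hostname:
            continue
        try:
            port = parts.port or DEFAULT_PORTS.get(parts.scheme, 80)
        except ValueError:        # malformed port in the feed line
            continue
        yield parts.scheme, parts.hostname, port, line


def pick_candidates(text, limit, schemes=("http",)):
    """First `limit` distinct (host, port) pairs with one URL each.

    Plain HTTP is the default because its block page is visible without TLS
    Inspection; pass schemes=("http", "https") once inspection is enabled."""
    seen, out = set(), []
    for scheme, host, port, url in parse_feed(text):
        if scheme not in schemes or (host, port) in seen:
            continue
        seen.add((host, port))
        out.append((host, port, url))
        if len(out) == limit:
            break
    return out


def probe(host, port, timeout=5.0):
    """TCP connect, like the article's telnet step.

    Returns 'connected', 'refused', 'timeout', 'dns_failure' or 'reset'. An IPS
    block normally shows as 'reset' or 'timeout', but so does a dead host, so the
    verdict is confirmed in Monitoring > Events, not inferred from here alone."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.gaierror:
        return "dns_failure"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "reset"


def main(argv):
    """usage: ips_candidates.py [limit] [saved_feed.txt]"""
    limit = int(argv[1]) if len(argv) > 1 else 10
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        with urllib.request.urlopen(FEED_URL, timeout=30) as resp:
            text = resp.read().decode("utf-8", "replace")
    for host, port, url in pick_candidates(text, limit):
        print(f"{probe(host, port):>11}  {host}:{port}  ({url})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine behind Cato, then match the printed hosts against the IPS events in Monitoring > Events: a host that shows as reset or timed out here and has a corresponding IPS block event is a confirmed block, while one that connected is simply no longer rated badly and you move on to the next candidate. Browsing to one of the http:// URLs remains the quickest way to see the block page itself.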
4 comments
Jørn-Morten,
Thanks for your comment. I updated this section in the article to reflect that we are working to find a new website to find domains with poor IPS reputations.
We updated the Testing IP Reputations with IPS section with the following website to identify domains with a poor reputation: https://urlhaus.abuse.ch/downloads/text/
We added a new link to a file that lets you test the NG Anti-Malware protection.
Dear Yaakov,
This is the solution I wanted (Testing NG Anti-Malware Protection). Thank you!