This article is contributed. See the original author and article here.
Dear IT Pros,
I would like to make this article more fluid and less dry, with the hope that not all my blog articles’ contents are too serious and too long to read. Let me start with a story.
Once upon a beautiful day, the Security Boss came to your desk and asked if the systems had passed all the security tests. Oh um…, you then wonder what tests are they? The Boss continue asking:
- Really, do we have “an security examination” for system recently, how is the test for them look like?
Then, comes another story, on a certain Friday, a Company VIP brought his/her laptops to your desk and ask if it is safe from all threats. He or She then, request you to be sure that the Bitcoin Miners has not taken advantage and been using the compromised computer for their illegal money producing with “Java script Web Miner”. The VIP complained:
- I traveled around the World, I surf the net from hotel rooms and browse many public web sites, so I do not want to be a victim of Web Miners attack. Here is the advertisement about the coin mining activities, what could we do to block this kind of script? Then the VIP show you the following image:
After viewing the image, with a little bit shocking, you think:
- Surely, I want to check if my anti-malware be able to catch them all. But how and where to start with a test site?
Well, to answer the question, we will continue discussing the testing and test sites you could use to conduct the examinations towards those systems.
- Pass the SmartScreen test
First we will use the tests from Microsoft SmartScreen demo site, https://demo.smartscreen.msft.net we could do the tests against the Edge browser to be sure it was protected against phishing page, malware page, malvertising, … All the tests will be conducted with fake virus and cause no harm to systems.
Malvertising (a portmanteau of “malicious advertising”) is the one popped up on a legitimate website, it asked you to click on a link to repair or to clean up your PC, the truly malicious link which cause damage when the innocent victim click on it. Once the PC become damage to the point of pausing all its activities, the attacker then asks for a payment to repair the problem PC. You may recognize and familiar with the following advertising attack:
Or this one:
The advertisements in the internet are largely automated, with only limited human involvement. Attacker take the advantage and try to inject malicious code into the normal, benign ad page. If successful, their infected ad will sneak through the security systems of an internet advertisement network. Even highly trusted ad networks have distributed malicious ads because of attacker’s malvertising technique.
Please make sure to enable SmartScreen or other Web protection policy for your Company Systems ASAP and test malvertising by using Microsoft SmartScreen demo site.
Edge, IE’ SmartScreen tests
- Pass the Defender tests
For the comprehensive tests, we could use Microsoft Defender Demo site,
https://demo.wd.microsoft.com. I include all tests which your systems must pass in the following table:
| Cloud-delivered protection
|
Test if your Microsoft Defender Antivirus is able to report to ATP cloud service, Microsoft Advanced Protection Service (MAPS)
Detailed test steps: |
| Block At First Sight (BAFS) Sign in required
|
Test if your next generation of Anti-Virus software with Cloud based service, can block new malware just coming to the Wild for the first time and its signature is not even in Virus Definition list yet.
During the test, a fake virus file will be downloaded. |
| Potentially Unwanted Applications (PUA)
|
Potentially Unwanted Applications (PUA) like adware, cryptocurrency miner, coin miner, … They might perform actions on endpoints that adversely affect system performance.
To test:
|
| Attack Surface Reduction (ASR)
|
Proactive threat prevention by Attack Surface Reduction |
| Controlled Folder Access (CFA)
|
Proactive threat prevention by Attack Surface Reduction
To test: Use the CFA test tool to simulate an untrusted process by writing to a protected folder. Launch CFA test tool. Select the desired folder and create a file. You can find more information here |
| Network Protection (NP)
|
Proactive threat prevention by Attack Surface Reduction |
| Exploit Protection (EP)
|
Proactive threat prevention by Attack Surface Reduction |
| VDI testing guide
|
Download this guide to test new virtual desktop infrastructure security intelligence update features. This requires VMs and a host running Windows 10 Insider Preview build 18323 or later. |
- Pass the Security Industry AMTSO tests
After successfully testing your environment with Microsoft demo, you could continue testing with Anti-Malware Industry Testing Site named AMTSO, www.amtso.org, it is partner with all the big vendors such as Checkpoint, Sophos, McAffee, Symantec, totalAV, Trend Micro, AV Test, F-Secure, Kapersky… for standardized testing purposes.
Let us have a look at its introduction page:
- What test you could proceed with AMTSO website, here are the ones:
- Your system must pass all the applicable tests.
- The test name, “Is connected to a cloud-based lookup system” is used for AV software who is capable of filtering Web URL based on Web reputation list, black list provided by Cloud based service like Microsoft Endpoint Protection (WD ATP), Crowdstrike and FireEye,…
Test Result:
Besides blocking and warning events provided by your Antivirus software during test time, if you have setup security alert on endpoint protection service or Azure security center, you will receive alert Email Messages similar to the following one:
Alert shown in Microsoft Defender Endpoint Protection portal (securitycenter.windows.com):
- An Aggressive Test
Lastly if you still want an aggressive way to vigorously test the system if it is blocking the java script cryptocurrency miner?
You could consider using another testing site and browse the site, www.wicar.org for testing on “cryptocurrency miner”. But first, let us read the Wicar.org introduction page:
- the list of tests is shown in the following image, it includes test for Java script running Cryptocurrency,
- if you test and fail, Wicar.org will be able to run the script during your visiting time and collect a fraction of a dollar or few cents to fund its testing web site operation.
Test result
You AV should be able to block “Java Script Cryto Miners” as shown in this image:
Well, up to this point of time, it seems that my blog article has become too long!
Should I stop it right here?
I hope the blog is not boring but useful.
Until next time.
_____________________________________________
Reference:
- https://www.cnet.com/how-to/how-to-stop-sites-from-using-your-cpu-to-mine-coins/
- https://olympia.windows.com/info/features
- https://www.amtso.org/security-features-check/
- https://demo.smartscreen.msft.net/
- https://www.fireeye.com/blog/threat-research/2008/11/the-case-against-url-blacklists.html
- https://www.crowdstrike.com/epp-101/advanced-persistent-threat-apt/
- https://demo.wd.microsoft.com/
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Recent Comments