To conclude how good the protection is, I test a product continuously for 14 days.
To perform the test I use samples and links collected from several sources, such as any.run, Hybrid Analysis, MalwareBazaar and others. I have several email addresses that have been breached and registered on not-so-trustworthy websites, so these receive a vast number of phishing emails. I analyse relations on VirusTotal and discover more and more malware and links.
Every day the test includes:
- 5 Phishing Links
- 5 Malicious Links
- 5 Malware Executables (*.exe files)
- 5 Malicious Word/Excel Documents
- 5 Scripts that abuse Windows processes
- 5 Loaders that rely on PowerShell. I do not download these, but rather copy and paste the code into PowerShell.
- A few Java malware files (*.jar)
I do not handpick links, but I specifically choose samples that are more difficult to detect (evasive, compressed, packed etc.). It's not necessary for these samples to be 0-days, but they should be prevalent.
The test has two outcomes: success (everything blocked) or failure (something has been missed).
A product must block everything to be successful.
It's not necessary for the malware sample to be deleted - for example blocking a loader from downloading any additional files is good enough.
At the end I use HitmanPro, Norton Power Eraser and RogueKiller, as well as various utilities such as Process Explorer, to establish whether everything has been blocked (when a behavioural blocker has been involved).
In case of ransomware, products that support Secure Folders should keep the selected folders unencrypted.
I discard PUPs from the test, because different vendors have different understandings of what a PUP is. I consider misleading applications a form of malware.
As a last stage of the test I usually register a service, a scheduled task and auto-run pointing to a malware sample and containing malicious PowerShell code. I perform a scan and then check whether everything has been removed.
From time to time I can come up with other tests. These will be discussed in separate threads.
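The last-stage persistence check described above (service, scheduled task and autorun entry, then a scan, then a check of what survived) can be scripted so the before/after comparison is repeatable. The harness below is an added example, not the poster's own tooling: the sample path, the entry names and the placeholder task command are assumptions, and in the real test the placeholder path would be the malware sample and the task would carry the malicious PowerShell. It must run elevated in a disposable VM.

```powershell
# Added example, not from the original post. Registers three persistence
# entries that point at a placeholder, so that a product's scan can be judged
# on whether it removes them. Names and paths are assumptions.

$Tag     = 'AVTest'                          # marker shared by all entries, eases cleanup
$Payload = 'C:\Samples\payload.exe'          # placeholder; the malware sample path in the real test
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Placeholder for the PowerShell the scheduled task would launch in the real test.
$TaskCmd = "-NoProfile -WindowStyle Hidden -Command `"Start-Process '$Payload'`""

function Install-Persistence {
    # 1. Service whose binary is the sample (auto-start, survives reboot).
    New-Service -Name "$Tag-Service" -BinaryPathName $Payload `
        -StartupType Automatic -ErrorAction Stop | Out-Null

    # 2. Scheduled task that runs PowerShell at every logon.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $TaskCmd
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName "$Tag-Task" -Action $action -Trigger $trigger -Force | Out-Null

    # 3. Run-key autorun pointing at the sample.
    New-ItemProperty -Path $RunKey -Name "$Tag-Run" -Value $Payload `
        -PropertyType String -Force | Out-Null
}

function Test-Persistence {
    # $true means the entry is still present after the scan, i.e. a miss.
    # SampleOnDisk is informational only: per the post, a sample left on disk
    # is not counted as a failure as long as it has been neutralised.
    [PSCustomObject]@{
        Service       = [bool](Get-Service -Name "$Tag-Service" -ErrorAction SilentlyContinue)
        ScheduledTask = [bool](Get-ScheduledTask -TaskName "$Tag-Task" -ErrorAction SilentlyContinue)
        RunKey        = [bool](Get-ItemProperty -Path $RunKey -Name "$Tag-Run" -ErrorAction SilentlyContinue)
        SampleOnDisk  = Test-Path $Payload
    }
}

function Remove-Persistence {
    # Manual cleanup of whatever the product left behind.
    Stop-Service -Name "$Tag-Service" -ErrorAction SilentlyContinue
    sc.exe delete "$Tag-Service" | Out-Null
    Unregister-ScheduledTask -TaskName "$Tag-Task" -Confirm:$false -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $RunKey -Name "$Tag-Run" -ErrorAction SilentlyContinue
}

# Usage: Install-Persistence; run the product's full scan; Test-Persistence.
# Under the post's all-or-nothing rule, any $true in Service, ScheduledTask
# or RunKey counts as a failure. Finish with Remove-Persistence.
```

Registering the service succeeds even if the placeholder is not a real service binary; the point of the check is whether the product removes the registration, not whether the entry runs. Remove-Service only exists on PowerShell 6 and later, which is why cleanup uses sc.exe.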