I'm looking for a way to emulate virus-like behaviour for testing exclusions in anti-virus software. Can anyone recommend some behaviour that I can put together in a quick script which would trigger a typical realtime anti-virus scanner?

+3  A: 

Most antivirus programs work on a signature database, not heuristic detection, so most of them won't notice anything at all unless you write a program with the same signature as one that they're looking for.

If you do have a heuristic-based detection program, just try some obvious virus behavior like modifying settings that control which programs launch at startup, checking processes for common antivirus program names, etc. You may be able to look up documentation for your specific program and find out exactly which heuristics it uses to try and detect viruses based on behavior. It'll be pretty hard to find much of use by just firing off "a virus might do something like this" behaviors blindly.

Chad Birch
+1  A: 

Back in 2000 there was the ILOVEYOU virus (love bug) which was just a VBScript that overwrote files on the infected machine with copies of itself and emailed itself out through Outlook. The Outlook hole has been fixed but the part about copying itself over all files of a specific extension is a good heuristic to try and copy.

Jeremy
+5  A: 

Are you looking for something like the Eicar test file?

If you want to hand-code virus-like behaviour, I can tell you that I've had trouble with anti-virus applications and the LowLevelKeyboardProc() and SetWindowsHookEx() functions. If the anti-virus application uses heuristics, it usually warns about keylogger-like actions.

John T
The Eicar test file is the standard way to test anti-virus in a safe way.
Douglas Leeder
+1 for the Eicar link. Neat stuff
joveha
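The EICAR test file mentioned in the answer above, as an added example that is not part of the original thread: it builds the standard 68-byte string, validates files against the published format rules (string first, only whitespace after it, at most 128 bytes), and drops a copy into each directory passed on the command line so that an excluded and a non-excluded folder can be compared side by side. The directory names and the two-second wait are assumptions for illustration.

```python
import os
import sys
import time

# The standard EICAR test string (68 bytes). It is harmless by design and is
# recognised by essentially every scanner, which is what makes it suitable for
# checking exclusions without using real malware.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def is_valid_eicar(data: bytes) -> bool:
    """Check data against the EICAR format rules: the 68-byte string must be
    the very first bytes, only whitespace may follow, and the whole file may
    not exceed 128 bytes. Anything else is not guaranteed to be detected."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def write_eicar(directory: str, name: str = "eicar.com") -> str:
    """Write an EICAR file into `directory` and return its path. A real-time
    scanner is expected to quarantine it immediately unless the directory
    (or the file name) is covered by an exclusion."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(EICAR + b"\n")
    return path


def survives(path: str, wait_seconds: float = 2.0) -> bool:
    """Return True if the file is still present and intact after a short
    wait, i.e. the scanner left it alone (expected only inside an exclusion)."""
    time.sleep(wait_seconds)
    try:
        with open(path, "rb") as fh:
            return is_valid_eicar(fh.read())
    except OSError:
        return False


if __name__ == "__main__":
    # Usage (assumed): python eicar_check.py <excluded_dir> <normal_dir>
    # The exclusion works as intended when only the first copy survives.
    for directory in sys.argv[1:]:
        path = write_eicar(directory)
        status = "still present" if survives(path) else "removed or blocked"
        print(f"{path}: {status}")
```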
+1  A: 

Here's an interesting article on behavior-based detection; it's old, but it sounds like that might be what you are looking to do.

http://www.securityfocus.com/infocus/1557

Also you may want to take a look at SARC (Symantec Antivirus Research Center). If you look into some of the latest threats, the technical details and removal instructions clue you in on what they do when infecting the system.

Here's an example:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-050707-0639-99

atom255
Interestingly, it is not straightforward to rule out legitimate activity. These days plenty of apps get installed, change files and the registry, talk to the Internet, etc.
atom255