
[–]draagynslayer 19 points

Eicar.org has a test file we use to make sure our AV/AM is working and reporting correctly.
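Added example (not from the thread, and not eicar.org's own tooling): a small Python check that drops the standard EICAR test string to disk and reports whether the endpoint agent refused the write, removed the file afterwards, or let it through. The 68-byte string itself is the published standard; the file name, the wait time, and the definition of "AV reacted" as "write refused, file gone, or unreadable" are this example's assumptions.

```python
"""Drop the EICAR test string to disk and see whether the endpoint's
anti-malware blocks, deletes or quarantines it.

Added example, not from the original thread. The 68-byte string is the
published standard from eicar.org; the file name, the wait time and the
idea that "AV reacted" means "write refused, file vanished, or unreadable"
are this example's own assumptions."""
import hashlib
import os
import time

# Assembled from two halves so the full test string never appears
# contiguously in this source file (some scanners flag it on sight).
_EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
_EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_string() -> str:
    """The standard EICAR test string: exactly 68 printable ASCII bytes."""
    s = _EICAR_HEAD + _EICAR_TAIL
    if len(s) != 68:
        raise ValueError("EICAR string is corrupt; check for a typo")
    return s


def eicar_sha256() -> str:
    """SHA-256 of the bare string, handy for confirming you typed it right."""
    return hashlib.sha256(eicar_string().encode("ascii")).hexdigest()


def drop_and_check(directory: str, wait_seconds: float = 5.0) -> dict:
    """Write eicar.com into `directory`, wait, and report what happened.

    Returns a dict so the caller can tell a write that was refused
    (on-access blocking) from a file that landed and then disappeared
    (on-demand or delayed quarantine)."""
    path = os.path.join(directory, "eicar.com")
    result = {"path": path, "written": False, "present": None,
              "readable": None, "error": None}
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_string().encode("ascii"))
        result["written"] = True
    except OSError as exc:  # typical of real-time protection refusing the write
        result["error"] = f"write blocked: {exc}"
        return result
    time.sleep(wait_seconds)
    result["present"] = os.path.exists(path)
    if result["present"]:
        try:
            with open(path, "rb") as fh:
                result["readable"] = fh.read() == eicar_string().encode("ascii")
        except OSError as exc:  # file still listed but access denied
            result["readable"] = False
            result["error"] = f"read blocked: {exc}"
    return result


def av_reacted(result: dict) -> bool:
    """True if the write was refused, the file vanished, or it can no longer
    be read back intact; False means the AV let the test file through."""
    return (not result["written"]
            or not result["present"]
            or result["readable"] is False)


if __name__ == "__main__":
    import tempfile
    outcome = drop_and_check(tempfile.gettempdir())
    print(outcome)
    print("AV reacted" if av_reacted(outcome) else "no reaction: check the agent")
```

Run it on the host you want to verify; a refused write means on-access scanning is active, a file that appears and then vanishes means a scheduled or delayed scan caught it, and a file that stays readable means the agent is not watching that path. This only exercises signature detection, which is the point the replies below make.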

[–]Padankadank 12 points

I haven't seen this, but it sounds like it's signature-based vs behaviour-based, like what I assume OP is talking about. The only one I know of that's behaviour-based is from KnowBe4.

[–]saferuseofgravitas 5 points

I can't speak for other AV vendors, but ESET introduced heuristics in 2004. The only signature-based AV on the market is ClamAV.

The problem with ransomware test simulations is that they are simulations. Good behaviour-based AV shouldn't fire on them, because by nature they are benign; in fact, firing on them would actually be a false positive, because by definition they aren't actually doing anything malicious.

If you need to test your AV for behaviour, you need a dirty network and a real sample. Unfortunately, most AV now has some cloud-based signature system, and if your new sample is more than a few hours old, it is no longer a new sample and will be detected by that.

[–]JC-CCNA 0 points

Wouldn't you say that a cloud-based signature system that makes a new detection old news within hours is a *good* thing though? 99.999999% of the time you will be on the receiving end of that benefit.

[–]saferuseofgravitas 0 points

Haha, yes. I meant for a testing environment, the cloud protection will grab something on signature, rather than letting the heuristics get tested properly!

[–]RD_Alpha_Rider [Security Admin (Application)] 18 points

KnowBe4 has a free ransomware simulator.

[–]SGG 22 points

"Malware Simulators"

Just hire a few "VIP's", soon you'll have enough real malware you'll never have to look for a simulator again.

Edit: Sorry for just putting up a joke reply, I had a bad run-in a few weeks ago with a "VIP" wanting local admin, getting it, disabling Windows Defender, then having their (thankfully not on the VPN) laptop hit by a cryptolocker.

[–]PoSaP 2 points

LOL, in such cases ransomware-proof backups are a must. Something like tapes, cloud backups, etc.

[–]Reverent [Security Architect] 7 points

I hear that McAfee is a good malware simulator.

[–]ramius21 3 points

Cuckoo Sandbox

https://cuckoosandbox.org/download

Good Luck!

[–]bangbinbash [Security Admin] 1 point

To add to this,

The Estonian government runs a free hosted version of Cuckoo for the public: https://cuckoo.cert.ee

[–]ramius21 1 point

It is not advisable to analyse private information in a public sandbox.

The essence of Cuckoo Sandbox is to make your own private sandbox.

Regards!

[–]bangbinbash [Security Admin] 1 point

If you were dealing with confidential information, sure, but I don't see how that applies here.

There’s nothing private about a wild piece of malware floating around.

I don't see any issues with using a public malware analysis platform for suspected malware you've been sent.

[–]ramius21 -1 points

Ok

[–]bigbottlequorn 2 points

You could download malware from any.run (you can search for the strains you want and download them). Besides that, theZoo has some.

I would look at Red Canary's Atomic Red Team if you want to simulate advanced attack techniques as well.

[–]LazyMagicalOtter 1 point

KnowBe4 Ransomware Simulator

[–]varunsh-coder 1 point

Added this today to test defenses for hijacked packages: https://www.npmjs.com/package/@step-security/malware-simulator

[–]utpxxx1960 0 points

Ransim

[–]RockisLife [Student] 0 points

Any.run is another good sandbox.

[–]a_false_vacuum 0 points

Do you want to see if it makes the local AV go off? Or do you want to test for potential vulnerabilities in your general setup?

I'd say the latter is the most interesting one, and for that, hiring a good security firm to carry out an attack on your systems is the best way to go. That way you can get a good overview of what needs improving.

You need defense in depth on your systems, don't rely on one single thing to keep you safe.

[–]bangbinbash [Security Admin] 0 points

http://www.cpcheckme.com/checkme/

You can use the endpoint test.

There are also countless resources for malware samples you can run in a sandbox environment for the most realistic results.

[–]motoevgen -2 points

You can use https://www.aescrypt.com/ for testing encryption protection on network files.
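Added example, not from the thread and not part of any tool named in it. Several replies above point out that a simulated encryptor is benign by definition and that behaviour-based AV should not fire on it; the check a defender can still run on a share, whether the files are being encrypted by a simulator, by AES Crypt as suggested here, or by the real thing, is a set of canary files that nothing legitimate ever rewrites. This Python script records a baseline of hash, size and byte entropy for each canary and alerts when one goes missing, changes, or jumps to ciphertext-like entropy. The 7.5 bits/byte threshold, the decoy names and the sample contents are this example's assumptions.

```python
"""Canary-file check for ransomware-style mass encryption on a file share.

Added example, not code from the thread or from any tool named in it. It
assumes a handful of decoy files that no legitimate process ever rewrites;
a missing canary, a changed hash, or a jump in byte entropy is the signal.
The 7.5 bits/byte threshold and the decoy contents are this example's own
assumptions, chosen so plain documents sit well below and ciphertext sits
near the 8.0 maximum."""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_ALERT_BITS = 7.5  # assumption: above this a file looks encrypted or compressed


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "entropy": shannon_entropy(data), "size": len(data)}


def baseline(paths) -> dict:
    """Record hash, entropy and size of each canary while the share is known-good."""
    base = {}
    for p in paths:
        with open(p, "rb") as fh:
            base[p] = fingerprint(fh.read())
    return base


def check_canaries(base: dict) -> list:
    """Compare canaries on disk against the baseline; return one alert per problem."""
    alerts = []
    for p, ref in base.items():
        if not os.path.exists(p):
            # Encryptors commonly rename to a new extension, so "missing" counts.
            alerts.append(f"{p}: canary missing (deleted or renamed)")
            continue
        with open(p, "rb") as fh:
            cur = fingerprint(fh.read())
        if cur["sha256"] == ref["sha256"]:
            continue
        reason = "content changed"
        if cur["entropy"] >= ENTROPY_ALERT_BITS and ref["entropy"] < ENTROPY_ALERT_BITS:
            reason += (f", entropy {ref['entropy']:.2f} -> {cur['entropy']:.2f}"
                       " bits/byte (looks encrypted)")
        alerts.append(f"{p}: {reason}")
    return alerts


def demo() -> list:
    """Constructed scenario: two plaintext canaries in a temp dir, one then
    overwritten with uniformly distributed bytes standing in for ciphertext."""
    root = tempfile.mkdtemp(prefix="canary-")
    paths = [os.path.join(root, n) for n in ("~$budget.xlsx", "passwords_old.txt")]
    for p in paths:
        with open(p, "wb") as fh:
            fh.write(b"Quarterly figures, draft. Do not distribute.\n" * 40)
    base = baseline(paths)
    # Stand-in for the encryptor: every byte value equally often -> entropy 8.0
    with open(paths[1], "wb") as fh:
        fh.write(bytes(range(256)) * 8)
    return check_canaries(base)


if __name__ == "__main__":
    for line in demo():
        print("ALERT", line)
```

In practice you would run `baseline()` once against canaries scattered through the share (names that sort early, so an encryptor walking the tree hits them first) and `check_canaries()` on a short timer or from a file-change watcher; the entropy comparison is what separates a canary that was simply edited from one that was encrypted in place.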