
For information security researchers, testing and simulating specific environments and experiments is essential. This is especially true with rampant malware such as ransomware: if we used live virus samples for our security tests, we would be exposing ourselves to high risk.

Antivirus software and enterprise firewalls usually detect viruses and other attacks by 「signatures」. In theory a false positive is possible; in practice it rarely happens.

This article walks you through, in the simplest way possible, how antivirus software blocks an attack and destroys an unsafe file, even if you have no IT background. I will demonstrate with EICAR.


First, create a new Notepad file in any folder (for example the desktop or drive D:) and edit its contents; you can copy the test signature below and paste it into Notepad:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Then save it as an executable file (for how to change the file extension on Windows, see here), as shown in the figure:

[image: 01.png]


Second, type the keyword 「defender」 into the Windows search box; 「Windows Security」 should appear. Open it.


[image: 02.png]


Third, go to 「Virus & threat protection」 -> 「Scan options」 -> 「Custom scan」 and click 「Scan now」. After clicking Scan now, choose the folder location; for example, I created a folder on the desktop named Lab environment.

[image: 03.png]


After the scan completes, Windows Defender shows a protection report and classifies virus.exe as a DOS attack.

[image: 04.png]

The above is one of the ways antivirus software blocks an attack. When I get the chance, I will also provide a demonstration of an enterprise firewall blocking an attack.


For information security researchers, testing and simulating specific environments and experiments is very important, especially where ransomware is concerned. If we used a live virus sample for a security test, it would be very dangerous.

Usually, antivirus software and enterprise firewalls detect viruses and other attacks by 「signatures」. In theory a false positive is possible, but it is very rare.
This article uses the easiest method to demonstrate how antivirus software blocks an attack, even if you are not an IT professional. I will demonstrate with EICAR.

First, in any directory (the desktop or drive D:) create a Notepad file and edit its contents. You can copy the test signature below and paste it into Notepad:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Then save it as an .exe (if you need to change the filename extension in Windows, please refer here), as follows:
[image]

Second, enter the keyword 「defender」 in the Windows search box. You should see 「Windows Security」; please open it.
[image]

Third, go in order to 「Virus & threat protection」 -> 「Scan options」 -> 「Custom scan」, then click 「Scan now」. After clicking 「Scan now」, select the directory to scan. For example, I created a directory named Lab environment on the desktop.
[image]

After the scan finishes, Windows Defender shows a protection report, and it considers virus.exe to be a DOS attack.
[image]

The above is one way antivirus software blocks an attack. In the future I will provide a demonstration of an enterprise firewall blocking an attack.
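The same Notepad-and-Windows-Security procedure described above (in both the Chinese and English versions of the post) can be reproduced from PowerShell, which is handy when you want to repeat the test on several machines or check that real-time protection is actually on. The script below is an added example, not code from the original post. It assumes Windows 10/11 with Microsoft Defender Antivirus and its built-in Defender PowerShell module, and it reuses the post's folder name Lab environment and file name virus.exe.

```powershell
# Added example (not from the original post): create the EICAR test file and
# run a Windows Defender custom scan of the folder from PowerShell, instead of
# using Notepad and the Windows Security UI.
# Assumptions: Windows 10/11 with Microsoft Defender Antivirus and its
# built-in "Defender" PowerShell module (Start-MpScan, Get-MpThreatDetection,
# Get-MpThreat); folder and file names follow the post.

$labDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Lab environment'
New-Item -ItemType Directory -Path $labDir -Force | Out-Null

# The standard EICAR test string (exactly these 68 characters). Single quotes
# keep PowerShell from expanding $EICAR and $H as variables.
$eicar  = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$target = Join-Path $labDir 'virus.exe'

# Write plain ASCII with no BOM and no trailing newline so the file is
# byte-for-byte the standard test file (Notepad can add a BOM or newline,
# which some scanners then no longer treat as EICAR). With real-time
# protection on, Defender normally removes the file the instant it lands on
# disk, so a read-back failure here is the expected outcome, not an error.
try {
    [System.IO.File]::WriteAllText($target, $eicar, [System.Text.Encoding]::ASCII)
    $len = (Get-Item -LiteralPath $target -ErrorAction Stop).Length
    Write-Host "Wrote $target ($len bytes; expected 68)"
} catch {
    Write-Host "Could not write or read back $target : $($_.Exception.Message)"
    Write-Host "This usually means real-time protection already quarantined it."
}

# Equivalent of "Scan options -> Custom scan -> Scan now" on that folder.
Start-MpScan -ScanType CustomScan -ScanPath $labDir

# Equivalent of the report shown after the scan: when it was detected,
# which file (Resources), and whether the cleaning action succeeded.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like '*Lab environment*' } |
    Select-Object InitialDetectionTime, ThreatID, Resources, ActionSuccess |
    Format-List

# Threat catalogue entries for whatever was detected (name and severity).
Get-MpThreat | Select-Object ThreatName, SeverityID | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. Two things to expect: Defender's script scanning may flag the script file itself, because it contains the test string, and the on-demand scan will usually report nothing new because real-time protection already handled virus.exe when it was written. Both outcomes are the detection working as intended; Get-MpThreatDetection shows the record in either case.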

Posted by Chin on PIXNET (痞客邦).