Let’s continue from where we left off: in our previous article, we created a new External Agent definition file. Now, let’s test it.
Obtaining the test file
To test the Agent, we will use the so-called EICAR test virus file. EICAR is short for European Institute for Computer Antivirus Research (it reminds me of some super villain organization like SPECTRE in the James Bond series :)). EICAR designed a test file (an innocent, executable string) to test the integrity of antivirus software. You can obtain this test file in various formats (simple text, COM file, COM file in a ZIP, etc.) from this page. I recommend using the zipped one, as this way we can test whether the agent finds viruses in archive files as well.
After downloading the test file, we should send it in an email to a local recipient. The test email should arrive from an external IP address, because ORF treats the localhost address (127.0.0.1) and the class A, B and C private intranet addresses as if they were part of the Intermediate Host List, so emails from these addresses are whitelisted by default in order to prevent blacklisting internal and outgoing emails (see Pros and Cons in Part 2). This means that if you send the test mail from an internal IP, it will be whitelisted and the External Agent test will never be triggered.
Sending the test emails
You should either use an external email provider (e.g. Gmail) to send the test file, or “trick” ORF into believing the email arrived from an external IP. The first method is easier, though keep in mind that some email providers filter their outgoing emails as well, and their anti-virus solution may remove the test file before it reaches ORF.
The second solution can be achieved by adding a “Received: from” MIME header line to the email. As you probably know, ORF extracts the delivery path information from the MIME headers at the On Arrival filtering point (see Header analysis in ORF Help), so by adding an external IP as the source, ORF will skip the local IP and treat the email as having come from the next (non-local) delivery hop.
To make things easier, we have built an email with EICAR attached and with an IP from the so-called APIPA range as the source (this range falls outside the above-mentioned private intranet ranges, so ORF will not apply whitelisting to it).
All you have to do is save this file, extract its contents to an arbitrary directory (password: virustest), open the EML file in Notepad, and copy its entire contents. Now start a command prompt and telnet to port 25 of your local server (e.g. telnet 127.0.0.1 25). To learn how you can send emails using telnet, please read this article. This Wikipedia article may also come in handy.
After you have issued the DATA command during the SMTP conversation, paste the contents of the EML file and hit Enter. Finally, finish the DATA phase by typing a single dot (“.”), hit Enter again and wait for the magic to happen.
You should receive something like “550 5.7.1 Message rejected. VirusScan found virus in the message” (or the SMTP response you configured) if the agent works. If the email was allowed through, you should check the ORF logs using the ORF Log Viewer: it is possible that it was whitelisted for some reason.
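If you would rather not paste into telnet by hand, the following Python script (an added example, not part of this article or of ORF's own tooling) builds the same kind of test message with a leading Received: line, submits it to the local SMTP port and reports whether the DATA reply was the expected 550 virus rejection. The APIPA address, the hop hostname, the addresses and the eicar_com.zip path are assumptions; the zip is the one downloaded above.

```python
import smtplib
from email.message import EmailMessage
from email.utils import formatdate, make_msgid
from pathlib import Path

# Constructed values (assumptions, not from the article): any address in the
# APIPA range 169.254.0.0/16 is outside the private ranges ORF whitelists.
APIPA_SOURCE = "169.254.10.20"
HOP_HOST = "sender.example.com"


def build_test_message(attachment: bytes, sender: str, recipient: str) -> EmailMessage:
    """Build the test mail. The Received: line is added first so that ORF's
    On Arrival header analysis sees the APIPA host as the non-local hop."""
    msg = EmailMessage()
    msg["Received"] = (
        f"from {HOP_HOST} ({HOP_HOST} [{APIPA_SOURCE}]) "
        f"by localhost with ESMTP; {formatdate(localtime=True)}"
    )
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "External Agent test (EICAR in ZIP)"
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid()
    msg.set_content("EICAR test file attached as eicar_com.zip.")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="eicar_com.zip")
    return msg


def agent_triggered(code: int, text: bytes) -> bool:
    """True when the final DATA reply is the 550 virus rejection the agent sends."""
    return code == 550 and b"virus" in text.lower()


def send_test(msg: EmailMessage, host: str = "127.0.0.1", port: int = 25):
    """Submit the message and return (code, text) of the final DATA reply.
    A rejection surfaces as SMTPDataError rather than a normal return."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        try:
            smtp.send_message(msg)
            return 250, b"accepted - check the ORF Log Viewer for whitelisting"
        except smtplib.SMTPDataError as err:
            return err.smtp_code, err.smtp_error


if __name__ == "__main__":
    zip_bytes = Path("eicar_com.zip").read_bytes()  # assumed path of the downloaded zip
    code, text = send_test(build_test_message(zip_bytes, "test@example.com",
                                              "postmaster@localhost"))
    verdict = "agent triggered" if agent_triggered(code, text) else "NOT triggered"
    print(code, text.decode(errors="replace"), "->", verdict)
```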
Note that this method can be used for testing any of the On Arrival tests of ORF. “And what about Before Arrival?” you might ask. Well, we will reveal that in our next article, so stay tuned…