Palo Alto Networks - HOW TO TEST THREAT DETECTION USING EICAR TEST FILE VIA HTTP

Eicar.org used to provide the following HTTP links for downloading the Eicar test file.


http://2016.eicar.org/download/eicar.com

http://www.eicar.org/download/eicar.com


Some customers kept these links and still try to download the file with them. When the Eicar test file is downloaded using the HTTP links above, it is not detected on the firewall by either "Eicar File Detected(39040)" (Type: vulnerability) or "Eicar Test File(100000)" (Type: virus).


This behavior started around the middle of July 2020.


Cause

A change was made on Eicar.org around the middle of July 2020.


Here's the screenshot of the portal site (https://www.eicar.org/?page_id=3950). [Screenshot not reproduced here; taken on Aug 25 2020.]



Eicar.org changed the behavior to redirect all 'http' requests to 'https'. (It may change again in the future.)


This can be confirmed by running a curl command or by looking at a packet capture. The server answers the plain HTTP request with a 301 redirect to the https URL:

$ curl http://2016.eicar.org/download/eicar.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.eicar.org/download/eicar.com">here</a>.</p>
</body></html>


Resolution

Since the traffic is redirected to https, SSL decryption is necessary for the firewall to detect the Eicar test file downloaded from eicar.org.


As a workaround, use your own server. For example, if you already have a web server (Apache, Nginx, etc.), place the Eicar test file on that server and download it through the firewall over plain http.


If you do not have a server available but have a PC that runs Python, Python's built-in simple web server can be used instead.


Python2:

$ python -m SimpleHTTPServer 80


Python3:

$ python -m http.server
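Before running the test, it is worth confirming that the download URL really stays on plaintext HTTP end to end, since a single redirect to https (as eicar.org now does) silently takes the transfer out of the firewall's view unless SSL decryption is enabled. The script below is an added example, not Palo Alto Networks' or eicar.org's code: it walks the redirect chain one hop at a time without auto-following, and reports whether every hop is plain http. The host 10.0.0.5:8000 is an assumed placeholder for your own server (python -m http.server listens on port 8000 unless a port is given).

```python
"""Trace redirects for a download URL and report whether the transfer stays on
plaintext HTTP (inspectable) or is upgraded to HTTPS (needs SSL decryption)."""
import http.client
import sys
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fetch_head(url, timeout=10):
    """Issue one HEAD request and do NOT follow redirects.
    Returns (status, Location header or None)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=fetch_head, max_hops=10):
    """Return the list of URLs visited, starting with `url` and ending at the
    first non-redirect response. `fetch` is injectable so the logic can be
    exercised offline with constructed responses."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    raise RuntimeError("too many redirects")


def inspectable_without_decryption(chain):
    """True only if every hop, including the final download, is plain http."""
    return all(urlparse(u).scheme == "http" for u in chain)


if __name__ == "__main__":
    # Example: python check_redirect.py http://10.0.0.5:8000/eicar.com
    # (10.0.0.5:8000 is an assumed placeholder for your own HTTP server)
    hops = trace_redirects(sys.argv[1])
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop}")
    verdict = "stays on http" if inspectable_without_decryption(hops) else "redirected to https"
    print(f"{hops[-1]} -> {verdict}")
```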
