topic Malware Test Files in Endpoint Security

Malware Test Files

Josh M — Wed, 15 Jan 2025 13:31:13 GMT

Hi everyone,

I'm doing a demonstration soon for some stakeholders at my org as a way to showcase Cisco Secure Endpoint's automated isolation functionality and adopt this measure across the org. I was wondering if anyone here has ever tested this function through the usage of things like eciar.org's malware test file to generate alerts and isolation events.

I've tested this EICAR file and it typically generates a Medium severity event in Secure Endpoint, but I'm primarily looking for a way to trigger a High or Critical event reliably. Has anyone here ever tested this or know of a method to designate certain files to trigger events at a certain severity?

Re: Malware Test Files

Roman Valenta — Wed, 15 Jan 2025 17:12:16 GMT

It depends what you like to see but in general and also easy to replicate HIGH event is setup DFC by going to

Outbreak Control -- > IP Block & Allow List -- > Block IP List

In fact you can use the same IP its just random IP from Internet. Then make sure you apply this list in the policy under:

Outbreak Control -- > Network - IP Block & Allow Lists

Then go to the endpoint open CLI and try SSH to that IP:

ssh 45.85.235.39

You should get High event in your console like the on bellow.

Hope this helped

PS: This is of course not a Malware for those you would probably have to be creative perhaps try search GitHub for some script that will fake attack like this

Re: Malware Test Files

Josh M — Wed, 15 Jan 2025 18:01:07 GMT

That's very helpful! Thanks for the suggestion- I'll do some testing with that.