Endpoint Protection

  • 1.  SEP 14 - Testing Generic Exploit Mitigation

    Posted Jun 05, 2017 12:44 AM
    Hello,
    I am working on a user acceptance test for a customer.
     
    Are there any tests that I can run to test the generic exploit mitigation functionality in the SEP 14 client?
     
    Cheers
    Cameron Mottus




  • 2.  RE: SEP 14 - Testing Generic Exploit Mitigation

    Posted Jun 05, 2017 07:16 AM

    At present, I don't see they have any publicly available tools to test this safely. You may have to download actual live samples in a test environment and run your testing that way based on what GEM blocks:

    http://www.symantec.com/docs/HOWTO125353

    Perhaps they do have something available but it is not yet been released to the public.



  • 3.  RE: SEP 14 - Testing Generic Exploit Mitigation

    Posted Jun 05, 2017 02:43 PM

    Any testing I've needed to do I just used the EICAR string.



  • 4.  RE: SEP 14 - Testing Generic Exploit Mitigation

    Posted Jun 05, 2017 02:45 PM

    And this works specifically for GEM testing?



  • 5.  RE: SEP 14 - Testing Generic Exploit Mitigation

    Posted Jun 05, 2017 02:55 PM

    I suppose it has zero to do with GEM and is not relevant to the topic.



  • 6.  RE: SEP 14 - Testing Generic Exploit Mitigation
    Best Answer

    Posted Jun 05, 2017 09:30 PM

    You can use the following live malware from VirusTotal or something similar to show GEM, but you will need Adobe 9 installed on the client.  The MD5 is "29c641fd54a574d31d16ad16d3cdcb52". You can grab Adobe 9 from OldApps.com.  Also, if you're handy with Metasploit/Armitage you can use the following exploit "adobe_flash_hacking_team_uaf".  This module exploits a use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as a Use After Free while handling ByteArray objects. The module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194; Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194; Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194; Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194; and Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.  You can grab a vulnerable version of Adobe Flash from OldApps.com as well.


    Hope this helps!



  • 7.  RE: SEP 14 - Testing Generic Exploit Mitigation

    Posted Jun 06, 2017 02:43 AM

    We used Hitman Pro.Alert's free Exploit Test Tool to verify our implementation of Microsoft EMET: https://www.hitmanpro.com/en-us/downloads.aspx

    When all our clients have been upgraded to SEP 14, we plan to redo the test (after uninstalling EMET).

    (Remember to rename the .exe to something that is protected by GEM, for example: acrobat.exe)



  • 8.  RE: SEP 14 - Testing Generic Exploit Mitigation

    Posted Jun 20, 2017 05:47 PM

    Thank you all for your responses!

    From what it looks like, there is no tool like eicar or socar to trigger GEM. The exploits noted by BJacobs are good for proving the technology works but not really workable at a customer site, as they may not meet all of the listed requirements.

    I think I will not include GEM in my UAT at this point unless a customer specifically asks for it. If Symantec comes up with a way to trigger GEM for testing purposes, I will add it to the standard UAT.

    Cheers!