How to test malware protection?

From what I read it sounds like Endgame malware protection is definition-less? Is that correct? Is it based solely on behavioral analysis? I'm testing out Elastic Security, just pushed my first Elastic Endpoint deployment to a test Windows 10 machine, and downloaded the EICAR test file. It did not detect it, which I guess would make sense if the protection doesn't rely on definition files. Is there a good way to verify the malware protection is working?

You will need to use a remote exploit tool like Metasploit or nmap with custom scripts. I would highly consider turning on Defender to run the disk level checks at this point endpoint is still beta. As much as I hate to say it I've had a very hard time testing Endpoint all malware I've tossed at it has gone undetected but it's mostly been traditional methods so Defender, Malwarebytes or some other tend to catch it before hand.

Endgame "Endpoint now", Vmware Carbon defense, Cylance tend to be far better at catching stuff in process drop or active events. They do fairly poor at catching stuff sitting on disk like Eicar which normally get's caught by Chrome, Firefox, Edge before it even get's saved by default.

I've used various gen2 av like endpoint in the past and they have always been pushed to a 2nd level workstation defense not a primary as they allow for malware to spread at least at file level which is terrible from a security standpoint. Just because malware hasn't run doesn't mean it can't make it's way to another workstation without working AV and start up.

2 Likes

Since Elastic Endpoint uses a machine learning model it does not detect the EICAR test file.

Elastic Endpoint detects malware when it is written or executed. Mimikatz on Windows and Aircrack-ng on macOS will trigger alerts.