]HackingTeam[ KnowledgeBase Product

RITE: Windows AntiVirus Daily Test

Article ID: 115
Last updated: 12 May, 2015

Details

The procedure performed by the automated nightly tests to check Windows invisibility (that the agent is not detected by the installed antivirus).

Requirements/Conditions/Restraints


Instructions

► Phase A - Setup

1. create a new user on the target PC. Remember that a Virtual Machine cannot be used without server modifications;

2. install AV by using the AV-specific configuration described in the KB and update its signatures (and if possible its engine) to the latest version;

3. install all Important, Recommended and Optional Windows updates and reboot the machine;

4. turn Internet access completely off and check with a browser that the IP addresses 198.41.209.140 and 173.194.35.176 are not reachable;

5. log in to the server with a user that has all roles enabled and is a member of the group test; this group must be enabled in order to manage the operation AOP_Test;

6. delete the operation completely (by holding the Shift key), then recreate it and also create a target inside it;

7. create a new Desktop factory and import the attached config_desktop.json as the configuration. Remember to set the anon in the sync module to one of the test server's anons.

!!! ⇒ As of now, automatic tests use an advanced configuration for the scout that the console now forbids, so manual tests are not 100% equal to automatic tests: a manual test has to use a basic configuration and push the provided configuration after the agent upgrade (to Elite). Regarding the configuration, remember that the position module is enabled and therefore consumes Google API quota.


► Phase B - Build and copy

1. build a Silent Installer (scout) agent and save the ZIP file:

  • in case of a MELT test, use one of the 4 provided executables (Firefox, Vuze, uTorrent or Air). Use the provided files, because the version matters;

  • in case of a Demo test, create a Windows silent installer by selecting Demo Mode;

  • in case of an Elite Demo test (Elite Demo creates and installs an agent that is already Elite and does not require upgrading), create a silent installer by selecting Demo Mode and Elite (this is a very uncommon test);

  • in case of an Exploit txt test, create an Exploit Windows with file type TXT and Executable Document, attaching the provided meltexploit.txt file;

  • in case of an Exploit pdf test, create an Exploit Windows with file type PDF and Executable Document, attaching the provided meltexploit.pdf file;

  • in case of a Self Deleting Exploit test, create an Exploit Windows with file type EXE and Self Deleting Executable.

2. copy the downloaded ZIP file from RCS downloads to the target (the destination path is C:\AVTest\AVAgent\build.zip);

3. extract the agent into the folder C:\AVTest\AVAgent\build\windows\ (create the folder if necessary);

4. create a copy of each extracted file named %s.copy.exe, verifying that no copy error occurs due to AV detection;

5. wait for 15 seconds;

6. check that every extracted file or file copy is still present.


► Phase C - Run and scout instance

1. run the agent (in automatic tests the execution is launched by python.exe, so the behaviour may differ). In case of a MELT test, the agent is copied into startup but not launched; in this case:

  • wait for 60 seconds after running the installer;
  • if the agent is not installed into startup the test is failed;
  • run the agent from the startup.

2. wait for 300 seconds;

3. up to 10 times (or until an instance is found) do:

  • trigger sync by moving the mouse for 30 seconds;

  • check whether a new instance appears whose Device value is set to the target hostname;

  • click 10 times.

4. if there is no new instance after the iterations, the test is failed;

5. check the level of the agent:

  • if the test is Melt or Exploit (txt, pdf, self deleting):

a. check again that the agent was installed into startup;

b. close the instance from the console;

c. TEST IS COMPLETE, GO TO Check uninstallation.

  • if the test is Elite Demo and the level is Elite:

a. close the instance from the console;

b. TEST IS COMPLETE, GO TO Check uninstallation.

  • in all other cases, if the level is not Scout, the test is failed.

!!! ⇒ At this point we have a scout syncing.


► Phase D - Soldier, Elite and Demo

1. wait for 30 seconds;

2. log off and log on in Windows;

3. from now on, check if the AV on the target shows popups or other warnings;

4. press the Upgrade button on the server and check the popup. The popup should propose the expected upgrade (Elite, Soldier, or "not possible" for a blacklisted AV); otherwise the test is failed;

5. upgrade the agent (by confirming the upgrade in the popup);

6. depending on the mode:

    [FAST MODE]:

  • wait for 300 seconds;

  • up to 10 times (or until the required level is reached) do:

a. move the mouse for 30 seconds;

b. wait for 60 seconds;

c. check in the console if the agent has reached the required level;

d. if the agent has not upgraded and the required level is Soldier, terminate all running agent(s) and launch it again from startup;

e. click 10 times.

    [SLOW MODE]:

  • wait for 25 minutes;

  • check in the console if the agent has reached the required level.

7. check in the console that the agent has reached the required level, then (for Soldier) terminate the agent execution.


► Phase E - Check that further scout runs do not alter the behaviour of upper levels

1. try to run the scout again (for Elite, Demo and Soldier);

2. up to 10 times (or until the required level is reached) do:

  • wait for 30 seconds;
  • move the mouse for 30 seconds;
  • click 10 times;
  • check in the console that the agent retains the required level.


► Phase F - Uninstallation

1. close the instance from the console;

2. check uninstallation; up to 5 times (or until uninstalled):

  • check if the machine is infected:

a. check startup dir (for executables and tmp files);

b. check the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run;

  • logoff and logon in Windows;
  • wait for 360 seconds;
  • move the mouse.


► Phase G - Final check

  • Console must show a closed and uninstalled instance of the required level.

  • Agent must be completely uninstalled from the target (startup and registry).

  • The AV must not show any popup.
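The "is the machine infected" check of Phase F step 2 and the final startup/registry check of Phase G, written out as an added PowerShell example (not part of the original article or of the RCS tooling): it enumerates the per-user Startup folder and the HKCU Run key and reports what is left there. The article only names executables and tmp files; the extra extensions in the default list are an assumption made here.

```powershell
# Added example, not part of the original article. Enumerates the two persistence
# locations the procedure names (per-user Startup folder and HKCU Run key) and
# reports anything that looks like agent residue. Run it as the user the test used.

function Get-StartupResidue {
    param(
        # The article checks for executables and tmp files; .lnk/.bat/.cmd are an
        # assumption added here because Startup entries are often shortcuts.
        [string[]]$Extensions = @('.exe', '.tmp', '.lnk', '.bat', '.cmd')
    )
    $findings = @()

    # 1. Per-user Startup folder (what the article calls the "startup dir").
    $startupDir = [Environment]::GetFolderPath('Startup')
    if (Test-Path -LiteralPath $startupDir) {
        foreach ($file in Get-ChildItem -LiteralPath $startupDir -File -Force) {
            if ($Extensions -contains $file.Extension.ToLower()) {
                $findings += [pscustomobject]@{
                    Source = 'StartupFolder'; Name = $file.Name; Detail = $file.FullName
                }
            }
        }
    }

    # 2. HKCU Run key: every value is a command line launched at logon, so any
    #    value at all is worth a look once the agent is supposed to be gone.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -LiteralPath $runKey) {
        $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
        foreach ($prop in (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            $findings += [pscustomobject]@{
                Source = 'HKCU Run'; Name = $prop.Name; Detail = $prop.Value
            }
        }
    }
    return $findings
}

$residue = @(Get-StartupResidue)
if ($residue.Count -eq 0) {
    Write-Output 'Clean: no Startup-folder entries or HKCU Run values found.'
} else {
    Write-Output "Possible residue ($($residue.Count) entries):"
    $residue | Format-Table -AutoSize
}
```

Any entry it lists has to be explained before the target can be considered clean; a legitimate Run value is not a failure, an unexplained one is.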


Attachments:

Revision: 15
Tags
Windows invisibility AV Rite
