Verifying functionality of Forefront Security for SharePoint 2007

Recently, I worked with a customer who was installing Microsoft Forefront on their soon-to-be-deployed MOSS farm. It occurred to me that finding a good way to test its base functionality was probably something useful to know. Enter the EICAR anti-virus test file. Using a simple text file consisting of standard ASCII characters, which is then renamed to a .COM file, you can effectively test general functionality of Forefront in your MOSS farm.

Since .COM files are blocked by SharePoint by default, the first step is to temporarily restore the ability to upload .COM files within SharePoint (don't forget to block them again once you're done testing). To do that, from within the Operations tab of Central Admin, select “Blocked File Types” under the Security Configuration section (/_admin/BlockedFileType.aspx).


Remove “com” from the list, then click OK. This will allow you to upload files with the .COM extension.

Next, open Notepad and paste in the following characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Save it, then rename it to test.com (or use your favorite name as long as the extension is .COM). Finally, upload it to a document library. You should receive the following if all goes well:

[screenshot]

In addition, you should see the following in the application log:

Event Type: Information
Event Source: FSCRealtimeScanner
Event Category: Scan Results
Event ID: 3005
Date: 8/26/2007
Time: 10:27:04 PM
User: N/A
Computer: COMPUTERNAME
Description:
Realtime scan found virus:
Folder: **During Cleaning**
File: test.com
Incident: VIRUS= DOS/EICAR_Test_File (Microsoft,CA(Vet),Command)
State: Suspended

If you prefer, you can also save the test file described above with a ".DAT" extension and upload it directly, without first unblocking .COM files. The result is the same: the file is flagged as a virus.
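The procedure above as an added PowerShell script (not part of the original post): it writes the EICAR file from the post, uploads it with an HTTP PUT to a placeholder document library URL (an assumption; the post uploads through the browser), then reads the Application log for the FSCRealtimeScanner Event ID 3005 entry shown above. It assumes it runs on a front-end server where Forefront writes that log and that .COM uploads are already unblocked as described (or pass -FileName test.dat).

```powershell
param(
    [string]$LibraryUrl = 'http://SERVER-PLACEHOLDER/Shared%20Documents',  # placeholder
    [string]$FileName   = 'test.com'
)

# The EICAR test string from the post, built from two halves so this script
# file does not itself begin with the signature (the EICAR definition requires
# the string to be the first 68 bytes of a file); the test file written below does.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP $FileName
[System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)

$started = Get-Date

# Upload with an HTTP PUT (assumption: the post uploads through the browser).
# Forefront blocks the file on upload, so the PUT is expected to fail; the real
# evidence is the event log entry checked below.
$client = New-Object System.Net.WebClient
$client.UseDefaultCredentials = $true
try {
    [void]$client.UploadFile("$LibraryUrl/$FileName", 'PUT', $path)
    Write-Warning "Upload of $FileName succeeded; Forefront did not block it"
} catch {
    Write-Host "Upload rejected (expected): $($_.Exception.Message)"
}

# Look for the realtime scan result the post shows (source FSCRealtimeScanner,
# Event ID 3005) logged since the upload started, and pull out File/Incident.
$hits = Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq 'FSCRealtimeScanner' -and
                   $_.EventID -eq 3005 -and $_.TimeGenerated -ge $started }

if ($hits) {
    foreach ($e in $hits) {
        $file     = [regex]::Match($e.Message, 'File:\s*(\S+)').Groups[1].Value
        $incident = [regex]::Match($e.Message, 'Incident:\s*(.+)').Groups[1].Value
        Write-Host "Forefront detected: $file -> $incident"
    }
} else {
    Write-Warning 'No Event ID 3005 from FSCRealtimeScanner found since the upload'
}

# Clean up the local copy of the test file.
Remove-Item $path -ErrorAction SilentlyContinue
```

If your local antivirus quarantines the file in %TEMP% before the upload, exclude that path for the duration of the test or run the script on the farm server itself.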

Congratulations, you caught your first "virus".
