6.8 Penetration Testing
Pen Testing for Trojans and Backdoors
- Scan the system for open ports, running processes, registry entries, device drivers and services.
- If any suspicious port, process, registry entry, device driver or service is discovered, check the associated executable files.
- Collect more information about these from the publishers' websites, if available, and from the Internet.
- Check if the open ports are known to be opened by Trojans in the wild.
- Check the startup programs and determine if all the programs in the list can be recognized with known functionalities.
- Check the data files for modification or manipulation by opening several files and comparing the hash values of these files with a pre-computed hash.
- Check for suspicious network activities such as upload of bulk files or unusually high traffic going to a particular web address.
- Check critical OS files for modification or manipulation using tools such as Tripwire, or by manually comparing hash values if you have a backup copy.
- Run an updated Trojan scanner from a reputable vendor to identify Trojans in the wild.
- Document all your findings from the previous steps; this helps in determining the next action if Trojans are identified in the system.
- Isolate the infected system from the network immediately to prevent further infection.
- Sanitize the complete system for Trojans using an updated anti-virus.
Penetration Testing for Virus
- Install an anti-virus program on the network infrastructure and on the end-user systems.
- Update the anti-virus software so that its virus database includes newly identified viruses.
- Enable real-time scanning.
- Scan the system for viruses; this helps to repair damage or delete files infected with viruses.
- Scan the system for running processes, registry entry changes, Windows services, startup programs, file and folder integrity, and OS file modifications.
- If any suspicious process, registry entry, startup program or service is discovered, check the associated executable files.
- Collect more information about these from the publishers' websites, if available, and from the Internet.
- Check the startup programs and determine if all the programs in the list can be recognized with known functionalities.
- Check the data files for modification or manipulation by opening several files and comparing the hash values of these files with a pre-computed hash.
- Check critical OS files for modification or manipulation using tools such as Tripwire, or by manually comparing hash values if you have a backup copy.
- If suspicious activity is found, isolate the infected system from the network immediately to prevent further infection.
- Run the anti-virus in safe mode and if any virus is detected, set the anti-virus to quarantine or delete infected files.
- Install another anti-virus and scan the system for viruses.
- If a virus is found, set the anti-virus to quarantine or delete the infected files.
- If no virus is found, format the system and reinstall from a clean operating system copy.
- Document all the findings in previous steps; it helps in determining the next action if viruses are identified in the system.
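The "compare hash values with a pre-computed hash" steps in both checklists (data files and critical OS files) amount to a baseline-and-compare integrity check. The script below is an added example, not part of the original study material or of Tripwire; it assumes SHA-256 and a JSON baseline file, and the sample file tree it builds and tampers with is constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; keep this copy off the monitored host so malware cannot rewrite it."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))

def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())

def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report changed hashes, files missing since the baseline, and files not in the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def demo() -> dict:
    """Constructed walk-through: baseline a sample tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as d:
        root, baseline_file = Path(d) / "host", Path(d) / "baseline.json"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "svc.exe").write_bytes(b"MZ\x90\x00 sample binary")
        save_baseline(build_baseline(root), baseline_file)
        # Simulated changes after the baseline was taken: one edit, one deletion, one new file.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n# appended line\n")
        (root / "bin" / "svc.exe").unlink()
        (root / "bin" / "helper.dll").write_bytes(b"unexpected new file")
        return compare_to_baseline(root, load_baseline(baseline_file))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken on a known-clean system and stored on read-only media or a remote host, and the comparison is re-run at each checklist step that calls for hash verification.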