Most of us have security software such as an antivirus, antimalware, firewall or Host Intrusion Prevention System (HIPS) installed to help protect our computer against known or unknown malware. Malicious software can be very sneaky, getting onto your computer when you least expect it and stay hidden until the security software finally detects it. By then, the damage has already been done since the virus has been active and you wouldn’t know what information has been stolen from your computer.
The question is, how do you know if the antivirus or antimalware installed is actually protecting your computer? The program would probably state that your computer is protected or the protection is enabled but how can you be sure that it is really working and confirm if the antivirus or its virus definition hasn’t been tampered with? Searching for a real virus from the Internet and downloading it to your computer just to test if your antivirus can detect it may not be the best option because you’re risking your computer being infected by it if you’re not careful.
Here we have 6 ways how you can safely test your antivirus to see if the real time protection is truly enabled and working to protect your computer against viruses.
A few antivirus researchers have come up with a harmless file that is detected as if it were a virus and is distributed at EICAR. So in short, the EICAR antimalware test file does nothing and is absolutely harmless even if it is run on the computer. The EICAR test file can be easily created with a Notepad that starts with the 68 characters below and save it as COM or EXE extension.
If your antivirus real time protection is working, it should automatically detect the EICAR as a threat and remove the file from your computer.
If the EICAR test file is not being detected, there is something wrong with the antivirus program and you should check the real time protection settings, try reinstalling, or maybe it is a rogue/fake antivirus program. At the time of writing, 49 out of 52 antivirus from VirusTotal is able to detect the EICAR antivirus test file.
2. Comodo Leak Tests
The Comodo Leak Tests program is created by security company COMODO who are well known for their free antivirus which is also allowed to be used commercially on corporate and business environment.
The Comodo Leak Tests tool is actually meant to test for leaks in firewall and HIPS programs but most antivirus nowadays have behavioral analysis to detect if an unknown program is performing an action that can pose a security risk on a system. All you need to do is run the program and click on the Test button which will automatically run 34 different tests ranging from rootkit installation, invasion, injection, sending information, impersonation, and system hijacking.
As you can see in the screenshot above, Trend Micro Titanium Internet Security blocked the program because it detected suspicious behavior.
3. Trojan Simulator
Trojan Simulator is a program that simulates a trojan being installed on a computer by adding a startup entry in the registry at HKEY_LOCAL_MACHINE and runs the harmless TSServ.exe file in memory. This is what a common and simple trojan would do but the more sophisticated ones would use advanced technique such as rootkit installation.
To test Trojan Simulator on newer Windows operating systems such as Vista, 7 and 8, you will need to right click on the TrojanSimulator.exe and select “Run as Administrator” or else you will receive an error message saying “Failed to set data for TrojanSimulator”. Quite a number of antivirus can already detect Trojan Simulator. So if you can’t download or run Trojan Simulator because your antivirus blocked it, it is a good sign that your antivirus is working.
4. System Shutdown Simulator
System Shutdown Simulator has the ability to create the EICAR antimalware test file with the click of a button but it goes further by letting you test if the EICAR can be detected when an antivirus most likely would have been closed when a system shutdown is being initiated. Other than that, it can also create an auto start registry entry to test HIPS and also a silent download and automated execution of file for firewall testing.
The steps to use System Shutdown Simulator are pretty self explanatory. Run the program as administrator, click on Intercept System Shutdown Call button first. Then, click on the Shutdown Computer button where your computer will attempt to shut down but will notify you that an app is prevent you from signing out. Click the Cancel button to call off the shutdown and once you’re back in desktop, you will probably notice that the antivirus program icon at the notification area is no longer there. Now try clicking on “Create Eicar Test File” button and see if your antivirus is able to warn you that it detected Eicar test file.
5. Zemana Simulation Test Programs
Zemana is the maker of AntiLogger which is very effective against zero-day malware that is yet to be detected by antivirus software. They’ve created and released 3 test programs that simulate the functionality of a keylogger, webcam logger, and a clipboard logger that are normally present in a trojan.
Your antivirus software might not detect any suspicious activity from the Zemana simulation test programs because they simply only activate one of the actions which is not enough to trigger the alert. An antivirus software is meant to be smart and not to nag you on every action it detects on your computer. Skype is an example of a legitimate program that may enable your Webcam for web conferencing and it doesn’t make sense for your antivirus to block it or to ask you for further actions.
6. SpyShelter Security TestTool
SpyShelter is a competitor of Zemana and their security test tool contains a lot more actions such as sound recording, system protection, screenshot & webcam capture, keylogging and clipboard monitoring. The screenshot test itself contains 11 different methods that can be used by a malware to capture screenshots on your computer.
Similarly to Zemana Simulation Test Programs, your antivirus software may not complain when you activate any of the monitoring functions from SpyShelter Security TestTool. Weirdly Trend Micro Titanium Security actually detected and blocked the program when we tried the “Registry access test1” from System protection. That detection only happened once but not again when we retested it.
Final Note: We would like to stress that all of the mentioned programs above to test if your antivirus real time protection is working or not are harmless even if they are detected as a threat. If your antivirus detects any of the simulation test programs above, then rest assured that your antivirus is working. If not, you should double check the antivirus software installed on your computer.