If you're hitting section 5.1.1 of PCI DSS and want to verify that all anti-virus programs detect, remove, and protect against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits), then what do you do?
How do you test anti-virus software actually works?
I've been using the EICAR test string for a number of audits recently and find it very useful as a means to see whether or not an AV scanner will actually pick up this ‘test string’ that is built into all of them and function as intended.
More often than not, people just buy an anti-virus solution and don't test it, as obviously they don't have access to malicious code.
The inclusion of “rootkits” is awkward. No software-based anti-virus tool can pick up malware that is running hidden in the master boot record or a separate partition on the hard drive. Namely, master boot records don't have reference points, so they are ‘assumed clean’ when you install an AV product. Ooops.
Anyway – we won't go into that, but please do use EICAR if you've not had a virus to play with for a while and do check AV solutions are configured properly.
A few times, when I've dumped the EICAR test file onto a Desktop, it doesn't disappear. So PCI DSS audit failure – viruses obviously don't get removed.
Likewise, the EICAR file actually manages to make its way onto the Desktop in the first place. So PCI DSS audit failure – systems aren't being protected and viruses aren't being detected.
Interesting, as this is the default configuration of many enterprise anti-virus systems – out of the box, they don't pass PCI DSS… but then neither does Windows, so I'm onto a bit of a loser there.