I am new to the testing AV products thing, still learning from websites I find on the internet that have good info on zero-day malware. I am stuck with Windows 7 Home Premium so I can't really open up a good virtual machine, so if you can give me tips or help, I would greatly appreciate it.
I don't see why you can't open up a good virtual machine in 7 Home Premium, but in any case, if it's limited hardware that's the problem, then this may help:
I'd like to share how I used to do my testing (I no longer do tests). See if you can get anything from it:
What I need:
Bootable Linux USB
Dual-boot XPs: one with FAT32 and another with NTFS. I'll refer to them as XP1 and XP2.
XP1 has FAT32 file system, Sandboxie, and whatever suite I'll be testing, ProcessHacker, Unlocker
XP2 has NTFS file system with custom file permissions for particular folders, LUA+EMET+Wondershare Time Freeze 2, Easy File Locker, Unlocker, Sandboxie+BSA, and my preferred security setup
1. Before running tests, make sure that the AV (I'm assuming you're testing a suite or an av) is already updated.
2. Download the samples via Linux and archive them to keep them from running. Copy them to the XP system.
3. In the XP system, I have Sandboxie installed and force IE to be sandboxed whenever it is run.
4. Final updates before extraction. Turn off the wireless router.
5. Extract and run EACH malware in an isolated folder (I mean to say in a folder of its own). This is strenuous and time-consuming, but it allows you to identify which went undetected. This will be helpful in tracking it down later.
6. List the detected and undetected malware. Undetected malware is copied from the Linux build and analyzed via ThreatExpert/Sandboxie+BSA (if upload fails). Behavior is analyzed and logged in a text file. Copy the text file to the bootable USB.
7. Boot from the Linux USB and manually remove remnants. (Do this while still possible. You don't want errors while formatting. Too time-consuming and wears out your patience and hard drive.)
8. Reboot to confirm activity. If no activity is traced, proceed to formatting and reinstallation.
I had no trouble with this setup before.
Backing up your MBR is also important. In any case, having separate systems to do your testing is better. This method of testing not only ensures I know which suites are good at what they do, but it also helps me understand further what could have been the cause of the failed detections, whether they were justifiable or not. It also ensures that all the malware will work accordingly (since I've discovered in one of my tests that some of them are able to detect sandboxes and VMs, and refuse to run if in one).
Analyzing malware behavior also allows you to develop methods to counter or, better yet, prevent malware from activating or at the very least spreading. This method helped me recognize the use of the NTFS file system in helping minimize the damage and spreading of autorun viruses, as well as how to detect, bypass, and finally eliminate shortcut viruses at a time when they were still proliferating and many went undetected.
As for OS choice, that's entirely up to you and your hardware. Some work, some don't. You can't learn if you don't make mistakes. The process I use is rather time-consuming and difficult. It can still be improved, but I no longer do tests. It's up to you whether you'd choose the same method or another.
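Steps 5 and 6 of the procedure above are mostly bookkeeping: each sample in a folder of its own, a list of what was detected and what was not, and a text file of results that travels out on the Linux USB. The script below is an added illustration of that bookkeeping, not the poster's own tooling. It hashes every downloaded file, copies it into a folder named after its SHA-256 with a neutral `.sample` suffix (so nothing runs on a stray double-click; the tester renames it back deliberately, one sample at a time), records a detected/undetected verdict plus any observed behaviour, and writes the ledger with undetected entries first. The `demo()` function builds harmless constructed files in a temporary directory; the folder layout, suffix and ledger format are assumptions of this example.

```python
"""Sample ledger for an AV test run (added example; every input is constructed)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large samples never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def isolate_samples(src_dir, work_dir):
    """Copy each file in src_dir into its own folder under work_dir (assumed layout).

    Folders are named by the first 16 hex chars of the SHA-256, so identical
    bytes collapse into one record and the second file is noted as an alias.
    The copy keeps its original name plus '.sample' so it will not execute by
    accident. Returns {sha256: record}.
    """
    work = Path(work_dir)
    work.mkdir(parents=True, exist_ok=True)
    inventory = {}
    for entry in sorted(Path(src_dir).iterdir()):
        if not entry.is_file():
            continue
        digest = sha256_of(entry)
        if digest in inventory:  # byte-identical duplicate: record the name, do not copy twice
            inventory[digest]["aliases"].append(entry.name)
            continue
        folder = work / digest[:16]
        folder.mkdir(exist_ok=True)
        dest = folder / (entry.name + ".sample")
        shutil.copy2(entry, dest)
        inventory[digest] = {"name": entry.name, "aliases": [], "path": str(dest),
                             "detected": None, "note": ""}
    return inventory


def record_verdict(inventory, digest, detected, note=""):
    """Record whether the suite caught the sample; 'note' holds the observed behaviour."""
    if digest not in inventory:
        raise KeyError(f"unknown sample {digest}")
    inventory[digest]["detected"] = bool(detected)
    inventory[digest]["note"] = note


def ledger_lines(inventory):
    """Render the ledger text: undetected samples first, then by hash."""
    lines = []
    ordered = sorted(inventory.items(), key=lambda kv: (kv[1]["detected"] is not False, kv[0]))
    for digest, rec in ordered:
        status = {None: "PENDING", True: "DETECTED", False: "UNDETECTED"}[rec["detected"]]
        extra = f" aliases={','.join(rec['aliases'])}" if rec["aliases"] else ""
        lines.append(f"{status:<10} {digest} {rec['name']}{extra} {rec['note']}".rstrip())
    return lines


def write_ledger(inventory, ledger_path):
    """Write the ledger to a text file (the one carried off on the Linux USB)."""
    lines = ledger_lines(inventory)
    Path(ledger_path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines


def demo():
    """Run the whole workflow on constructed, harmless files; returns (inventory, lines)."""
    root = Path(tempfile.mkdtemp(prefix="avtest-"))
    src = root / "downloaded"
    src.mkdir()
    # constructed stand-ins for samples; a.exe and a_copy.exe are byte-identical on purpose
    (src / "a.exe").write_bytes(b"constructed sample A")
    (src / "b.exe").write_bytes(b"constructed sample B")
    (src / "a_copy.exe").write_bytes(b"constructed sample A")
    inv = isolate_samples(src, root / "isolated")
    by_name = {rec["name"]: d for d, rec in inv.items()}
    record_verdict(inv, by_name["a.exe"], True)
    record_verdict(inv, by_name["b.exe"], False, "behaviour logged from sandbox run (constructed note)")
    lines = write_ledger(inv, root / "results.txt")
    shutil.rmtree(root)  # tidy up the temporary directory
    return inv, lines


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Keying everything on the hash rather than the file name is what makes the later steps reliable: the same sample downloaded twice under different names gets one folder and one verdict, and the ledger line can be matched against the remnants you hunt for from the Linux USB in step 7.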