
Take the Content IQ Test!

In addition to being highly polymorphic, and therefore immune to signature-based security technologies, today's threats are hidden deep within the content that's handled by client applications, and are often not visible in the packets that are used to transport that content over the network. Many network security systems, like firewalls, "next-generation firewalls," intrusion prevention systems and network forensics systems, claim to be "content aware" and to offer visibility into the content that's flowing over the network. The Content IQ Test is an easy test you can run yourself that will help you judge how "content aware" your network security system really is.

Each of the Test Files listed below contains the string*: [Target String]. This is the "target string": a little piece of simulated malicious JavaScript. It is totally safe and does absolutely nothing at all.

The purpose of the test is to gauge the network security system's ability to find the actual target string in the content. In the real world, you would not know where the threats were coming from or what the exact delivery vehicle would be. The objective is to create a single content rule that fires on all of the Test Files but not on any of the Negative Control files. So triggering on the test files' URLs or HTTP headers or filenames or MD5 hashes and stuff like that is cheating and it doesn't count. If the teacher catches you, you're going to be in trouble!

* Note: In the test files where the target string is embedded in a Windows executable file (e.g. Test Files 20, 21, 26 and 27), the characters in the target string are separated by ASCII NULL characters. That is simply how the string looks when it is stored as a wide (UTF-16LE) string, which is the usual case in Windows programs. In PCRE syntax, the target string, when compiled into an exe file, would appear as e\x00v\x00a\x00l\x00(\x00u\x00n\x00e\x00s\x00c... So your rule should look for both the target string as depicted above and the NULL-separated version.
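The following is an added example, not code from the original page or from Fidelis: it builds the single rule the note asks for (plain form plus NULL-separated form) and scores it against a set of positives and negative controls the way the test is described. The target string on the original page is an image, so a constructed stand-in string is used here; it is not the page's actual target string. The sample "files" are constructed byte strings, not the downloadable test files.

```python
import re

# Constructed stand-in for the page's target string, which the original page
# shows only as an image. The page's PCRE fragment shows the real one starts
# with "eval(unesc"; the full string is not reproduced here.
TARGET = "eval(unescape('%41%42'))"

def build_rule(target: str) -> re.Pattern:
    """One rule that fires on the target as plain bytes AND on its NULL-separated
    form. The NULL-separated form is just UTF-16LE, which is how a compiled Windows
    executable normally stores a wide string literal."""
    narrow = re.escape(target.encode("ascii"))
    wide = re.escape(target.encode("utf-16-le"))   # e\x00v\x00a\x00l\x00(\x00...
    return re.compile(b"(?:" + narrow + b"|" + wide + b")")

def rule_fires(rule: re.Pattern, data: bytes) -> bool:
    return rule.search(data) is not None

def evaluate(rule: re.Pattern, test_files: dict, negative_controls: dict) -> dict:
    """Score a rule the way the page describes: it must fire on every test file
    and on none of the negative controls. Returns the names of any failures."""
    return {
        "missed": sorted(n for n, b in test_files.items() if not rule_fires(rule, b)),
        "false_alarms": sorted(n for n, b in negative_controls.items() if rule_fires(rule, b)),
    }

# Constructed samples standing in for the downloadable files.
LOREM = b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. "
DECOY = TARGET[:-3] + "3'))"          # differs from TARGET in one character: must NOT fire
FAKE_PE_HEADER = b"MZ\x90\x00" + b"\x00" * 32   # just enough to look exe-like for the demo

TEST_FILES = {
    "text_in_document": LOREM + TARGET.encode() + LOREM,
    "string_in_exe":    FAKE_PE_HEADER + TARGET.encode("utf-16-le") + b"\x00\x00" + LOREM,
}
NEGATIVE_CONTROLS = {
    "text_in_document": LOREM + DECOY.encode() + LOREM,
    "string_in_exe":    FAKE_PE_HEADER + DECOY.encode("utf-16-le") + b"\x00\x00" + LOREM,
}

RULE = build_rule(TARGET)

if __name__ == "__main__":
    print(evaluate(RULE, TEST_FILES, NEGATIVE_CONTROLS))
```

The alternation carries straight over to a PCRE option in an IDS rule: the page's `e\x00v\x00a\x00l\x00...` fragment is the second branch. If the real target string contained non-ASCII characters the wide form would no longer be "every character followed by a NULL", which is why the example encodes with `utf-16-le` rather than hand-inserting NULL bytes.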

To test your network security system's Content IQ™:


Test Files

Set up your network security system and download the test files. Every test file contains the target string. In some of the test files the target string is surrounded by some "Lorem ipsum" filler text - in this case the text containing the target string is referred to as the "target text". In some cases the target text is contained in a file that's embedded in the test file - in this case the file containing the target text is referred to as the "target file".

There are two ways to download the test files: manually or automatically.

If you want to do it manually, just click on each of the Test File links in the test groups below and the test files will be downloaded by your browser. This method takes a little longer, but you end up with all of the test files in your Downloads folder.

To download the test files automatically, just click on the link below. Note that it will take several seconds to download all the test files, more if your network connection is slow.

Click Here to Download All Test Files Automatically


Group A. Basic Content Test Files
The files in this group are basic content test files. They are meant to illustrate how common it is to have files that contain content which is not visible in the packets. These are the warm-up files.

Test File 1. Target file embedded in a mime-encoded email (.eml) file with base64 transfer encoding.

Test File 2. Target text pasted into the body of a Microsoft Word 2011 document.

Test File 3. Target text pasted into the body of a Microsoft Excel 2011 document.

Test File 4. Target text pasted into the body of a Microsoft PowerPoint 2011 document.

Test File 5. Target text pasted into the body of a PDF document.

Test File 6. Target file "attached to" a PDF document.

Test File 7. Target file compressed with Zip.

Test File 8. Word test file sequentially compressed with Zip, Tar and Rar.

Test File 9. Target string embedded in metadata of Excel file as a custom property.
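Group A is about content that is only reachable by opening one container after another: a base64-encoded MIME attachment (Test File 1), a zip (Test File 7), zip inside tar (Test File 8). The block below is an added example, not code from the original page or from Fidelis, of a recursive unpacker that does exactly that and reports where the target string was found. It builds its own sample (target text in a deflated zip, inside a tar, attached to an .eml) from a constructed stand-in target string; the real target string and the real test files are not used. RAR, which Test File 8 also uses, is not in the Python standard library and is left out.

```python
import io
import tarfile
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Constructed stand-in for the page's target string (shown only as an image there).
TARGET = b"eval(unescape('%41%42'))"
MIME_HEADERS = (b"Subject:", b"From:", b"To:", b"MIME-Version:", b"Content-Type:",
                b"Received:", b"Return-Path:")

def children(data: bytes):
    """Yield (label, bytes) for each item one layer inside a container.
    Recognises zip, tar and MIME mail; anything else is a leaf and yields nothing."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield "zip:" + info.filename, zf.read(info)
    elif data[257:262] == b"ustar":              # ustar/GNU/pax tar magic
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for m in tf.getmembers():
                if m.isfile():
                    yield "tar:" + m.name, tf.extractfile(m).read()
    elif data.lstrip().startswith(MIME_HEADERS):
        for part in message_from_bytes(data).walk():
            if not part.is_multipart():
                # decode=True undoes the base64 / quoted-printable transfer encoding
                label = part.get_filename() or part.get_content_type()
                yield "eml:" + label, part.get_payload(decode=True)

def scan(data: bytes, path: str = "file", depth: int = 0, max_depth: int = 8) -> list:
    """Return every path at which TARGET appears, opening containers recursively.
    max_depth bounds the recursion so a deliberately deep archive cannot run forever."""
    hits = [path] if TARGET in data else []
    if depth < max_depth:
        for label, child in children(data):
            hits += scan(child, path + "/" + label, depth + 1, max_depth)
    return hits

def build_sample() -> bytes:
    """Constructed sample: target text -> deflated zip -> tar -> base64 attachment
    in an .eml. Nothing of the target survives in the outer bytes."""
    target_text = b"Lorem ipsum dolor sit amet. " + TARGET + b" Consectetur adipiscing elit."
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("target.txt", target_text)
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("target.zip")
        info.size = len(zbuf.getvalue())
        tf.addfile(info, io.BytesIO(zbuf.getvalue()))
    msg = EmailMessage()
    msg["Subject"] = "Content IQ sample (constructed)"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("See attached.")
    msg.add_attachment(tbuf.getvalue(), maintype="application", subtype="x-tar",
                       filename="target.tar")
    return msg.as_bytes()

SAMPLE = build_sample()

if __name__ == "__main__":
    print("target visible in raw bytes:", TARGET in SAMPLE)
    print("found at:", scan(SAMPLE))
```

Two things matter for a product that claims to be content aware: it has to keep opening layers until it reaches a leaf, and it has to stop somewhere. The `max_depth` guard is the minimum protection against an archive that nests forever or expands into a zip bomb.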


Group B. Test Files with Auto-Executing Embedded Active Content
These files contain embedded auto-executing active content, in this case either JavaScript in PDF or ActionScript in Flash. Active content embedded in desktop documents that auto-executes when the document is opened is a common attack mechanism because it enables the attacker to execute code on the victim's computer. Typically this code will exploit a vulnerability in the desktop application that opens the document (e.g. Adobe Reader or Adobe Flash Player or others). This was the case with the attack against RSA - the attack file was a Microsoft Office document that contained an embedded Flash object that contained ActionScript code that exploited a zero-day vulnerability in Adobe Flash Player (CVE-2011-0609). If you download these files and open them under Windows, you should see them auto-execute (try Test Files 10 and 12, for example - remember: they are totally harmless).

Test File 10. Target string in an obfuscated, auto-executing JavaScript object embedded in a PDF file.

Test File 11. Target string in an obfuscated, auto-executing JavaScript object embedded in a PDF file compressed with Zip.

Test File 12. Target string in ActionScript code in an auto-executing Flash (SWF) file.

Test File 13. Target string in ActionScript code in an auto-executing Flash (SWF) file embedded in an Excel file.

Test File 14. Target string in ActionScript code in an auto-executing Flash (SWF) file embedded in an Excel file compressed with Zip.

Test File 15. Target string in ActionScript code in an auto-executing Flash (SWF) file embedded in a PowerPoint file.

Test File 16. Target string in ActionScript code in an auto-executing Flash (SWF) file embedded in a PDF file.
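Test File 10 puts the target string in auto-executing JavaScript inside a PDF. The point for a content inspection system is that the JavaScript sits in a stream object that is normally Flate-compressed, so the string never appears in the bytes on the wire. The block below is an added example, not code from the original page or from Fidelis: it builds a minimal PDF whose /OpenAction runs a JavaScript stream (the same outline as Test File 10, though without the obfuscation the real file uses), then shows that the target is invisible in the raw file and visible only after the stream is inflated. The target string and the JavaScript are constructed stand-ins and do nothing.

```python
import re
import zlib

# Constructed stand-in for the page's target string (shown only as an image there).
TARGET = b"eval(unescape('%41%42'))"

def build_pdf_with_openaction_js(js: bytes) -> bytes:
    """Minimal PDF: Catalog -> Pages -> one empty Page, plus an /OpenAction
    JavaScript action whose code lives in a FlateDecode stream (object 5).
    Objects are written sequentially so the xref offsets are exact."""
    stream = zlib.compress(js)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Type /Action /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off           # each xref entry is exactly 20 bytes
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_at))
    return bytes(out)

# A stream dictionary with a direct /Length, followed by the stream keyword.
STREAM_HDR = re.compile(rb"<<(?:(?!>>).)*?/Length\s+(\d+)(?:(?!>>).)*?>>\s*stream\r?\n", re.S)

def pdf_streams(pdf: bytes):
    """Yield (raw, decoded) for every stream with a direct /Length. FlateDecode
    streams are inflated; anything else is passed through unchanged. Indirect
    /Length references, filter chains and object streams are NOT handled here."""
    for m in STREAM_HDR.finditer(pdf):
        start = m.end()
        raw = pdf[start:start + int(m.group(1))]
        if b"/FlateDecode" in m.group(0):
            try:
                yield raw, zlib.decompress(raw)
                continue
            except zlib.error:
                pass
        yield raw, raw

def find_target(pdf: bytes, needle: bytes) -> dict:
    """Is the needle visible in the bytes on the wire, or only after inflating streams?"""
    return {
        "raw": needle in pdf,
        "inflated": any(needle in decoded for _, decoded in pdf_streams(pdf)),
    }

def xref_is_consistent(pdf: bytes) -> bool:
    """Follow startxref and check every in-use entry points at 'N 0 obj'."""
    xref_at = int(pdf[pdf.rindex(b"startxref\n") + 10:].split(b"\n", 1)[0])
    lines = pdf[xref_at:].split(b"\n")
    if lines[0] != b"xref":
        return False
    first, count = (int(x) for x in lines[1].split())
    for i in range(count):
        off, _gen, kind = lines[2 + i].split()
        if kind == b"n" and pdf[int(off):].split(b"\n", 1)[0] != b"%d 0 obj" % (first + i):
            return False
    return True

# Constructed, inert JavaScript carrying the stand-in target string.
JS = (b"// constructed sample: assigns a string and does nothing else\n"
      b"var s = \"" + TARGET + b"\";\n"
      b"// " + b"padding " * 20 + b"\n")
SAMPLE_PDF = build_pdf_with_openaction_js(JS)

if __name__ == "__main__":
    print(find_target(SAMPLE_PDF, TARGET))
```

Test File 11 is the same thing inside a zip, so a real scanner has to combine this stream inflation with archive unpacking. The parser above deliberately handles only the direct-/Length, single-filter case; production PDF malware routinely uses indirect lengths, filter chains and object streams precisely because cheap scanners stop where this one does.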


Group C. Polymorphic Test Files
These files are designed to illustrate the concept of polymorphism. The files are dynamically generated each time you click on them and are slightly different each time. So if you were to calculate, for example, an MD5 hash on one of these files, it would be different every time the file was downloaded. Polymorphism is often used in modern attacks because it defeats traditional signature based defenses.

Test File 17. Target string in a text object in a polymorphic Zip file.

Test File 18. Target string in a text object in a multi-level, polymorphic Zip file.

Test File 19. Target string in ActionScript in a Flash (SWF) file embedded in a polymorphic Zip file.

Test File 20. Target string contained in a recently compiled executable file.

Test File 21. Target string contained in a recently compiled executable file embedded in a polymorphic Zip file.
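Group C's claim is that a hash or byte signature on the container is useless once the container is regenerated per download, while a rule on the content inside is unaffected. The block below is an added example, not code from the original page or from Fidelis, that generates a polymorphic zip in the spirit of Test File 17 (random decoy member, randomised timestamp, random archive comment around an unchanged payload) and then scores a hash signature against a content rule over several "downloads". The target string is a constructed stand-in, not the page's real one, and the generator is a guess at the kind of variation involved, not the page's own generator.

```python
import hashlib
import io
import os
import zipfile

# Constructed stand-in for the page's target string (shown only as an image there);
# the surrounding filler mirrors the "target text" described on the page.
TARGET = b"eval(unescape('%41%42'))"
PAYLOAD = (b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. "
           + TARGET + b" Sed do eiusmod tempor incididunt ut labore.")

def polymorphic_zip(payload: bytes, rng=os.urandom) -> bytes:
    """Wrap the same payload in a zip whose bytes differ on every call: a random
    decoy member, a randomised member timestamp and a random archive comment.
    None of this touches the payload, so a content rule is unaffected."""
    t = rng(4)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        decoy = zipfile.ZipInfo("decoy_%s.bin" % rng(4).hex())
        zf.writestr(decoy, rng(64), compress_type=zipfile.ZIP_STORED)
        member = zipfile.ZipInfo(
            "target.txt",
            date_time=(2011, 1 + t[0] % 12, 1 + t[1] % 28, t[2] % 24, t[3] % 60, 0),
        )
        zf.writestr(member, payload, compress_type=zipfile.ZIP_DEFLATED)
        zf.comment = rng(16).hex().encode()
    return buf.getvalue()

def md5_hex(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()

def signature_rule(blob: bytes, known_hashes: set) -> bool:
    """Classic signature: whole-file hash against a blocklist."""
    return md5_hex(blob) in known_hashes

def content_rule(blob: bytes) -> bool:
    """Content-aware: open the container and look for the target in each member."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(TARGET in zf.read(info) for info in zf.infolist())

def compare(n: int = 5) -> dict:
    """'Download' the polymorphic file n times and score both approaches. The hash
    is learned from the first sample, as a product that had seen it once would."""
    samples = [polymorphic_zip(PAYLOAD) for _ in range(n)]
    known = {md5_hex(samples[0])}
    return {
        "distinct_hashes": len({md5_hex(s) for s in samples}),
        "signature_hits": sum(signature_rule(s, known) for s in samples),
        "content_hits": sum(content_rule(s) for s in samples),
        "target_visible_in_raw_bytes": sum(TARGET in s for s in samples),
    }

if __name__ == "__main__":
    print(compare())
```

Because the payload member is deflated, the target string is not present in the raw zip bytes either, so a packet-level string match fails for the same reason the hash does: neither looks at the decoded content.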


Group D. Test Files with VBA Content
These files contain Visual Basic for Applications (VBA) code embedded in Microsoft Office documents. VBA is an attacker's dream because it enables unrestricted file system and network operations. If the bad guy can get you to open a file like these with macros enabled, it's over. They don't need no stinkin' vulnerabilities or exploits - you're owned.

Test File 22. Target string contained in VBA embedded in a PowerPoint file.

Test File 23. Target string contained in VBA embedded in a Word file.

Test File 24. Target string contained in VBA embedded in an Excel file.

Test File 25. Target string contained in VBA embedded in a PowerPoint Show file.


Group W. Other Test Files

Test File 26. Target string contained in an executable file embedded in a PDF file.

Test File 27. Target string contained in an executable file embedded in a PDF file in a polymorphic Zip file.


Negative Control Files

These files are the same as the corresponding Test Files but do not contain the target string. Your network security system should not generate an alert for any of these files. You can download the negative control files manually by clicking on each of the Negative Control File links or download them all at once automatically by clicking on the link directly below.

Click Here to Download All Negative Control Files Automatically


  1. Negative Control File 1
  2. Negative Control File 2
  3. Negative Control File 3
  4. Negative Control File 4
  5. Negative Control File 5
  6. Negative Control File 6
  7. Negative Control File 7
  8. Negative Control File 8
  9. Negative Control File 9
  10. Negative Control File 10
  11. Negative Control File 11
  12. Negative Control File 12
  13. Negative Control File 13
  14. Negative Control File 14
  15. Negative Control File 15
  16. Negative Control File 16
  17. Negative Control File 17
  18. Negative Control File 18
  19. Negative Control File 19
  20. Negative Control File 20
  21. Negative Control File 21
  22. Negative Control File 22
  23. Negative Control File 23
  24. Negative Control File 24
  25. Negative Control File 25
  26. Negative Control File 26
  27. Negative Control File 27


Video Demonstration

Click here to see a video demonstration of a Fidelis XPS system taking the Content IQ Test (5 minutes).


We'd love to hear how your Content IQ test turned out. Email us at info@fidelissecurity.com with any comments or questions.