Testing Panda Cloud Antivirus: Advanced Logging
If you’ve read the introduction to Panda Cloud Antivirus and have come this far, you’re probably interested in “seeing” how this new approach to protection works, not just reading about it. We have enabled certain functionalities which you, as a tester, can use to “see” what Panda Cloud Antivirus is doing behind the scenes.
Turning Advanced Logging On/Off
One of the most important things to take into consideration while testing Panda Cloud Antivirus, especially against malware samples and its on-access scanner, is that the traditional on-access scanner has been replaced by 3 new types of interception techniques: OnAccess, OnPrefetch and OnBackground. As each of these operates at a different priority and for a different risk situation, their final actions are not always immediately visible as you would expect from a traditional on-access scan. For example, if you copy a directory full of malware samples from one drive to another (or from one directory to another) you will not experience an immediate block of the system, detection and disinfection as the copy operation occurs, because in this scenario an OnPrefetch scan scans these files asynchronously, using idle CPU time.
In order to give visibility of what exactly is happening behind the scenes, we have created 2 registry entries which can be tweaked to turn advanced logging on and off. Simply download the registry files below and run them. Make sure the directory C:\Logs_CloudAV exists, or replace it with a path of your choice in the REG file. We suggest you create a specific directory for it, as multiple log files will be created, one for every time the service is started. A reboot or service restart will be required for Panda Cloud Antivirus to start logging.
Understanding the Log
The log file is basically a CSV file with the following fields:
TimeStamp: Time stamp of the event
JobID: Internal engine ID of the event
Profile: ID of the configuration profile with which the event has been executed. Different types of events use different profiles in order to apply a specific configuration.
Date: Complete date and seconds of the event.
JobType: Type of job. Can be AnalysisRequest, AnalysisResult or ActionResult
TaskType: Type of scan that generated the event: OnDemand, OnBackground, OnPrefetch, OnAccess
File: Full path to the file in question
Result: Result of the task. In the case of an AnalysisResult event it will indicate the malware classification. In the case of an ActionResult event it indicates the action taken.
In the following sections we’ll take a more in-depth look into some sample detections and how they can be interpreted by looking at the log file.
On-Demand Scan of a Folder
In this scenario we’ll launch an on-demand scan of a folder which contains a combination of clean files and infected files. This example generates an OnDemand AnalysisRequest over all the elements inside the directory. An enumeration of said directory is performed and all objects found will be scanned with the OnDemand task. Cloud Antivirus will then act upon (delete or disinfect) those found to be malware.
A typical scenario while launching on-demand scans on a file or folder is the loss of Internet connectivity during the scan itself, or simply no connectivity whatsoever. As Panda Cloud Antivirus bases most of its detection technology on the cloud, the log entries show each file scan throwing an error back, indicating loss of connectivity. Most detections while running an on-demand scan without Internet connectivity will be due to the local cache copy of Collective Intelligence and the heuristics included in the agent.
On-Demand Scan of a Suspicious File
In this scenario we’ll launch an on-demand scan on a specific file. We’ll right-click the file suspect.dat, which is classified as suspicious. In case of receiving a positive AnalysisResult the engine will request an Action on the file.
Execution of a Malware PE File
In this test scenario we’ll execute a malicious PE file (files with extension EXE, COM, etc.). In this example we’ll double-click on the file EICAR.EXE, which is considered malware and whose detection does not require connectivity to the cloud. As the execution of a file is an action which puts the security of the machine in danger, as soon as it is intercepted it is blocked and an OnAccess AnalysisRequest is launched. Depending on the result, access to the file is allowed or denied and a subsequent task is generated to neutralize the file.
In the next example we’ll repeat a similar scenario, but this time the detection of the particular malware file (MyFormatter.exe) is delivered from the cloud. In the following example we can see the reaction of the product against the execution of MyFormatter.exe.
Copy of a PE File
In this scenario we’ll copy a malicious PE file Eicar.exe to EicarCopy.exe. As a copy operation is not a high imminent risk to the PC the copy operation is permitted while an OnPrefetch AnalysisRequest is launched, anticipating its possible execution later on. If it is detected as malware, an Action will be requested on the file.
It is worth noting an error that may show up in the log (shown below) as a JobType “Cloud Error”. It means that the communication between the Panda Cloud Antivirus agent and the server has failed; in this particular example it occurred during the OnPrefetch scan of the PE file GoogleDesktopResources_es.dll, as the network connection was disabled on this machine.
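To make the log fields listed above and the "Cloud Error" entries easier to work with when reviewing a test run, here is an added example (not part of the original post or the product) that groups log rows by JobID, reconstructs the request/result/action chain per file and lists jobs that never received a verdict. The column order, the comma delimiter and all sample rows are assumptions constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Field order follows the list in the post; the real log's exact column order
# and delimiter are assumptions made for this example.
FIELDS = ["TimeStamp", "JobID", "Profile", "Date", "JobType", "TaskType", "File", "Result"]

# Constructed sample log (not a real Panda Cloud Antivirus log). Job 17 is the
# EICAR execution, job 18 an OnPrefetch scan that hit a Cloud Error while offline.
SAMPLE_LOG = """\
1001,17,3,2009-05-01 10:00:01,AnalysisRequest,OnAccess,C:\\Samples\\EICAR.EXE,
1002,17,3,2009-05-01 10:00:01,AnalysisResult,OnAccess,C:\\Samples\\EICAR.EXE,Malware
1003,17,3,2009-05-01 10:00:02,ActionResult,OnAccess,C:\\Samples\\EICAR.EXE,Deleted
1004,18,5,2009-05-01 10:00:05,AnalysisRequest,OnPrefetch,C:\\Samples\\EicarCopy.exe,
1005,18,5,2009-05-01 10:00:09,Cloud Error,OnPrefetch,C:\\Samples\\EicarCopy.exe,ConnectionFailed
1006,19,5,2009-05-01 10:00:10,AnalysisRequest,OnPrefetch,C:\\Program Files\\GoogleDesktopResources_es.dll,
1007,19,5,2009-05-01 10:00:11,AnalysisResult,OnPrefetch,C:\\Program Files\\GoogleDesktopResources_es.dll,Clean
"""

def parse_log(text):
    """Parse the CSV log into a dict of JobID -> list of event rows, in log order."""
    jobs = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        jobs[row["JobID"]].append(row)
    return jobs

def summarize_job(events):
    """Collapse one job's events into the scan type, file, verdict, action and cloud-error flag."""
    verdict = action = None
    cloud_error = False
    for ev in events:
        if ev["JobType"] == "AnalysisResult":
            verdict = ev["Result"]          # malware classification (or Clean)
        elif ev["JobType"] == "ActionResult":
            action = ev["Result"]           # what the product did with the file
        elif ev["JobType"] == "Cloud Error":
            cloud_error = True              # agent could not reach the server
    first = events[0]
    return {"task": first["TaskType"], "file": first["File"], "verdict": verdict,
            "action": action, "cloud_error": cloud_error}

def summarize_log(text):
    return {job_id: summarize_job(evs) for job_id, evs in parse_log(text).items()}

def unresolved_jobs(summary):
    """JobIDs with no verdict: files the scanner never classified, e.g. because of a Cloud Error."""
    return sorted(job_id for job_id, s in summary.items() if s["verdict"] is None)
```

Running it over a real advanced log from an offline test lets you separate files that were genuinely judged clean from files that simply never got an answer from the cloud.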
Opening of a Non-PE File
This scenario consists of opening a non-PE file, in our case a Word document (mydoc.doc) which is not malicious. Opening a file, like executing a PE file, is considered a high risk action for the computer. Therefore the action is intercepted and blocked while an OnAccess AnalysisRequest is launched on the file.
Copy of a Non-PE File
In this example we’ll copy a malicious non-PE file Achtung.doc to AchtungCopy.doc. As a copy operation is not a high imminent risk to the PC the copy operation is permitted and the default action is to launch an OnPrefetch AnalysisRequest on the resulting file. However in this case an OnAccess AnalysisRequest is launched on the original file as the Operating System needs to open a non-PE file in order to copy it to a new file. As we’ve seen before, the opening operation is considered a high risk operation and therefore an OnAccess AnalysisRequest is also launched on the file Achtung.doc. As it is detected as malicious, the copy operation is blocked.