How can I run tests to see the different scan results on MetaDefender Core v4?

The following test cases explain how to obtain the possible scan results from MetaDefender Core v4.

  • No Threat Detected: Test this result by scanning any file you are certain is clean (e.g., a newly created text file).

  • Infected/Known:

    1. Download an EICAR test file from https://www.eicar.org/?page_id=3950

    2. Scan the file.

  • Suspicious: This result is usually caused by an engine's heuristic algorithm. Since each engine has its own unique heuristic algorithms, we do not have sample files for each of the engines.

  • Blacklisted: Test this result by adding the file to be tested to the blacklist. For instructions on how to add files to the blacklist, please refer to the MetaDefender Core Documentation.

  • Whitelisted: Test this result by adding a file by its name or its MIME type to the Skip option and scanning it. For more instructions on how to whitelist files, please refer to the MetaDefender Core Documentation.

  • Exceeded Archive Size:

    1. Configure "Max total size of extracted files" to a small value (e.g. 5 MB). This setting can be found on the MetaDefender Core Management Console under Policies>Workflow Rules>Select Workflow Rule>Archive Tab.

    2. Create an archive file with a total size greater than 5 MB (after extraction).

    3. Scan the file.

  • Exceeded Archive File Number:

    1. Configure "Max number of files extracted" to a small value (e.g. 10). This setting can be found on the MetaDefender Core Management Console under Policies>Workflow Rules>Select Workflow Rule>Archive Tab.

    2. Create an archive file which contains more than 10 files (after extraction).

    3. Scan the file.

  • Password encrypted document/archive: Scanning a password-protected/encrypted document will produce this result. Currently, MetaDefender Core does not support decryption of encrypted files on the Management Console, only via the REST API.

  • Exceeded Archive Depth: Test this result by configuring a lower recursion level than the current archive depth settings (Policies>Workflow Rules>Select Workflow Rule>Archive Tab).

  • Failed to scan: Test this result by sending a file to scan which has no read permissions or is invalid. Alternatively, if no engine is in the MetaDefender Core installation and scan is enabled through the Security Rule configurations, this will be the final result.

  • Mismatch:

    1. Test this result by enabling the "Detect File Type Mismatch" option on the "Scan" tab of the Workflow Rule you are using, under "Policies".

    2. Alternatively, this result can be tested by changing the original extension of a file to a different extension (e.g. test.docx → test.pdf) and scanning the file.

    3. Note that the "Detect File Type Mismatch" option only applies to workflows.

  • Potentially Vulnerable File: Clean files can be marked as vulnerable if the Vulnerability Engine identifies known application vulnerabilities which are then reported by severity level. For more information on the Vulnerability Engine, please refer here
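
The archive-limit cases above (Exceeded Archive Size, Exceeded Archive File Number, Exceeded Archive Depth) need purpose-built archives. The following is an added example, not part of the original article or of MetaDefender Core, that generates such test archives from clean filler data. The 5 MB and 10-file defaults come from the steps above; the file names and the nesting depth of 5 are assumptions, so choose a depth above the recursion level configured in your Workflow Rule.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def make_oversize_zip(path, limit_mb=5):
    """Extracted size exceeds limit_mb (5 MB is the article's example value)."""
    chunk = b"A" * (1024 * 1024)  # 1 MiB of clean filler per member
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(limit_mb + 1):
            zf.writestr(f"chunk_{i:02d}.txt", chunk)
    return path

def make_many_files_zip(path, limit_files=10):
    """Holds one file more than limit_files (10 is the article's example value)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(limit_files + 1):
            zf.writestr(f"file_{i:02d}.txt", f"clean test file {i}\n")
    return path

def make_nested_zip(path, depth):
    """Wraps one clean text file in `depth` zip layers (depth is an assumption)."""
    data, name = b"clean test file\n", "inner.txt"
    for level in range(depth, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level_{level}.zip"
    Path(path).write_bytes(data)
    return path

def summarize(path):
    """Return (member count, total extracted bytes) of the top-level archive."""
    with zipfile.ZipFile(path) as zf:
        return len(zf.infolist()), sum(i.file_size for i in zf.infolist())

def nesting_depth(path):
    """Count the zip layers around the innermost non-archive file."""
    data, depth = Path(path).read_bytes(), 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
        depth += 1
    return depth

if __name__ == "__main__":
    out = Path(tempfile.mkdtemp(prefix="mdcore_fixtures_"))
    print(out, summarize(make_oversize_zip(out / "oversize.zip")))
    print(summarize(make_many_files_zip(out / "many_files.zip")))
    print(nesting_depth(make_nested_zip(out / "nested.zip", depth=5)))
```

Checking each archive with `summarize` or `nesting_depth` before scanning confirms it actually crosses the limit you configured, so an unexpected scan result points at the workflow configuration rather than at the test file.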

This article pertains to MetaDefender Core v4
This article was last updated on 2019-07-12
MM