Take the Content-Type IQ Test!

There are many situations in which a security analyst, incident responder or forensic investigator may be called upon to find certain types of information flowing over the network, such as executable files. In other cases he or she may need to find compound content types with a certain hierarchical structure, such as "Flash files embedded in Microsoft Office files" or "executable files contained in compressed archives".

A network security specialist needs to be able to identify, capture and analyze files of the target type as they are being transferred over the network, over any port or protocol, even if:

 

Many network security systems, like firewalls, "next-generation firewalls", intrusion prevention systems and network forensics systems, claim to offer visibility (and control) over the type of content that's flowing over the network. The Content-Type IQ Test is an easy test you can run yourself that will help you judge how "content-type aware" your network security system really is.

Each of the test files listed below contains a Microsoft executable file. It's a perfectly safe little Windows .NET application that does absolutely nothing other than displaying a greeting message.

Note: Although the test files below are not polymorphic, the idea here is that, in the wild, they would be embedded in a polymorphic delivery vehicle. So the objective of the test is to gauge the network security system's ability to find network sessions that contain executable files, no matter how they are "packaged" or embedded. Finding the test files by "hashing" them and/or creating a static signature for each file doesn't count! In the future we may add a polymorphic file to the set of test files...

To test your network security system's Content-Type IQ™:

 

Test Files

Set up your network security system, clear your browser's cache, and then click on each of the links below to download the test files.

  1. Test File 1. Windows executable file with the standard file extension. This is the "control file".
  2. Test File 2. Windows executable file renamed with ".jpg" file extension.
  3. Test File 3. Renamed Windows program file contained in a Zip file.
  4. Test File 4. Windows program file attached to a PDF file.
  5. Test File 5. File with complex content structure
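
The kind of check that test files 1 to 3 exercise, as an added example that is not part of the original page or of any product it describes: the content type is decided from the bytes (DOS "MZ" header plus the "PE" signature it points to) rather than from the file name, and Zip archives are opened recursively. The function names, the depth and size limits, and the sample data are assumptions constructed for illustration; PDF attachments and other container formats (test files 4 and 5) are not handled.

```python
import io
import struct
import zipfile

MAX_DEPTH = 3            # assumed limit on archive nesting
MAX_MEMBER = 16 * 2**20  # assumed cap on a member's declared size


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_executables(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return paths of PE files found in data; file extensions are ignored."""
    if is_pe(data):
        return [name]
    hits = []
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                try:
                    member = zf.read(info)
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # encrypted or corrupt member: cannot inspect
                hits += find_executables(f"{name}!{info.filename}", member, depth + 1)
    return hits


def sample_pe() -> bytes:
    """Constructed stub: only the header fields is_pe() looks at."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def sample_zip() -> bytes:
    """Constructed archive holding the stub under a misleading name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", sample_pe())
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_executables("photo.jpg", sample_pe()))
    print(find_executables("files.zip", sample_zip()))
```
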