Introduction
To validate that an endpoint agent is functioning as intended, and to let users safely experience how the endpoint reacts to a “threat,” we have included several endpoint rules within the agent’s default ruleset.
Using these endpoint rules, you can validate the notification, blocking, and termination functionality from the command prompt. These validation rules are restricted to Windows-only systems at this time and will be expanded to other systems in the future.
These validation rules are designed to only allow one ARO for each endpoint to be active at a time. While the endpoint will behave as expected (blocking, terminating), running an additional test command won’t generate a new ARO if an existing Service Validation Test ARO is open, or has been previously dismissed, for that endpoint.
Validation Tests
The table below summarizes the validation tests that can be performed. The following pages provide additional details for each test, including examples of the expected behavior and resulting ARO.
Validation | Command | Result |
Notification | cmd.exe /C echo "CovEICARNotify" | The expected string will be echoed to the console. An alert in Field Effect and an ARO in the portal will be generated. |
Block | cmd.exe /C echo "CovEICARBlock" | The command will be blocked, and the expected string will not be echoed to the console. An alert in Field Effect and an ARO in the portal will be generated. |
Block & Terminate | cmd.exe /C echo "CovEICARTerminate" | The command will be blocked, the source process will be terminated, and the expected string will not be echoed to the console. An alert in Field Effect and an ARO in the portal will be generated. |
Notification Validation Test
From PowerShell or the Command Prompt, execute the following command to generate a Field Effect Alert and ARO in the portal:
cmd.exe /C echo "CovEICARNotify"
This command will echo the string “CovEICARNotify” back to the console, validating the “notify only” endpoint rule. The echoed string will be visible in the console.

The following ARO will be generated based on this action. Additional Endpoint Service Validation AROs will not be created for this endpoint while the ARO remains open.

Endpoint Blocking Validation Test
From PowerShell or the Command Prompt, execute the following command to generate a Field Effect Alert and ARO in the portal:
cmd.exe /C echo "CovEICARBlock"
This command will be blocked from echoing the string “CovEICARBlock” back to the console (unlike the notification validation test).

This command will also generate the following local notification for the endpoint.
The following ARO will be generated based on this action. Additional Endpoint Service Validation AROs will not be created for this endpoint while the ARO remains open.

Field Effect Endpoint – Block and Terminate
From PowerShell or the Command Prompt, execute the following command to generate a Field Effect Alert and ARO in the portal:
cmd.exe /C echo "CovEICARTerminate"
This command will be blocked from echoing the string “CovEICARTerminate” back to the console (unlike the notification validation test), and the source process will be terminated.

This command will also generate the following local notification for the endpoint.

The following ARO will be generated based on this action. Additional Endpoint Service Validation AROs will not be created for this endpoint while the initial ARO remains open.
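The three tests above can be run in one pass and their console behaviour compared with the table. This is an added example, not Field Effect's own tooling. It checks only whether each string was echoed locally, so alerts and AROs still have to be confirmed in the portal. The function name Invoke-ValidationTest and the handling of a blocked launch as a process-start error are assumptions.

```powershell
# Added example: compares local echo behaviour with the validation table.
# The ExpectEcho values are taken from the "Result" column of that table.
$tests = @(
    [pscustomobject]@{ Name = 'Notification';      Marker = 'CovEICARNotify';    ExpectEcho = $true  }
    [pscustomobject]@{ Name = 'Block';             Marker = 'CovEICARBlock';     ExpectEcho = $false }
    # Run last: the page says the source process is terminated, and it does
    # not say whether that is cmd.exe or the shell that launched it.
    [pscustomobject]@{ Name = 'Block & Terminate'; Marker = 'CovEICARTerminate'; ExpectEcho = $false }
)

function Invoke-ValidationTest {   # hypothetical helper name
    param([string]$Marker)
    $outFile = [System.IO.Path]::GetTempFileName()
    try {
        # Launch the documented command as a child process and capture stdout.
        $p = Start-Process -FilePath 'cmd.exe' -ArgumentList "/C echo `"$Marker`"" `
            -RedirectStandardOutput $outFile -NoNewWindow -Wait -PassThru -ErrorAction Stop
        $echoed = [bool](Select-String -Path $outFile -SimpleMatch $Marker -Quiet)
        return [pscustomobject]@{ Echoed = $echoed; ExitCode = $p.ExitCode; Error = $null }
    }
    catch {
        # Assumption: a blocked launch may surface as a process-start error.
        return [pscustomobject]@{ Echoed = $false; ExitCode = $null; Error = $_.Exception.Message }
    }
    finally {
        Remove-Item -LiteralPath $outFile -ErrorAction SilentlyContinue
    }
}

$results = foreach ($t in $tests) {
    $r = Invoke-ValidationTest -Marker $t.Marker
    [pscustomobject]@{
        Test       = $t.Name
        ExpectEcho = $t.ExpectEcho
        Echoed     = $r.Echoed
        Pass       = ($r.Echoed -eq $t.ExpectEcho)
        Detail     = $r.Error
    }
}
$results | Format-Table -AutoSize
# Non-zero exit lets a deployment check flag an agent that did not react.
if ($results.Pass -contains $false) { exit 1 }
```

Because only one Service Validation Test ARO is created per endpoint while one is open or has been dismissed, a passing run here may correspond to a single ARO in the portal rather than three.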