Educause Security Discussion mailing list archives
Re: A Real-Time malware antivirus console
From: Curt Wilson <curtw () SIU EDU>
Date: Wed, 17 Jun 2009 16:20:54 -0500
I've seen numerous examples in the last few years where malware was apparently caught/quarantined/deleted, but that only told part of the story: systems were infected and only some portion of the malware, such as a dropper or one piece in the chain, was detected, but the malware that was downloaded by the dropper was packed and engineered to bypass most common antivirus. If the dropper got caught before it downloaded anything, then things might be OK, but I've analyzed numerous systems where the detect is just the tip of the iceberg.

I've seen other scenarios where a dropper is not detected at first, is executed and then obtains other malware, including rootkits that get installed. At a later time, signature (or other) updates catch the dropper, but can't see the rootkit or what the rootkit is hiding. In such a scenario, the rabbit hole just keeps going deeper.

With modern criminal malware that's specifically engineered to bypass AV detection, times have changed and we must adapt. I've gotten into the philosophy of treating anti-virus as a detection and notification system that a box needs a more in-depth analysis. In a large organization, this rapidly scales into a huge resource issue though.

Robert Clifford wrote:
<snip>
As Michael said below, you should only want to see alerts where the software was unable to act. When it catches malware and it's quarantined or deleted, etc., the software is doing its job. Hope this helps.

Thanks,
Rob
=====================
Robert Clifford
Information Security/Risk Management/Business Continuity
Columbus State Community College
614-287-3686
Nextel: 136*16475*123
rclifford2 () cscc edu

"Stanclift, Michael" <michael.stanclift () ROCKHURST EDU> 6/17/2009 11:39 AM >>>
I currently have EPO/McAfee configured to send me an email alert when a virus is detected on a system but it could not be removed. Then I get a daily digest in the morning of yesterday's activity, including things that were removed. Not "real time" like you said, but real enough for me given the limited resources we have. If I wanted, I could change the email alerts to include all virus threats detected, but I'd probably be flooding my inbox with a lot of things that are not really worth tracking down, at least for me.

Michael Stanclift
Network Analyst
Rockhurst University
http://help.rockhurst.edu
(816) 501-4231
Think before you print!

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of reflect ocean
Sent: Wednesday, June 17, 2009 9:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] A Real-Time malware antivirus console

Hi there. We are reviewing our entire organization's antivirus solution. Aside from effectiveness in malware detection, I am trying to propose a solution that gives a real-time overall malware threat monitoring tool. I'm looking for something like a real-time malware monitor or console indicating the real-time trend of malware detection in my network, which lets me act right upon a malware breakup (incident response team) and not have to react after those incidents with a sad report of events hours ago.

Are you aware of any corporate solution that offers this feature? Can McAfee and EPO do that?

Thank you
-- Curt Wilson SIUC IT Security Officer & Security Engineer
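The two triage rules discussed in this thread (page someone only when the AV engine could not act; treat a "successful" detection as a signal that the host may need deeper analysis, especially a caught dropper followed by other detections, or a detection that keeps coming back) as an added example, not code from the thread and not McAfee/ePO's own reporting. The event format (timestamp host threat action), the host names and the threat names are all constructed for illustration; ePO's real export format is different and would need its own parser.

```python
"""Triage AV events: alert on failed actions, escalate hosts where the
detection looks like only one piece of an infection chain was caught."""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that mean the engine believes it handled the file (assumed names).
SUCCESS_ACTIONS = {"cleaned", "quarantined", "deleted"}
# Substrings (lower-case) in a detection name that suggest a first-stage
# component whose job is to fetch something the engine may never see.
STAGE1_MARKERS = ("downloader", "dropper")
# Escalation ladder: digest (morning report) < investigate < alert (page now).
LEVELS = {"digest": 0, "investigate": 1, "alert": 2}

# Constructed sample events; hosts and threat names are made up.
SAMPLE_EVENTS = """\
2009-06-17T08:02:11 lab-pc-01 Downloader-Gen   quarantined
2009-06-17T08:05:40 lab-pc-01 Packed-Gen       quarantined
2009-06-17T09:14:03 lab-pc-02 Trojan-Gen       clean_failed
2009-06-17T09:30:22 lab-pc-03 Downloader-Gen   cleaned
2009-06-17T09:31:05 lab-pc-03 Downloader-Gen   cleaned
2009-06-17T09:33:50 lab-pc-03 Rootkit-Gen      quarantined
2009-06-17T11:45:00 lab-pc-04 EICAR-Test-File  deleted
2009-06-17T13:00:00 lab-pc-05 Trojan-Gen       deleted
2009-06-17T15:10:00 lab-pc-05 Trojan-Gen       deleted
"""


def parse_events(text):
    """Parse whitespace-separated 'timestamp host threat action' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, threat, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "threat": threat, "action": action})
    return events


def _escalate(state, new_level, why):
    """Raise a host's level (never lower it) and record the reason once."""
    if LEVELS[new_level] > LEVELS[state["level"]]:
        state["level"] = new_level
    if why not in state["reasons"]:
        state["reasons"].append(why)


def triage(events, window=timedelta(minutes=30)):
    """Return {host: {"level": ..., "reasons": [...]}} for every host seen."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    verdicts = {}
    for host, evs in by_host.items():
        state = {"level": "digest", "reasons": []}
        for i, ev in enumerate(evs):
            name = ev["threat"]
            # Rule 1: the engine could not act -> this is the one to page on.
            if ev["action"] not in SUCCESS_ACTIONS:
                _escalate(state, "alert", f"{name}: action '{ev['action']}', AV could not act")
            later = [e for e in evs[i + 1:] if e["ts"] - ev["ts"] <= window]
            # Rule 2: a first-stage component followed by anything else on the
            # same host; the caught piece may be the tip of the iceberg.
            if any(m in name.lower() for m in STAGE1_MARKERS) and \
                    any(e["threat"] != name for e in later):
                _escalate(state, "investigate", f"{name} followed by other detections within {window}")
            # Rule 3: the same detection recurring shortly after a 'successful'
            # action: the cleanup is not holding or something keeps re-dropping it.
            if any(e["threat"] == name for e in later):
                _escalate(state, "investigate", f"{name} re-detected within {window} of a cleanup")
            # Rule 4: several distinct detections inside one short window.
            distinct = {name} | {e["threat"] for e in later}
            if len(distinct) >= 2:
                _escalate(state, "investigate", f"{len(distinct)} distinct detections within {window}")
        verdicts[host] = state
    return verdicts


def hosts_at(verdicts, level):
    """Hosts currently sitting at exactly the given level, sorted."""
    return sorted(h for h, v in verdicts.items() if v["level"] == level)


if __name__ == "__main__":
    verdicts = triage(parse_events(SAMPLE_EVENTS))
    for host in sorted(verdicts):
        print(host, verdicts[host]["level"], "; ".join(verdicts[host]["reasons"]))
```

Only lab-pc-02 (failed clean) reaches the page-now level; lab-pc-01 and lab-pc-03 go to the investigate queue because a downloader was caught and something else followed, and on lab-pc-03 the same downloader was "cleaned" twice in a minute before a rootkit detection appeared. lab-pc-04 (a lone EICAR hit) and lab-pc-05 (the same detection two hours apart, outside the window) stay in the daily digest. The window, the stage-one name markers and the action vocabulary are the knobs a site would tune against its own product's naming.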
Current thread:
- A Real-Time malware antivirus console reflect ocean (Jun 17)
- <Possible follow-ups>
- Re: A Real-Time malware antivirus console Stanclift, Michael (Jun 17)
- Re: A Real-Time malware antivirus console Robert Clifford (Jun 17)
- Re: A Real-Time malware antivirus console Basgen, Brian (Jun 17)
- Re: A Real-Time malware antivirus console Curt Wilson (Jun 17)
- Re: A Real-Time malware antivirus console Valdis Kletnieks (Jun 17)
- Re: A Real-Time malware antivirus console Curt Wilson (Jun 17)
- Re: A Real-Time malware antivirus console Eric Case (Jun 17)
- Re: A Real-Time malware antivirus console reflect ocean (Jun 17)
- Re: A Real-Time malware antivirus console Gary Flynn (Jun 18)
- Re: A Real-Time malware antivirus console King, Ronald A. (Jun 18)
- Re: A Real-Time malware antivirus console Stanclift, Michael (Jun 18)