Educause Security Discussion mailing list archives

Re: A Real-Time malware antivirus console


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 18 Jun 2009 07:31:01 -0400

reflect ocean wrote:
> Hi there.
>
> We are reviewing our entire organization's antivirus solution.
> Aside from effectiveness in malware detection, I am trying to propose a
> solution that gives a real-time overall malware threat monitoring
> tool. I'm looking for something like a real-time malware monitor or console
> indicating the real-time trend of malware detection in my network, which
> would let me act right upon a malware outbreak (incident response team) and
> not have to react after those incidents with a sad report of events
> hours ago.
> Are you aware of any corporate solution that offers this feature?
> Can McAfee and EPO do that?

Our Symantec console allows us to view the log rollups from all
the managed clients. We view it at least daily. The same software
is sending us email when it detects malware on select systems. It
can probably do more but we haven't looked into it enough to know
for sure.

In general, we view the Symantec report as an indication that
somebody was exposed to something bad. We do not generally believe
the reports at face value. The nature of the reported infection,
the location of the reported file(s), whether the user was using
an administrator or regular user account, the role of the user,
detection timing (real-time, scan, post-LiveUpdate), and external
data (e.g. SMS reports of file creation in the Windows directory,
network log files) determine the course of response.

Ideally, some day we'll feed the AV logs, system event logs,
file integrity checker (e.g. Tripwire, HIPS), and other
data into our SIM and a lot of this will be more automated and
real-time.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
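The triage the reply describes (weighing detection type, file location, account privilege, user role, detection timing and corroborating data from other logs before deciding on a response) can be written down as a scoring rule, which is also the kind of logic one would later move into a SIM. The block below is an added example, not code from the thread or from any AV vendor; the field names, the weights, the role list and the sample alerts are all assumptions constructed for illustration.

```python
"""Score antivirus console alerts by the factors a responder checks before
trusting the report at face value.  Added example: field names, weights
and sample data are assumptions, not any vendor's schema."""
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class AvAlert:
    host: str
    user: str
    admin: bool            # was the user logged on with an administrator account?
    role: str              # e.g. "staff", "sysadmin", "student" (assumed labels)
    threat: str            # detection name as reported by the AV client
    path: str              # path of the reported file
    timing: str            # "realtime", "scan" or "post-liveupdate"
    corroboration: List[str] = field(default_factory=list)  # hints from other logs

# Assumed roles whose exposure warrants faster follow-up.
SENSITIVE_ROLES = {"sysadmin", "finance", "hr"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")
CACHE_DIRS = ("\\temporary internet files\\", "\\temp\\", "\\downloads\\")

def score_alert(a: AvAlert) -> int:
    """Return a numeric risk score; higher means respond sooner."""
    score = 0
    p = a.path.lower()
    # File location: a hit in the browser cache is usually mere exposure,
    # while a file in a system directory suggests something actually ran.
    if p.startswith(SYSTEM_DIRS):
        score += 3
    elif not any(d in p for d in CACHE_DIRS):
        score += 1
    # Privilege and role: malware seen by an admin or sensitive user matters more.
    if a.admin:
        score += 2
    if a.role in SENSITIVE_ROLES:
        score += 2
    # Timing: a scheduled-scan or post-update detection means the file was
    # present before the signature existed, so it may already have executed.
    if a.timing in ("scan", "post-liveupdate"):
        score += 2
    # Corroboration from external data (software inventory, network logs).
    score += 2 * len(a.corroboration)
    return score

def response_for(a: AvAlert) -> str:
    """Map a score to a course of action (thresholds are assumptions)."""
    s = score_alert(a)
    if s >= 7:
        return "incident: isolate host and open an IR ticket"
    if s >= 4:
        return "investigate: pull host logs and contact the user"
    return "monitor: log and review at the daily rollup"

def triage(alerts: List[AvAlert]) -> List[Tuple[int, str, str]]:
    """Order alerts so the most urgent ones are read first."""
    return sorted(((score_alert(a), a.host, response_for(a)) for a in alerts),
                  reverse=True)

# Constructed sample alerts, not real console output.
SAMPLE = [
    AvAlert("lab-pc-12", "jdoe", False, "student", "Trojan.Example",
            "C:\\Users\\jdoe\\Local Settings\\Temporary Internet Files\\x.exe",
            "realtime"),
    AvAlert("admin-ws-3", "asmith", True, "sysadmin", "Worm.Example",
            "C:\\Windows\\system32\\svchost32.exe", "post-liveupdate",
            ["inventory: new file in Windows directory",
             "network log: outbound scanning on port 445"]),
]

if __name__ == "__main__":
    for score, host, action in triage(SAMPLE):
        print(f"{score:2d}  {host:<12} {action}")
```

The cache-directory hit on the student machine scores 0 and stays in the daily rollup; the system-directory hit on an administrator's workstation, found only after a definition update and backed by two other data sources, scores 13 and is treated as an incident.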
