Endpoint Protection


How to handle threats with SEP, and thoughts on how to identify them

Jan 24, 2013 04:18 AM

In enterprises you very often find a layered defence built from several mechanisms, and quite often a multi-vendor strategy on top of it, on the assumption that one vendor may identify a threat the other one hasn't caught yet.

(In my opinion, when you take a closer look you will see that not many vendors can actually deal with an enterprise environment, and the remaining candidates for protecting it perform quite similarly. In terms of malware detection they are practically equal: one vendor always detects a given sample a little sooner than another, and over the years this balances out.)

On the one hand there are threats that simply damage your systems and so affect your availability to the market. The other category is oriented towards information and data theft, where the purpose is often financial.

In both cases the risk to your data and systems is real: confidentiality, integrity or availability is compromised, and any of these can harm your business.

So what would be a strategy for protecting your organisation from such threats? Since there is no 100% solution, we can at least work out approaches and proposals that give good coverage for most cases.

In the following I will focus mainly on the endpoint.

 

Identification of Layers

When you know which layers exist in your environment and what information you can get out of each of them, you already have a valuable source for identifying potentially harmful systems that can impact your company. I focus on the internal systems because a system getting infected at some point is no surprise today; it becomes a problem when an infected system appears in your network and either spreads, or captures data and information and submits it to an uncontrolled area outside your border.

Where can you get information about suspicious activity in your environment, assuming that an infected endpoint is in your corporate network?

Just to give you some examples of what these sources could be:

  • Proxy - Check the logs for indications of access to malicious sites.
    Web proxy solutions often provide categories that you may have configured to block, but just because a system in your environment can't reach a site doesn't automatically mean the problem is solved: the blocked request itself shows that something on that host tried.
  • Event logs - Check these logs for indications such as suspicious logon attempts.
  • N-IDS or firewall logs - Check for abnormalities.
  • Mail system logs - Look for suspicious mail activity.
  • User perception
  • Security solutions like antivirus (mentioned only as a peripheral point, since we assume that no definition is available yet)
  • ... and many more that come to mind

Based on these logs you can figure out which systems are infected and which are potentially infected.

Examples to illustrate use cases:

  • A system appears as clean in the antimalware management console, but shows up in the proxy logs accessing malicious websites.
  • A system connects to a resource system on specific ports that are known to be vulnerable and gets blocked by a network IPS.
  • A system performs 1000 logon attempts within one minute against an internal HR website.

 

For more information about detecting malware activity in your network, feel free to contact Symantec; there are solutions that may simplify monitoring of your internal network so you can stay ahead of possible malware activity.

Please feel free to comment if you are interested in the simplified way of detecting malware activity in your network, and share your thoughts.

 

Now I would like to give you an impression of how to hunt down malware on endpoints that you have identified, one way or another, as potentially infected.

 

Simplification of Threat Types

In this section I will simplify the types of threats that exist, independent of the usual classification by the risk or damage they can cause:

  • Low-Medium level viruses, spyware and risks
    You will notice these types as single occurrences on the SEPM, under both Viruses and Spyware and Risks, in the states (Cleaned/Blocked), (Deleted) and (Quarantined), provided a bad reputation, a signature or a behavioural aspect is known.

Furthermore a threat can show up in the Still Infected section if it is detected on a write-protected medium such as a CD. In that case the threat is detected and blocked, but is displayed as still infected because it couldn't be removed, cleaned or quarantined due to the drive protection.

In corporate environments you very often see these types in user profiles or temporary folders, reached by the user directly or through user interaction with an application like a browser.

Typical threats in this category are Trojan.Zbot, Trojan.FakeAV or JS.Runfore, which get onto the client for example by drive-by download.

 

  • High-Critical level viruses, spyware and risks
    You will notice these types occurring on the SEPM, under both Viruses and Spyware and Risks, in the states (Suspicious), (Newly Infected) and (Still Infected) if a bad reputation, a signature or a behavioural aspect is known, or, more often, in the states (Cleaned/Blocked), (Deleted) and (Quarantined).

In corporate environments you often see these types in various paths on the computer, such as the system root, other folders belonging to users, or flash drives, depending on the type of threat and on the privileges with which it came in.

As above, a threat can also show up in the Still Infected section when it is detected on a write-protected medium such as a CD: it is detected and blocked, but displayed as still infected because it couldn't be removed, cleaned or quarantined due to the drive protection.

Typical threats in this category are W32.Downadup.B or W32.Sality.AE. These types mainly spread when users have administrative privileges on their systems and the systems aren't patched.

 

  • Other viruses, spyware and risks
    These are, for example, rootkits, master boot record viruses or other complex malware frameworks.

    These types can be anywhere on a system; sometimes they are easily detected and repaired or removed, others require a complex removal.

 

Mitigation, Remediation and Removal

Having simplified the existing threats and covered how and where to find information about systems that might be infected, we have accomplished two important steps: we can now compare the possibly infected systems against the systems actually at risk.

 

The SEPM shows an infected system on the Still Infected list in the Computer Status logs. In addition, earlier entries in the Risk log or the SONAR log may show other indications of infected files.

 

As a result you can flag the systems as follows:

  Status               Suspicious appearance in external logs   Appearance in SEP log files
  Clean* system        NO                                       NO
  Suspicious system    YES                                      NO
  Infected system      NO                                       YES
  Infected system      YES                                      YES

*) At the moment there is no indication that the system is infected, but that doesn't automatically mean the system is clean.
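The use cases above (a host clean in the console but hitting malicious sites through the proxy, a host blocked by the network IPS, a host hammering the HR site with logons) and the flagging table can be turned into a small correlation script. The following is an added example, not code from the original post or from Symantec: every log line in it is constructed, and the field layouts are simplified assumptions rather than the real export formats of any proxy, IPS, web server or SEPM. The "clean" verdict it produces carries the same caveat as the table: it only means no indication was found.

```python
"""Correlate external logs with SEP detections and flag hosts.

Added example for this post, not code from the article or from Symantec.
Every log line is constructed; field layouts are simplified assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVENTORY = ["WS001", "WS002", "WS003", "WS004", "WS005", "WS006"]  # constructed
BAD_CATEGORIES = {"malicious-sites", "malware", "phishing"}  # assumption: use your proxy's own names

# Constructed proxy log: timestamp host action category url
PROXY_LOG = """\
2013-01-24T09:01:12 WS001 BLOCKED malicious-sites http://evil.example/dl.php
2013-01-24T09:02:40 WS002 ALLOWED business http://intranet.example/
2013-01-24T09:03:05 WS003 ALLOWED news http://news.example/
"""
# Constructed network IPS log: timestamp src dst dport action
IPS_LOG = """\
2013-01-24T09:05:00 WS004 10.0.0.15 445 BLOCKED
"""
# Constructed HR web-server auth log: timestamp host result.
# WS006 fires 1000 failed logons inside 50 seconds; WS003 logs on once.
HR_AUTH_LOG = "2013-01-24T09:11:00 WS003 OK\n" + "\n".join(
    f"2013-01-24T09:10:{i // 20:02d} WS006 FAILED" for i in range(1000))
# Constructed SEPM risk log export: host risk action
SEP_RISK_LOG = """\
WS002 Trojan.Zbot Quarantined
WS005 W32.Downadup.B Still Infected
"""


def proxy_hits(log):
    """Hosts that reached, or were blocked from reaching, a malicious category."""
    hits = defaultdict(list)
    for line in log.splitlines():
        _, host, action, category, url = line.split()
        if category in BAD_CATEGORIES:
            hits[host].append(f"proxy: {action} {category} {url}")
    return hits


def ips_hits(log):
    """Hosts whose connections to internal resources the IPS blocked."""
    hits = defaultdict(list)
    for line in log.splitlines():
        _, src, dst, dport, action = line.split()
        if action == "BLOCKED":
            hits[src].append(f"ips: blocked {dst}:{dport}")
    return hits


def logon_bursts(log, threshold=1000, window=timedelta(minutes=1)):
    """Hosts with at least `threshold` logon attempts inside any sliding window."""
    per_host = defaultdict(list)
    for line in log.splitlines():
        stamp, host, _ = line.split()
        per_host[host].append(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"))
    hits = defaultdict(list)
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop attempts older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits[host].append(f"auth: {threshold}+ logon attempts within {window}")
                break
    return hits


def sep_detections(log):
    """Hosts with any SEPM risk log entry, whatever action SEP took."""
    hits = defaultdict(list)
    for line in log.splitlines():
        host, risk, action = line.split(maxsplit=2)
        hits[host].append(f"sep: {risk} ({action})")
    return hits


def classify(inventory, external, sep):
    """Flagging table: SEP entry -> infected; external-only -> suspicious; neither -> clean."""
    result = {}
    for host in inventory:
        status = "infected" if host in sep else "suspicious" if host in external else "clean"
        result[host] = (status, external.get(host, []) + sep.get(host, []))
    return result


def run():
    """Merge all external sources, then classify every host in the inventory."""
    external = defaultdict(list)
    for src in (proxy_hits(PROXY_LOG), ips_hits(IPS_LOG), logon_bursts(HR_AUTH_LOG)):
        for host, reasons in src.items():
            external[host].extend(reasons)
    return classify(INVENTORY, external, sep_detections(SEP_RISK_LOG))
```

Calling `run()` yields WS001, WS004 and WS006 as suspicious (proxy, IPS and logon-burst indicators respectively, with nothing from SEP), WS002 and WS005 as infected, and WS003 as clean in the narrow sense of the footnote. The logon check uses a sliding one-minute window rather than clock-minute buckets, so a burst straddling a minute boundary is still caught.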

 

For the mitigation and removal strategy we can now apply the following scheme, per threat category (Low-Medium level, High-Critical level, Other):

Clean system

  • No action listed for any category.

Suspicious system (same for all three categories)

  • Check and follow the best practice for removal, i.e. update definitions and run a full scan
  • Analysis

Infected system

  • Low-Medium level: check and follow the best practice for removal, i.e. update definitions and run a full scan
  • High-Critical level: check and follow the best practice for removal, i.e. use the removal tools
  • Other: check and follow the best practice for removal, i.e. reinstall the system

 

Regarding the scheme, I think the overall approach is clear to everyone and can be found here:

 

But I want to spend a few more words in the next section on the analysis, as this is the most interesting part: detecting threats that are not yet included in the virus definitions.

 

 

Analyzing systems that show suspicious activity

The analysis requires some understanding of the operating system and of the applications running on it.

As a prerequisite you should have application learning enabled for your systems; it helps you understand your environment better and, in addition, helps you sort out potential risks on clients.

(I also want to point out the following idea, which could be helpful in the product itself: https://www-secure.symantec.com/connect/ideas/application-monitoring-and-sort-out-good-and-unknownpossible-threats)

 

With application learning in place you will see your database table dbo.SEM_APPLICATION filling up, which helps you discover possible threats as follows.

Based on this table you can investigate suspicious files active in your environment and relate them to threats that you may want to submit for investigation or even block.

You will also notice that many of the temporary files you have seen once never appear again; that is the purpose of temporary folders, but malware takes advantage of these folders as well.

In any case these files shouldn't be allowed to use your network connection, which brings us to the point of firewall restrictions.

(https://www-secure.symantec.com/connect/ideas/wildcard-firewall-policy)

I wanted to share this as a generic approach for your environment, independent of the single incidents you will correlate to a machine.

 

When you have a system on your suspicious list, you can check the applications running on it via Search for Applications.

Once you have searched for a hostname you will see the list of files that are running or have been executed on that system.

Now you need to distinguish the legitimate applications from those that are not. Based on exclusion criteria you can filter out the suspicious ones in the temporary folders of the users or of the system.

 

Once you have found a suspicious file, try to obtain it for submission according to the regular submission process.

 

Independently of that, the Detail View of the file shows on which clients the same file is active, which gives you a clear picture of how much of your environment would be affected.
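The three questions above (what ran on a given host, which of it lives in temp folders and is not yet vetted, and on how many clients the same file is active) are all queries against the application inventory. The following is an added example, not code from the original post or from Symantec: the table, its column names and every row are constructed for this illustration and are not the real dbo.SEM_APPLICATION schema. It runs the same kind of queries you would point at your own export, in an in-memory SQLite database so that it works offline.

```python
"""Hunt suspicious executables in an application-learning inventory.

Added example, not code from the post or from Symantec. Table layout and
rows are constructed assumptions, NOT the real dbo.SEM_APPLICATION schema.
"""
import sqlite3

# Constructed inventory rows: host, file name, full path, MD5 (fake), times seen
ROWS = [
    ("WS001", "outlook.exe", r"C:\Program Files\Microsoft Office\Office14\outlook.exe", "0f0f0f01", 120),
    ("WS001", "kb29384.exe", r"C:\Users\alice\AppData\Local\Temp\kb29384.exe", "deadbeef", 1),
    ("WS007", "svchost.exe", r"C:\Windows\System32\svchost.exe", "0f0f0f02", 400),
    ("WS007", "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "deadbeef", 1),
    ("WS002", "jre-7u11-windows-i586.exe", r"C:\Users\carol\AppData\Local\Temp\jre-7u11-windows-i586.exe", "0f0f0f03", 1),
    ("WS009", "update.exe", r"C:\Windows\Temp\update.exe", "c0ffee00", 3),
]

# Hashes you have already vetted (constructed), e.g. Office, System32 svchost, your Java installer.
ALLOWLIST = {"0f0f0f01", "0f0f0f02", "0f0f0f03"}

# Throw-away locations. SQLite LIKE is case-insensitive for ASCII and treats
# backslash literally, so these raw strings need no escaping.
TEMP_PATTERNS = [r"%\AppData\Local\Temp\%", r"%\Windows\Temp\%"]

# Names malware likes to borrow from the OS; the genuine copies live in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def load():
    """Build the constructed inventory in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_inventory (host TEXT, name TEXT, path TEXT, md5 TEXT, seen INTEGER)")
    conn.executemany("INSERT INTO app_inventory VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def apps_on_host(conn, host):
    """What 'Search for Applications' by hostname gives you: every file seen on that host."""
    return conn.execute(
        "SELECT name, path, md5 FROM app_inventory WHERE host = ? ORDER BY path", (host,)
    ).fetchall()


def suspicious_temp_files(conn):
    """Executables in temp folders whose hash you have not vetted yet."""
    # Only '?' placeholders are assembled here; the patterns themselves are bound as parameters.
    where = " OR ".join("path LIKE ?" for _ in TEMP_PATTERNS)
    rows = conn.execute(
        f"SELECT host, name, path, md5 FROM app_inventory WHERE ({where}) ORDER BY md5, host",
        TEMP_PATTERNS,
    ).fetchall()
    return [r for r in rows if r[3] not in ALLOWLIST]


def masquerading_system_names(conn):
    """Files carrying a system-binary name but running from outside System32."""
    rows = conn.execute("SELECT host, name, path, md5 FROM app_inventory").fetchall()
    return [r for r in rows
            if r[1].lower() in SYSTEM_NAMES and "\\windows\\system32\\" not in r[2].lower()]


def hosts_with_hash(conn, md5):
    """The Detail View question: on which clients is this exact file active?"""
    return [h for (h,) in conn.execute(
        "SELECT DISTINCT host FROM app_inventory WHERE md5 = ? ORDER BY host", (md5,))]
```

With the constructed data, `suspicious_temp_files` returns the unknown `update.exe` in the Windows temp folder plus two files sharing the hash `deadbeef`, once as `kb29384.exe` and once as `svchost.exe`; the vetted Java installer in a user's temp folder is filtered out by the allowlist. `hosts_with_hash(conn, "deadbeef")` then shows the same file is active on WS001 and WS007 under different names, which is exactly the case where a name-based block would miss one copy.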

But what do you do when you have something that is certainly not related to your business and looks like malware, perhaps with negative ratings at various online virus scanners, or already identified by Symantec as a threat that will be included in the next definition set?

 

Mitigation and Solution

Based on the information you have about the file, you can apply an Application Control policy to block execution of this file.

To do so, create an application rule and apply it to the executable, which can be done based on the filename.

Be aware that in most cases the name is chosen arbitrarily, or is a generic name that may also belong to a component of the operating system. So it usually makes more sense to match on the file fingerprint, which is far more specific than a name.

Once the rule is applied, the application is blocked the next time it is started. Already running instances require the application to be restarted, which can be achieved with a reboot; from then on the application is blocked.
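The difference between a name rule and a fingerprint rule is easiest to see on a renamed copy. The following is an added example, not code from the original post, from Symantec, or from SEP's own Application Control engine: it models the two rule types described above on constructed byte strings that stand in for files. SEP's checksum.exe tool produced MD5 fingerprints for these lists at the time, which is why MD5 is computed here.

```python
"""Name-based vs fingerprint-based application blocking.

Added example, not code from the post or from Symantec; a model of the two
rule types, not SEP's rule engine. File contents are constructed bytes.
"""
import hashlib
from dataclasses import dataclass

# Constructed "files": the same dropper under two names, and the genuine svchost.exe.
MALWARE = b"MZ\x90\x00constructed-dropper-sample-not-real-malware"
LEGIT_SVCHOST = b"MZ\x90\x00constructed-stand-in-for-the-real-system-binary"

FILES = {
    r"C:\Users\alice\AppData\Local\Temp\kb29384.exe": MALWARE,
    r"C:\Users\bob\AppData\Local\Temp\svchost.exe": MALWARE,   # same bytes, borrowed OS name
    r"C:\Windows\System32\svchost.exe": LEGIT_SVCHOST,          # the real system binary
}


def fingerprint(data, algo="md5"):
    """Hex digest of the file contents (MD5 matches what checksum.exe produced)."""
    return hashlib.new(algo, data).hexdigest()


@dataclass(frozen=True)
class NameRule:
    """Block by file name only: cheap, but fooled by a rename and by name collisions."""
    name: str

    def matches(self, path, data):
        return path.rsplit("\\", 1)[-1].lower() == self.name.lower()


@dataclass(frozen=True)
class FingerprintRule:
    """Block by content hash: follows the file whatever it is called."""
    md5: str

    def matches(self, path, data):
        return fingerprint(data) == self.md5


def evaluate(rules, files):
    """Map every path to the first rule that blocks it, or None if it may run."""
    return {path: next((r for r in rules if r.matches(path, data)), None)
            for path, data in files.items()}


def blocked_paths(rules, files=FILES):
    """Sorted list of paths the given rule set would block."""
    return sorted(p for p, r in evaluate(rules, files).items() if r is not None)


BY_NAME = [NameRule("kb29384.exe")]              # blocks the original, misses the renamed copy
BY_NAME_GENERIC = [NameRule("svchost.exe")]      # catches the copy, but also the real svchost.exe
BY_HASH = [FingerprintRule(fingerprint(MALWARE))]  # blocks both copies, leaves System32 alone
```

Evaluating the three rule sets against the constructed files shows the trade-off in one place: the name rule for `kb29384.exe` misses the renamed copy in Bob's temp folder, a name rule for `svchost.exe` catches that copy but would also block the genuine binary in System32, and the fingerprint rule blocks exactly the two copies of the malicious content. For a real deployment you would take the MD5 from checksum.exe or from the SEPM's own file details rather than computing it yourself.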

 

In addition, to immediately prevent the threat from spreading or submitting data to a command and control server, you can apply a firewall configuration that blocks the use of any network interface for that application.

Make sure that the policy you created to block the malware activity is applied to all your systems.

 


Comments

Mar 22, 2013 06:47 PM

"Thumbs up" to the good advice, above. 

This new article may also be of interest: your SEPM can help you find suspicious, undetected files....

Using SEPM Alerts and Reports to Combat a Malware Outbreak
https://www-secure.symantec.com/connect/articles/using-sepm-alerts-and-reports-combat-malware-outbreak
