Endpoint Protection

  • 1.  SEP not detecting a packaged malware application

    Posted Jul 02, 2013 02:30 PM

    Hi,

    During one of the pentesting results Symantec wasn't able to detect a malware called injector.exe when it was packaged.

    I understand that Symantec detects the malware based on the file fingerprint, and that when it was packaged the fingerprint changed and hence it wasn't detected.

    But if the above is the case, what's the solution for this?

    How can we stop malware and viruses when they are packaged?

    Blocking the malware through file fingerprint would be a solution, but then how many malwares can be blocked in that way?




  • 2.  RE: SEP not detecting a packaged malware application

    Posted Jul 02, 2013 02:36 PM

    What was it packaged by? Metasploit? If so, Metasploit has a feature to bypass AV and it works almost every time against just about every AV vendor out there. Considering this happened during a pen-test, I'm not surprised. Any experienced pen-tester can run circles around anti-virus.

    Now, you can submit the sample to Security Response, but this file can easily be re-packaged by Metasploit to bypass AV again. Traditional AV defense is no match for this type of "malware".

    I would suggest turning up the settings for Proactive Threat Protection (SONAR) by setting to aggressive.

    Was this file downloaded? If so, you can also turn up the setting for Download Insight.

    Yes, you would also need to look at utilising System Lockdown and an Application and Device Control policy. Both of these are very good defenses against encrypted malware/APT types.



  • 3.  RE: SEP not detecting a packaged malware application

    Posted Jul 02, 2013 02:53 PM

    It was packaged by UPX (File compression and decompression utility).

    Now to your suggestion :

    1) Turning up SONAR And DOWNLOAD INSIGHT

    Would mean more false positives, isn't it, which would be a nightmare. Right now SONAR is at 5.

    2) System Lockdown: not ok in the environment, as restricting to a specific set of applications won't suffice.

    3) Apps and Device Control: will only block this malware. What about others? Can't block each and every malware through Apps and Device Control.




  • 4.  RE: SEP not detecting a packaged malware application

    Posted Jul 02, 2013 03:01 PM

    1) Yes, false positives would increase, which means more time spent trying to figure out exclusions.

    2) You run a checksum against each and every exe/dll from a clean system and those will automatically be allowed. Again, more time and resources are needed to properly manage this.

    3) You can use an application control policy to block specific directories where malware is known to execute from. Yet, again, more time and resources needed.

    However, these (or other defenses) are what need to be done. Standard AV by itself no longer provides adequate protection.

    If you still have the file, submit it to https://www.virustotal.com and see how many AV vendors detect it.
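
A worked illustration of the checksum allowlist described in point 2 above, added here and not part of the thread or of SEP itself: it fingerprints a constructed "clean" tree with SHA-256, then shows that a byte-identical copy is allowed while a repacked copy of the same program (different bytes, so a different hash) and an unknown binary are both refused. The UPX marker scan is an assumed cheap heuristic, not something the posts describe.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for a clean system's binaries (not real executables).
CLEAN_FILES = {
    "notepad.exe": b"MZ\x90\x00clean-notepad-body",
    "helper.dll": b"MZ\x90\x00clean-helper-body",
}
# Strings UPX leaves in the PE files it packs (its section names and header magic).
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def fingerprint(path: Path) -> str:
    """SHA-256 of the file: the checksum a lockdown allowlist is keyed on."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_allowlist(clean_dir: Path) -> set[str]:
    """Hash every exe/dll under a known-clean tree, as the checksum step in the thread describes."""
    return {fingerprint(p) for p in clean_dir.rglob("*")
            if p.suffix.lower() in (".exe", ".dll")}


def looks_upx_packed(path: Path) -> bool:
    """Heuristic only (assumed, not from the thread): a packer can be chosen that leaves no markers."""
    data = path.read_bytes()
    return any(m in data for m in UPX_MARKERS)


def evaluate(path: Path, allowlist: set[str]) -> str:
    """Verdict a checksum-based lockdown would give for one file."""
    if fingerprint(path) in allowlist:
        return "allowed"
    if looks_upx_packed(path):
        return "blocked (unknown hash, UPX markers present)"
    return "blocked (unknown hash)"


def demo() -> dict[str, str]:
    with tempfile.TemporaryDirectory() as tmp:
        clean, host = Path(tmp, "clean"), Path(tmp, "host")
        clean.mkdir(); host.mkdir()
        for name, body in CLEAN_FILES.items():
            (clean / name).write_bytes(body)
        allowlist = build_allowlist(clean)
        # Workstation files: identical known-good copy, the same program "packed" (new bytes, new hash), unknown binary.
        (host / "notepad.exe").write_bytes(CLEAN_FILES["notepad.exe"])
        (host / "packed.exe").write_bytes(b"MZ\x90\x00UPX0UPX1UPX!" + CLEAN_FILES["notepad.exe"])
        (host / "unknown.exe").write_bytes(b"MZ\x90\x00never-seen-before")
        return {p.name: evaluate(p, allowlist) for p in sorted(host.iterdir())}


if __name__ == "__main__": print(demo())
```

The point the thread makes is visible in the result: the hash lookup is exact, so any repacking of a known file drops it out of the allowlist, which is why maintaining the baseline is the ongoing cost rather than a one-off job.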



  • 5.  RE: SEP not detecting a packaged malware application

    Posted Jul 02, 2013 05:19 PM

    We too have had the issue where SEP did not detect anything suspicious, even though SONAR and Insight were enabled. Our test was also a pen test and files were downloaded to a user's workstation. How this was eventually detected is that IPS was triggered as the malware was attempting to spread to another workstation. Following the web traffic from the infected computer led us to some SSL IPs that were acting as a C2. Using these IPs we were able to detect some of the infected PCs, but not all according to our pen test summary. I believe the best way is System Lockdown; however, as mentioned above, it is nearly impossible to maintain alone.


    As a suggestion, I now monitor learned applications. I enabled the notification and Symantec sends me the list. This can be pretty brutal as well, based on how many clients you have, and if a pen tester is smart (chances are they are) they will just drop a file in an unsuspected directory anyway. I love the idea of SONAR and Insight; however, it is very hard to maintain, set exclusions and keep things going in the name of security unless you are fully staffed to achieve that goal.



  • 6.  RE: SEP not detecting a packaged malware application

    Posted Jul 02, 2013 05:46 PM

    The days of just getting by with AV are long gone. Any client without a firewall, IPS, some type of application whitelisting, reputation checking, etc, etc. are pretty much dead in the water.

    The problem I see is these are HUGE tasks to manage in a large environment. You need multiple resources and as it is most IT departments are understaffed and wear multiple hats. Not to mention trying to keep within a budget.

    I know people hate to hear that, and some get very upset when their AV doesn't catch something, but today's malware is so advanced it does a little victory dance around plain ol' AV multiple times. My faith in only AV was lost about 4 years ago.

    Other protection technologies need to be implemented and SEP offers some good ones but resources and time are tight. I'm glad I don't wear an executive hat because my head would be spinning with the struggles of making it work.