Re: A Real-Time malware antivirus console

[Curt Wilson <curtw () SIU EDU>]

I've seen numerous examples in the last few years where malware was
apparently caught/quarantined/deleted but that only told part of the
story; systems were infected and only some portion of the malware, such
as a dropper or one piece in the chain was detected but the malware that
was downloaded by the dropper was packed and engineered to bypass most
common antivirus. If the dropper got caught before it downloaded
anything, then things might be OK, but I've analyzed numerous systems
where the detect is just the tip of the iceberg. I've seen other
scenarios where a dropper it not detected at first, is executed and then
obtains other malware, including rootkits that get installed. At a later
time, signature (or other) updates catch the dropper, but can't see the
rootkit or what the rootkit is hiding. In such a scenario, the rabbit
hole just keeps going deeper.

With modern criminal malware that's specifically engineered to bypass AV
detection, times have changed and we must adapt.

I've gotten into the philosophy of treating anti-virus as a detection
and notification system that a box needs a more in-depth analysis. In a
large organization, this rapidly scales into a huge resource issue though.


Robert Clifford wrote:

<snip>

> As Michael said below, you should only want to see alerts where the
> software was unable to act.  When it catches malware and it's
> quarantined or deleted, etc., the software is doing it's job.
>
> Hope this helps.
>
>
>
>
>
>
> Thanks,
>
> Rob
>
> =====================
> Robert Clifford
> Information Security/Risk Management/Business Continuity
> Columbus State Community College
> 614-287-3686
> Nextel: 136*16475*123
> rclifford2 () cscc edu <mailto:rclifford2 () cscc edu>
>
>
>
> > > > "Stanclift, Michael" <michael.stanclift () ROCKHURST EDU> 6/17/2009
> 11:39 AM >>>
> I currently have EPO/McAfee configured to send me an email alert when a
> virus is detected on a system but it could not be removed. Then I get a
> daily digest in the morning of yesterday's activity including things
> that were removed. Not "real time" like you said, but real enough for me
> given the limited resources we have. If I wanted, I could change the
> email alerts to include all virus threats detected, but I'd probably be
> flooding my inbox with a lot of things that are not really worth
> tracking down, at least for me.
>
> Michael Stanclift
> Network Analyst
> Rockhurst University
>
> http://help.rockhurst.edu
> (816) 501-4231
>
> Think before you print!
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of reflect ocean
> Sent: Wednesday, June 17, 2009 9:53 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] A Real-Time malware antivirus console
>
> Hi there.
>
> We are reviewing our entire organization antivirus solution.
> Aside of effectiveness in malware detection,I am trying to propose a
> solution that gives an real time overall malware threat monitoring
> tool.I'm looking something like real time malware monitor or console
> indicating real time trend of malware detection in my network  which
> let me act right upon a malware breakup (incident response team) and
> not having to react after those incidents with a sad report of events
> hours ago.
> Are you aware of any corporate solution that offer this feature?
> McAfee and EPO can do that?
>
> Thank you


--
Curt Wilson
SIUC IT Security Officer & Security Engineer