Re: viruses that have been cleaned or quarantined

[Kevin Wilcox <wilcoxkm () APPSTATE EDU>]

On 21 June 2017 at 15:50, Chelsie Power <cpower () csusm edu> wrote:

> If your virus scanner has cleaned or quarantined a virus/malware/etc., do
> you do any additional scanning or followup on the endpoint? I know virus
> definitions, though up to date, may potentially just be catching a virus
> that have lived on the machine for several months and had only been recently
> identified. Do you trust that "cleaned" means it took care of any damage
> that had been done, if any?

Chelsie -

I see no difference between AV and IDS. The idea that AV can "clean" a
system is one that I'd like to see eradicated.

That's not to say that it's impossible - just that it takes known-good
cryptographic hash values for every file on the system, a trusted
off-system scanning agent and good alerting when something changes.
That's before having the same thing in place for registry hives, the
ability to detect/audit ADSs, etc.

If AV alerts on anything, and I can't otherwise determine it's a false
positive, it's a re-image of the system. Again, AV alerts are treated
the same as IDS alerts. There are some exceptions where it's profile
removal/recreation but generally speaking that's insufficient for most
of our environment.

One massive hole to that approach - we backup data, re-image and
restore. If something is hiding in one of the backed-up files, it
comes back on the newly-built system.

It's certainly not perfect and needs some work but I've done too many
forensic examinations of systems to trust that AV can do anything
beyond alerting on 25% of the stuff that's out there.

kmw