Educause Security Discussion mailing list archives
Re: viruses that have been cleaned or quarantined
From: "Garmon, Joel" <garmonjs () WFU EDU>
Date: Thu, 22 Jun 2017 08:13:16 -0400
Very good thread. There is another nuance that I consider in reviewing AV alerts -- was it caught in a real-time scan (meaning the first time the file was downloaded or used, and stopped before executing) or in a periodic scan (a daily or weekly scan, which means the virus has been on the system for a while and has already executed)?

We also have special groups for departments that handle PII and have alerts set up so we know when any virus hits these groups. We review every alert associated with PII. This is a team effort between security, service desk, and desktop support.

Thank you,

Joel Garmon
Director Information Security
Wake Forest University
336-758-2972
http://infosec.wfu.edu/

On Wed, Jun 21, 2017 at 4:52 PM, Kevin Wilcox <wilcoxkm () appstate edu> wrote:
> On 21 June 2017 at 15:50, Chelsie Power <cpower () csusm edu> wrote:
>
>> If your virus scanner has cleaned or quarantined a virus/malware/etc., do you do any additional scanning or followup on the endpoint? I know virus definitions, though up to date, may potentially just be catching a virus that has lived on the machine for several months and had only been recently identified. Do you trust that "cleaned" means it took care of any damage that had been done, if any?
>
> Chelsie - I see no difference between AV and IDS. The idea that AV can "clean" a system is one that I'd like to see eradicated. That's not to say that it's impossible - just that it takes known-good cryptographic hash values for every file on the system, a trusted off-system scanning agent and good alerting when something changes. That's before having the same thing in place for registry hives, the ability to detect/audit ADSs, etc.
>
> If AV alerts on anything, and I can't otherwise determine it's a false positive, it's a re-image of the system. Again, AV alerts are treated the same as IDS alerts. There are some exceptions where it's profile removal/recreation but generally speaking that's insufficient for most of our environment.
>
> One massive hole to that approach - we back up data, re-image and restore. If something is hiding in one of the backed-up files, it comes back on the newly-built system.
>
> It's certainly not perfect and needs some work but I've done too many forensic examinations of systems to trust that AV can do anything beyond alerting on 25% of the stuff that's out there.
>
> kmw
Current thread:
- viruses that have been cleaned or quarantined Chelsie Power (Jun 21)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 21)
- Re: viruses that have been cleaned or quarantined Ken Connelly (Jun 21)
- Re: viruses that have been cleaned or quarantined Belford, Jason C. (jcb3zr) (Jun 21)
- Re: viruses that have been cleaned or quarantined Garmon, Joel (Jun 22)
- Re: viruses that have been cleaned or quarantined Frank Barton (Jun 22)
- Re: viruses that have been cleaned or quarantined Tim Doty (Jun 22)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 22)
- Re: viruses that have been cleaned or quarantined Ken Connelly (Jun 21)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 21)