Educause Security Discussion mailing list archives

Re: Helpdesk malware "first responder" tools, techniques, processes


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Mon, 19 Aug 2019 19:09:56 +0000

Thanks Sean and Rob.

Sean, I'm curious about your caveat around Malwarebytes. And I wonder if it's the same caveat around some of the others 
like Sophos, Emsisoft, Trend Micro, etc, where you use a free trial that's targeted for home use.

It's always been a bit squishy for me so I've tended to shy away from any formal documentation around those types of 
tools.

Years ago I played with McAfee's Stinger but wasn't impressed.

We're using Cisco AMP on our endpoints. I've just started here so I don't have much experience with it.

Jim



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hagan, Sean
Sent: Monday, August 19, 2019 2:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Helpdesk malware "first responder" tools, techniques, processes

This is from an older discussion (June of 2017), but the tools are perhaps still relevant...

Our process for unconfirmed malware such as PUP/Adware/or simply unknown (performed by the Helpdesk, either on their 
own or with a ticket from me/IT security based on anomalous detections):


1. Junkware Removal Tool (by Malwarebytes)
2. AdwCleaner (requires reboot after completion)
3. SophosClean
4. Malwarebytes (with a caveat about commercial use)

If that doesn't seem to resolve it, we consider running (but only if we really don't want to re-image for some reason):

* Emsisoft Emergency Kit
* Trend Micro's HouseCall (although I'm probably going to stop using this as it isn't detecting much)

We also looked into buying a few one-off licenses for HitmanPro (which has become Sophos' Intercept X product) - we 
might do this if they're still available - it seemed like a pretty robust tool. If we don't have high confidence that 
the issue is resolved, we're happy to re-image the machine in almost all cases. If we have high confidence of malware 
(not just PUP or adware), we go for a re-image as well.

Not specifically a cleanup tool, but one that can be useful for investigation and attribution (post-incident response) 
is Nirsoft's BrowserHistoryView.  It can help to correlate malware/adware/PUP installation with a specific website in 
concert with Event Viewer or other logs.
Rob - I heard from a trusted source that Malwarebytes actually did a better job at discovering and stopping a serious 
outbreak of ransomware over a well-known endpoint solution.  While I would have shared your concerns before, I'm at 
least a little more inclined to give it credit now.
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Rob Milman
Sent: Monday, August 19, 2019 8:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Helpdesk malware "first responder" tools, techniques, processes

Our helpdesk has been leaning on Malwarebytes to "solve" their problems for a number of years. I, however, have no 
confidence in the product at all. I think it's great for finding PUP, but those aren't what I worry about. Most of the time 
when we are dealing with a real infection (ransomware, trojan, etc.) I use a Sophos bootable USB on it and do a deep 
scan of the entire drive. Very often, I find trojans that Malwarebytes completely missed. The helpdesk is slow to come 
around, but they are asking us now what tool they should be using.

Thanks,

Rob

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Monday, August 19, 2019 7:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Helpdesk malware "first responder" tools, techniques, processes

Bumping this to see if anyone has any suggestions, especially around standalone scanning tools.


Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



From: Jim A. Bole
Sent: Monday, August 12, 2019 2:28 PM
To: 'SECURITY () LISTSERV EDUCAUSE EDU' <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Helpdesk malware "first responder" tools, techniques, processes

I'm interested in what others have done to help their helpdesk "first responders" handle potentially infected endpoints:

  1. Any list of questions or script that a helpdesk person can use with the end user to help determine what may have 
     occurred ("What link did you click on", etc). Below is a list I've started.
  2. Any standalone malware scanner or other tools? Everyone loves Malwarebytes, but I think licensing is an issue.
  3. Any other initial steps that a "first responder" should do (or not do)?

My initial list of questions to triage possible malware issues:

  i.   Is the computer currently running?
  ii.  What network is the computer connected to?
       1. If it is a desktop with only a wired Ethernet connection, have the user disconnect it.
       2. If it is using a WiFi connection:
          a. See if the user can identify the network.
          b. Try to have the user disable WiFi.
  iii. What windows, pop-ups or messages can be seen?
       1. Get as many details as possible.
       2. If the user has a mobile device, have them take a picture of the screen.
  iv.  Are there any other unusual behaviors on the computer?
       1. Files not accessible, or filenames being changed/encrypted
       2. Mouse or keyboard not working
       3. Sounds
  v.   What was the user doing on the computer immediately prior to the detection?
       1. Using email (ask if they recall any subject lines, recipients, names of attachments)
       2. Browsing websites (ask if they recall what sites)
       3. Opening files from a server (what was the name of the server or drive letter?)
       4. Installing a browser extension or toolbar:
          a. What browser are they using (Chrome, Edge, Safari, Firefox, etc.)?
  vi.  What was the name or type of extension or toolbar?
  vii. Did the user take any actions after the detection?
       1. Entering information into any box/window, such as username and password, cell number, etc.
       2. Restarting the computer.
       3. Going to any other websites to search for information about the behavior.
       4. Attempting to install any software, such as a virus cleaner.

Thanks in advance,

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696
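As an added example that is not part of the thread (not from any list participant or vendor): a PowerShell first-responder snapshot script built around the triage questions above. It records what the machine is connected to and what it is doing, captures the things a helpdesk person would otherwise ask the user to describe (recently changed files, browser extensions, what ran recently), and only then, with -Isolate, disables the active network adapters. The output folder, the 24-hour look-back window, the browser profile paths and the choice of event logs are assumptions for this example; it targets Windows 8 / Server 2012 or later PowerShell and is run from an elevated session on the affected endpoint.

```powershell
# Added example (not from the thread): first-responder triage snapshot.
# Assumptions: elevated PowerShell, Windows 8+/Server 2012+, output under
# C:\Triage. Nothing here cleans or reboots; it records and (optionally) isolates.
[CmdletBinding()]
param(
    [string]$OutDir = "C:\Triage\$($env:COMPUTERNAME)-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
    [int]$HoursBack = 24,      # assumed look-back window for "what happened recently"
    [switch]$Isolate           # disconnect from the network once evidence is saved
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddHours(-$HoursBack)

# ii. What network is the computer connected to? Record it before touching anything.
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, MacAddress |
    Export-Csv "$OutDir\adapters.csv" -NoTypeInformation
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory |
    Export-Csv "$OutDir\network-profiles.csv" -NoTypeInformation
# Established connections are gone the moment the adapter goes down, so capture them now.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv "$OutDir\tcp-established.csv" -NoTypeInformation

# Volatile state: running processes with image path and command line.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv "$OutDir\processes.csv" -NoTypeInformation

# Persistence: Run/RunOnce keys, startup folders and scheduled tasks (adware/PUP favourites).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
} | Export-Csv "$OutDir\run-keys.csv" -NoTypeInformation
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User |
    Export-Csv "$OutDir\startup-commands.csv" -NoTypeInformation
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath, Author, State |
    Export-Csv "$OutDir\scheduled-tasks.csv" -NoTypeInformation

# iv.1 Files renamed/encrypted: recently written files under user profiles, grouped by
# extension. A burst of one unfamiliar extension in the window is the ransomware tell.
$recent = Get-ChildItem "$env:SystemDrive\Users" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }
$recent | Select-Object FullName, Extension, Length, LastWriteTime |
    Export-Csv "$OutDir\recent-files.csv" -NoTypeInformation
$recent | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object Count, Name | Out-File "$OutDir\recent-files-by-ext.txt"

# v.4 / vi. Browser extensions: Chrome and Edge extension IDs with their install time,
# for the profile of the user running the script (assumed profile locations).
$extRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)
foreach ($root in $extRoots) {
    if (Test-Path $root) {
        Get-ChildItem "$root\*\Extensions" -Directory -ErrorAction SilentlyContinue |
            Get-ChildItem -Directory |
            Select-Object @{n='Browser';e={$root}}, @{n='ExtensionId';e={$_.Name}},
                          @{n='Installed';e={$_.CreationTime}} |
            Export-Csv "$OutDir\browser-extensions.csv" -NoTypeInformation -Append
    }
}

# Event logs for the same window, to line up with the user's account of v. and vii.
Get-WinEvent -FilterHashtable @{ LogName = 'System','Application'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName, LevelDisplayName, Message |
    Export-Csv "$OutDir\events.csv" -NoTypeInformation

# ii.1 / ii.2 Isolate last: disabling an adapter also drops any remote-support session.
if ($Isolate) {
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

Get-ChildItem $OutDir | Select-Object Name, Length
```

Evidence is written before the adapters are disabled because disabling them also ends any remote-support session and any established connection you might later want to attribute; for the same reason the script never reboots (question vii.2). The scanner of choice runs afterwards, and the output folder travels with the ticket so that IT security can correlate it with the user's answers and, as suggested above, with browser history.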



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community