High Number of Hosts Not Updating Malware Signatures

Description

Alerts when a high number of hosts that are not updating their malware signatures is discovered. These hosts should be evaluated to determine why they are not receiving signature updates.

Content Mapping



Use Case

Security Monitoring, Compliance

Category

Operations, GDPR

SPL Difficulty

Advanced

Journey

Stage 2

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Disabling Security Tools (T1089, deprecated)

Impair Defenses: Disable or Modify Tools (T1562.001, the current name for the same technique)

MITRE Threat Groups

BRONZE BUTLER
FIN6
Gamaredon Group
Gorgon Group
Kimsuky
Lazarus Group
Night Dragon
Putter Panda
Rocke
Turla
Wizard Spider

Data Sources

Anti-Virus or Anti-Malware

GDPR Relevance

Problem

As with Detection of Uncleaned Malware on Endpoint, malware may persist on an endpoint whose protection agent is not updating its malware signatures: the agent cannot detect threats it has no signature for. A single host failing to update is usually an operational issue. A high number of such hosts points to a systemic cause, such as a broken update infrastructure, a policy change, or a widespread infection or other compromise that is disabling or blocking the update mechanism. When evaluating the affected hosts, distinguish hosts that still report but carry old signatures (updates failing) from hosts that have stopped reporting altogether (agent stopped, tampered with, or uninstalled); both belong in the count.
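The following is an added example of the detection logic described above, not the SPL behind this Splunk content. It works over constructed anti-malware status events in a hypothetical key=value format (the field names dest, signature_version and action and the YYYY.MM.DD.N signature version scheme are assumptions), takes the newest report per host, classifies each host as current, stale (reporting but with old signatures) or silent (no report within the heartbeat window), and raises an alert only when both an absolute count and a fleet-percentage threshold are exceeded:

```python
"""Detection logic for 'high number of hosts not updating malware signatures'.

Added example (not the page's SPL): classifies every host seen in anti-malware
signature-status events, then alerts when the count and share of hosts that
are not keeping signatures current exceed configured thresholds.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value format. The field names
# (dest, signature_version, action) are assumptions, not a specific vendor's.
SAMPLE_LOG = """\
2024-03-12T01:05:00Z dest=ws-001 signature_version=2024.03.11.2 action=updated
2024-03-12T01:07:00Z dest=ws-002 signature_version=2024.03.11.2 action=updated
2024-03-12T01:09:00Z dest=ws-003 signature_version=2024.03.04.1 action=failed
2024-03-11T23:50:00Z dest=ws-004 signature_version=2024.03.11.1 action=updated
2024-03-05T08:00:00Z dest=ws-005 signature_version=2024.03.04.1 action=updated
2024-03-12T01:10:00Z dest=ws-006 signature_version=2024.03.01.3 action=failed
2024-03-12T01:11:00Z dest=ws-001 signature_version=2024.03.11.2 action=updated
2024-03-12T01:12:00Z dest=ws-007 signature_version=2024.03.11.2 action=updated
2024-03-12T01:13:00Z dest=ws-008 signature_version=2024.03.11.2 action=updated
"""
# Point in time at which the search is evaluated (constructed to match the sample).
REFERENCE_TIME = datetime(2024, 3, 12, 2, 0, 0)

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Assumed version scheme YYYY.MM.DD.N: the date part says how old the signatures are.
SIG_DATE_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})\.\d+$")


@dataclass
class HostStatus:
    host: str
    last_seen: datetime
    signature_version: str
    signature_date: datetime


def parse_events(text):
    """Return a dict host -> HostStatus built from the newest event per host."""
    latest = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(KV_RE.findall(m.group(2)))
        host, version = fields.get("dest"), fields.get("signature_version", "")
        sig = SIG_DATE_RE.match(version)
        if not host or not sig:
            continue  # unparseable events are skipped, never counted as current
        sig_date = datetime(int(sig.group(1)), int(sig.group(2)), int(sig.group(3)))
        status = HostStatus(host, ts, version, sig_date)
        if host not in latest or ts > latest[host].last_seen:
            latest[host] = status  # keep only the most recent report per host
    return latest


def classify_hosts(latest, now, max_sig_age_days=3, heartbeat_window_days=2):
    """Split hosts into current, stale (reporting but old signatures) and silent
    (no report inside the heartbeat window: agent stopped, disabled or removed)."""
    result = {"current": [], "stale": [], "silent": []}
    for host, st in sorted(latest.items()):
        if now - st.last_seen > timedelta(days=heartbeat_window_days):
            result["silent"].append(host)
        elif now - st.signature_date > timedelta(days=max_sig_age_days):
            result["stale"].append(host)
        else:
            result["current"].append(host)
    return result


def evaluate(text, now, min_count=3, min_ratio=0.25, **kwargs):
    """Alert when hosts not keeping signatures current exceed BOTH thresholds;
    the ratio guard keeps a handful of hosts in a large fleet from paging."""
    classes = classify_hosts(parse_events(text), now, **kwargs)
    not_updating = classes["stale"] + classes["silent"]
    total = sum(len(v) for v in classes.values())
    ratio = len(not_updating) / total if total else 0.0
    return {
        "total_hosts": total,
        "stale": classes["stale"],
        "silent": classes["silent"],
        "ratio": round(ratio, 3),
        "alert": len(not_updating) >= min_count and ratio >= min_ratio,
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, REFERENCE_TIME))
```

On the sample data this flags ws-003 and ws-006 as stale (they still report, but with signatures more than three days old) and ws-005 as silent (no report in two days), three of eight hosts, and alerts. Tune max_sig_age_days to the vendor's release cadence and the thresholds to fleet size; the silent class is the one an attacker disabling the agent would land in.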

Impact

Uncleaned malware puts digital systems at risk. For environments or systems that process personal data this situation can be critical, especially in a GDPR context. Article 32 of the GDPR requires organizations to regularly test, assess and evaluate the effectiveness of the technical and organizational security measures they have implemented. If a Supervisory Authority exercises its powers to place an organization within the scope of a privacy audit, the organization must be able to demonstrate compliance (Article 58). If the organization suffers a personal data breach that affects individuals, those individuals have the right to claim compensation for material and non-material damage caused by the breach, and the organization must prove that it understood and addressed the risk appropriately and deployed proper countermeasures (Article 82).

Resolution Path

For this use case, first establish why the affected hosts are not receiving signature updates (agent stopped or tampered with, update server unreachable, policy misconfiguration) and restore updates, so that any malware they have missed in the meantime can be detected. Removing malware that antivirus and other legacy endpoint protection software cannot remove (whether because of file permissions or other configuration that prevents straightforward quarantine or cleaning) is in many cases an appropriate response and helps demonstrate compliance.
