Outdated Malware Definitions

Description

Looks for Symantec AV hosts that are generating Symantec AV events but have not logged a malware definition update in the last few days.


Use Case

Security Monitoring

Category

Operations, Compliance, Endpoint Compromise

Security Impact

This indicates that a host is not updating its anti-virus definitions, which can be an operational concern (e.g., anti-virus isn't working), or it could be an indication that updates have been shut off by malware itself. Regardless, it is something to fix.

Alert Volume

Low (?)

SPL Difficulty

Basic

Journey

Stage 1

Data Sources

Anti-Virus or Anti-Malware

How to Implement

This particular search has been most successful with Symantec AV. Many anti-virus products provide insufficient logging to tell when definitions are updated (often they log only when malware is found). If you are using Symantec AV and followed the data onboarding guide, this should work automatically. If you did not follow the data onboarding guide, make sure that your sourcetypes and indexes match. Always hard-code your sourcetypes and indexes rather than searching index=*.

Known False Positives

No known false positives at this time.

How To Respond

When this fires, look on the host to see why the anti-virus isn't updating. If you don't see an obvious reason (e.g., a specific, explainable error), it may be worth investigating the host for other suspicious events to rule out an infection.

Help

Outdated Malware Definitions Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides), during which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

SPL for Outdated Malware Definitions

Demo Data

First we bring in our basic demo dataset, Symantec Endpoint Operational Logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Next we use a relatively complicated stats command to track the time of the last update, and the time of the last error.
Next we filter for the events where the time of the last update was more than three days ago, or where the last error was more recent than the last update.
Finally, we format the timestamps in a human readable way.

Live Data

First we bring in our basic dataset, Symantec Endpoint Operational Logs.
Next we use a relatively complicated stats command to track the time of the last update, and the time of the last error.
Next we filter for the events where the time of the last update was more than three days ago, or where the last error was more recent than the last update.
Finally, we format the timestamps in a human readable way.
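The four steps above (the demo and live walkthroughs describe the same logic) as an added, stand-alone Python example. This is not part of Splunk Security Essentials or the original search; the event field names, the event types and the sample events are constructed for illustration and do not follow the real Symantec Endpoint Protection schema. The "stats" step becomes a per-host summary of the latest update and latest error, the filter step applies the three-day threshold and the error-after-update condition, and the final step renders timestamps for an analyst. It also flags hosts that produce AV events but never logged an update at all, which the Description covers but the step list does not spell out.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (hypothetical field names, not the SEP schema).
# "event" is one of: definition_update, update_error, malware_detected.
SAMPLE_EVENTS = [
    {"host": "ws-01", "time": "2024-03-10T08:00:00Z", "event": "definition_update"},
    {"host": "ws-01", "time": "2024-03-11T08:00:00Z", "event": "definition_update"},
    {"host": "ws-02", "time": "2024-03-01T08:00:00Z", "event": "definition_update"},
    {"host": "ws-03", "time": "2024-03-10T08:00:00Z", "event": "definition_update"},
    {"host": "ws-03", "time": "2024-03-11T09:30:00Z", "event": "update_error"},
    {"host": "ws-04", "time": "2024-03-11T07:00:00Z", "event": "update_error"},
    {"host": "ws-04", "time": "2024-03-11T10:00:00Z", "event": "definition_update"},
    {"host": "ws-05", "time": "2024-03-11T06:00:00Z", "event": "malware_detected"},
]

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2024, 3, 11, 12, 0, tzinfo=timezone.utc)


def parse_time(stamp):
    """Parse the constructed ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(events):
    """Step 2 ('stats'): per host, the time of the last definition update
    and the time of the last update error. Every host that emitted any AV
    event appears in the result, even if it never logged an update."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(ev["host"], {"last_update": None, "last_error": None})
        when = parse_time(ev["time"])
        key = {"definition_update": "last_update", "update_error": "last_error"}.get(ev["event"])
        if key and (entry[key] is None or when > entry[key]):
            entry[key] = when
    return summary


def fmt(when):
    """Step 4: human-readable timestamp, or 'never' when no such event was seen."""
    return when.strftime("%Y-%m-%d %H:%M:%S") if when else "never"


def find_outdated(events, now, max_age=timedelta(days=3)):
    """Step 3 (filter): hosts whose last update is older than max_age, whose
    last error is more recent than their last update, or that produced AV
    events without any update at all. Returns findings sorted by host."""
    findings = []
    for host, s in sorted(summarize(events).items()):
        last_update, last_error = s["last_update"], s["last_error"]
        if last_update is None:
            reason = "AV events seen but no definition update"
        elif now - last_update > max_age:
            reason = "last definition update older than %d days" % max_age.days
        elif last_error is not None and last_error > last_update:
            reason = "update error more recent than last update"
        else:
            continue  # healthy host: recent update and no newer error
        findings.append({
            "host": host,
            "reason": reason,
            "last_update": fmt(last_update),
            "last_error": fmt(last_error),
        })
    return findings


if __name__ == "__main__":
    for row in find_outdated(SAMPLE_EVENTS, NOW):
        print("%(host)s  %(reason)s  last_update=%(last_update)s  last_error=%(last_error)s" % row)
```

With the sample data, ws-01 and ws-04 are healthy (ws-04 had an error, but a successful update followed it), ws-02 is stale, ws-03 logged an error after its last update, and ws-05 only ever reported a detection, so it is flagged for never having updated. Adjusting `max_age` is the equivalent of changing the three-day threshold in the search.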

Screenshot of Demo Data