Navigation :

Endpoint Uncleaned Malware Detection

Description

Detect a system with a malware detection that was not properly cleaned, as they carry a high risk of damage or disclosure of data.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Security Monitoring, Compliance

Security Impact

For all the environments, uncleaned malware means that there is still malware located in your environment. For environments that are handling GDPR, article 32 requires that you regularly test, assess and evaluate the effectiveness of your implemented technical and organizational security controls. If the Authority executes their powers and your Organization is in the scope of a Privacy Audit you need to demonstrate compliance (Article 58). Also in case you face a breach and individuals are impacted they have the right to compensation of the damage - if an organization can prove that they have done everything appropriate to the risk and deployed proper countermeasures, they shouldn't be liable (Article 82). Clearing out viruses can be considered in most cases as appropriate and your organization should be able to prove compliance.

Alert Volume

Low

SPL Difficulty

Basic

Data Availability

Bad

Journey

Stage 1

MITRE ATT&CK Tactics

Execution

Initial Access

MITRE ATT&CK Techniques

User Execution

Drive-by Compromise

Spearphishing Attachment

Spearphishing Link

Phishing

Spearphishing Attachment

Spearphishing Link

MITRE Threat Groups

RTM

APT32

Elderwood

PLATINUM

Patchwork

Lazarus Group

Leafminer

Darkhotel

APT19

Turla

BRONZE BUTLER

Dragonfly 2.0

APT38

GOLD SOUTHFIELD

Windshift

Dragonfly

PROMETHIUM

Threat Group-3390

Dark Caracal

APT37

Data Sources

Anti-Virus or Anti-Malware

GDPR Relevance
Problem Despite initial detection from traditional anti-malware tools, malware often persists undetected on endpoints. This can occur when malware uses evasive techniques to spread to other endpoints without triggering an alert, or if an infection or re-infection occurs due to incomplete remediation or a response that does not address the root of the infection. Impact Uncleaned malware puts digital systems at risk. For any environments/systems that are involved in processing personal data, this situation can be critical, and especially so in a GDPR context. Article 32 of the GDPR requires that organizations regularly test, assess and evaluate effectiveness of implemented technical and organizational security controls. In the event that a Supervisory Authority executes powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58). If the organization faces a personal data breach and individuals are impacted, those individuals have the right to demand compensation for material and non-material damage caused by the breach. The organization must prove that they have understood and addressed the risk appropriately and deployed proper countermeasures (Article 82). Resolution Path Removing malware infections that antivirus and other legacy endpoint protection software cannot remove (whether due to file permissions or other configurations that prevents easy quarantine or cleaning) can be considered in many cases appropriate, and helps to demonstrate compliance .

GDPR Relevance

Problem

Despite initial detection from traditional anti-malware tools, malware often persists undetected on endpoints. This can occur when malware uses evasive techniques to spread to other endpoints without triggering an alert, or if an infection or re-infection occurs due to incomplete remediation or a response that does not address the root of the infection.

Impact

Uncleaned malware puts digital systems at risk. For any environments/systems that are involved in processing personal data, this situation can be critical, and especially so in a GDPR context. Article 32 of the GDPR requires that organizations regularly test, assess and evaluate effectiveness of implemented technical and organizational security controls. In the event that a Supervisory Authority executes powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58). If the organization faces a personal data breach and individuals are impacted, those individuals have the right to demand compensation for material and non-material damage caused by the breach. The organization must prove that they have understood and addressed the risk appropriately and deployed proper countermeasures (Article 82).

Resolution Path

Removing malware infections that antivirus and other legacy endpoint protection software cannot remove (whether due to file permissions or other configurations that prevents easy quarantine or cleaning) can be considered in many cases appropriate, and helps to demonstrate compliance

How to Implement
With Anti-Malware logs onboard, these searches should work easily, particularly if you use a Splunk Add-on that maps the logs to the Common Information Model (search on Splunkbase!).

Known False Positives
No known false positives at this time.

How To Respond
When this occurs, you should begin a standard incident response process on this host.

Help
Endpoint Uncleaned Malware Detection Help This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides), during which a virus is not cleaned. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

Help