Navigation :

Endpoint Uncleaned Malware Detection

Description

Detect a system with a malware detection that was not properly cleaned, as they carry a high risk of damage or disclosure of data.

Use Case

Security Monitoring, Compliance

Security Impact

For all the environments, uncleaned malware means that there is still malware located in your environment. For environments that are handling GDPR, article 32 requires that you regularly test, assess and evaluate the effectiveness of your implemented technical and organizational security controls. If the Authority executes their powers and your Organization is in the scope of a Privacy Audit you need to demonstrate compliance (Article 58). Also in case you face a breach and individuals are impacted they have the right to compensation of the damage - if an organization can prove that they have done everything appropriate to the risk and deployed proper countermeasures, they shouldn't be liable (Article 82). Clearing out viruses can be considered in most cases as appropriate and your organization should be able to prove compliance.

Alert Volume

Low (?)

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Execution

Initial Access

MITRE ATT&CK Techniques

User Execution

Drive-by Compromise

Spearphishing Attachment

Spearphishing Link

MITRE Threat Groups

APT12

APT19

APT28

APT29

APT32

APT33

APT37

APT38

APT39

APT41

BRONZE BUTLER

Cobalt Group

Dark Caracal

DarkHydrus

Darkhotel

Dragonfly 2.0

Elderwood

FIN4

FIN7

FIN8

Gallmaker

Gorgon Group

Kimsuky

Lazarus Group

Leafminer

Leviathan

Machete

Magic Hound

MuddyWater

Night Dragon

OilRig

PLATINUM

Patchwork

Rancor

Silence

Stolen Pencil

TA459

TA505

The White Company

Threat Group-3390

Tropic Trooper

Turla

admin@338

menuPass

Data Sources

Anti-Virus or Anti-Malware

GDPR Relevance
Problem Despite initial detection from traditional anti-malware tools, malware often persists undetected on endpoints. This can occur when malware uses evasive techniques to spread to other endpoints without triggering an alert, or if an infection or re-infection occurs due to incomplete remediation or a response that does not address the root of the infection. Impact Uncleaned malware puts digital systems at risk. For any environments/systems that are involved in processing personal data, this situation can be critical, and especially so in a GDPR context. Article 32 of the GDPR requires that organizations regularly test, assess and evaluate effectiveness of implemented technical and organizational security controls. In the event that a Supervisory Authority executes powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58). If the organization faces a personal data breach and individuals are impacted, those individuals have the right to demand compensation for material and non-material damage caused by the breach. The organization must prove that they have understood and addressed the risk appropriately and deployed proper countermeasures (Article 82). Resolution Path Removing malware infections that antivirus and other legacy endpoint protection software cannot remove (whether due to file permissions or other configurations that prevents easy quarantine or cleaning) can be considered in many cases appropriate, and helps to demonstrate compliance .

GDPR Relevance

Problem

Despite initial detection from traditional anti-malware tools, malware often persists undetected on endpoints. This can occur when malware uses evasive techniques to spread to other endpoints without triggering an alert, or if an infection or re-infection occurs due to incomplete remediation or a response that does not address the root of the infection.

Impact

Uncleaned malware puts digital systems at risk. For any environments/systems that are involved in processing personal data, this situation can be critical, and especially so in a GDPR context. Article 32 of the GDPR requires that organizations regularly test, assess and evaluate effectiveness of implemented technical and organizational security controls. In the event that a Supervisory Authority executes powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58). If the organization faces a personal data breach and individuals are impacted, those individuals have the right to demand compensation for material and non-material damage caused by the breach. The organization must prove that they have understood and addressed the risk appropriately and deployed proper countermeasures (Article 82).

Resolution Path

Removing malware infections that antivirus and other legacy endpoint protection software cannot remove (whether due to file permissions or other configurations that prevents easy quarantine or cleaning) can be considered in many cases appropriate, and helps to demonstrate compliance

How to Implement
With Anti-Malware logs onboard, these searches should work easily, particularly if you use a Splunk Add-on that maps the logs to the Common Information Model (search on Splunkbase!).

Known False Positives
No known false positives at this time.

How To Respond
When this occurs, you should begin a standard incident response process on this host.

Help
Endpoint Uncleaned Malware Detection Help This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides), during which a virus is not cleaned. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

Help