Endpoint Uncleaned Malware Detection
Description
Detect a system with a malware detection that was not properly cleaned, as they carry a high risk of damage or disclosure of data.
Content Mapping
GDPR Relevance
Problem
Despite initial detection by traditional anti-malware tools, malware often persists undetected on endpoints. This can occur when malware uses evasive techniques to spread to other endpoints without triggering an alert, or when an infection or re-infection results from incomplete remediation or from a response that does not address the root of the infection.
Impact
Uncleaned malware puts digital systems at risk. For any environments or systems involved in processing personal data, this situation can be critical, and especially so in a GDPR context. Article 32 of the GDPR requires that organizations regularly test, assess and evaluate the effectiveness of the technical and organizational security controls they have implemented. If a Supervisory Authority exercises its powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58). If the organization suffers a personal data breach and individuals are affected, those individuals have the right to demand compensation for material and non-material damage caused by the breach, and the organization must prove that it understood and addressed the risk appropriately and deployed proper countermeasures (Article 82).
Resolution Path
Removing malware infections that antivirus and other legacy endpoint protection software cannot remove (whether because of file permissions or other configurations that prevent easy quarantine or cleaning) can in many cases be considered an appropriate countermeasure, and helps to demonstrate compliance.
How to Implement
With anti-malware logs onboarded, these searches should work easily, particularly if you use a Splunk Add-on that maps the logs to the Common Information Model (search on Splunkbase!).
Known False Positives
No known false positives at this time.
How To Respond
When this occurs, you should begin a standard incident response process on this host.
Help
This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides) in which a virus is not cleaned. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.
SPL for Endpoint Uncleaned Malware Detection
Demo Data
First we bring in our basic demo dataset. In this case, we are using risk events from Symantec Endpoint Protection. We wrap | inputlookup in a macro called Load_Sample_Log_Data, just so the demo data loading is cleaner.
To detect uncleaned malware, we look for events where the action taken is neither the primary nor the secondary action expected.
Finally we put everything in a nice and usable table!
Live Data
First we bring in our basic dataset. In this case, we are using risk events from Symantec Endpoint Protection.
To detect uncleaned malware, we look for events where the action taken is neither the primary nor the secondary action expected.
Finally we put everything in a nice and usable table!
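The comparison both searches describe (the action actually taken matches neither the primary nor the secondary expected action, then summarized per host), as an added Python example that is not the page's SPL or Splunk's code. The CSV layout, field names (requested_action, secondary_action, actual_action) and sample events are constructed for this illustration and are not the add-on's exact Common Information Model mapping.

```python
import csv
import io

# Constructed sample of Symantec Endpoint Protection style risk events.
# Field names and values are assumptions for this example, not the
# exact fields of the Splunk add-on or the Common Information Model.
SAMPLE_RISK_LOG = """\
time,host,risk_name,requested_action,secondary_action,actual_action
2023-05-01 09:12:03,WKS-011,Trojan.Gen.2,Clean,Quarantine,Cleaned
2023-05-01 09:15:47,WKS-027,W32.Sality,Clean,Quarantine,Left alone
2023-05-01 09:18:10,SRV-FILE01,Backdoor.Trojan,Quarantine,Delete,Quarantined
2023-05-01 09:22:55,WKS-027,W32.Sality,Clean,Quarantine,Access denied
2023-05-01 09:30:01,LAPTOP-104,Ransom.Wannacry,Quarantine,Delete,Deleted
2023-05-01 09:41:19,LAPTOP-104,Ransom.Wannacry,Quarantine,Delete,Pending restart
"""

# Requested actions arrive as verbs ("Clean") and outcomes in past tense
# ("Cleaned"); map both sides to one canonical token so they compare.
CANONICAL = {
    "clean": "clean", "cleaned": "clean",
    "quarantine": "quarantine", "quarantined": "quarantine",
    "delete": "delete", "deleted": "delete",
}

def canonical(action):
    return CANONICAL.get(action.strip().lower(), action.strip().lower())

def find_uncleaned(log_text):
    """Return events whose actual action matched neither the primary
    (requested) nor the secondary expected action."""
    events = csv.DictReader(io.StringIO(log_text))
    return [
        e for e in events
        if canonical(e["actual_action"])
        not in {canonical(e["requested_action"]), canonical(e["secondary_action"])}
    ]

def summarize_by_host(log_text):
    """Table of host -> (number of uncleaned detections, sorted risk names)."""
    table = {}
    for e in find_uncleaned(log_text):
        count, risks = table.get(e["host"], (0, set()))
        risks.add(e["risk_name"])
        table[e["host"]] = (count + 1, risks)
    return {h: (c, sorted(r)) for h, (c, r) in table.items()}

if __name__ == "__main__":
    for host, (count, risks) in summarize_by_host(SAMPLE_RISK_LOG).items():
        print(f"{host:12} {count:3}  {', '.join(risks)}")
```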
Screenshot of Demo Data
