In-Scope Device with Outdated Anti-Malware Found

Description

Alerts when a GDPR-tagged system has out-of-date malware definitions, a condition that conflicts with the GDPR requirement (Article 32) to maintain appropriate security for systems that process personal data.


Use Case

Security Monitoring, Compliance

Category

GDPR, Endpoint Compromise

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 4

Data Sources

Anti-Virus or Anti-Malware

GDPR Relevance

Problem:

As with High Number of Hosts Not Updating Malware Signatures and Detection of Uncleaned Malware on Endpoint, malware can persist when an endpoint protection agent stops updating its signatures. Even a single host with outdated anti-malware deserves attention: malware that tampers with the endpoint agent often blocks signature updates first, so a stalled update can itself be a sign of infection. If that host is tagged under the GDPR category, immediate remediation is required to clear the non-compliant condition.

Impact:

When an environment that processes personal data includes systems with outdated anti-malware protection (or no protection at all), those systems are at elevated risk and the organisation is out of compliance with its obligation under Article 32 to implement, and be able to demonstrate, appropriate technical security measures. Article 58 gives supervisory authorities the power to investigate and order corrective measures, and Article 82 exposes the controller or processor to compensation claims from affected data subjects. See also the methods above, High Number of Hosts Not Updating Malware Signatures and Detection of Uncleaned Malware on Endpoint.

Resolution Path:

The data mapping exercise led by the DPO identifies which systems are in scope -- that is, the systems associated with the GDPR category. From there, identify the in-scope systems with outdated anti-malware or no anti-malware protection, pinpoint the root cause of the updates not occurring (for example a blocked update path or a disabled agent), and remediate those hosts by reconfiguring the host or the environment as the root cause dictates. Also see the methods above, High Number of Hosts Not Updating Malware Signatures and Detection of Uncleaned Malware on Endpoint.

How to Implement

First, use your data mapping results to build a lookup that associates each system with its GDPR category. This search is most reliable with Symantec Endpoint Protection: many anti-virus products log too little to show when definitions were updated (often only when malware is found). If you are using Symantec AV and followed the data onboarding guide, the search should work without changes. If you did not follow the data onboarding guide, make sure the sourcetypes and indexes in the search match your environment. Always hard-code your sourcetypes and indexes rather than searching index=*, which is slow and may pull in unrelated data.

Known False Positives

No known false positives at this time.

How To Respond

When this fires, check the host to find out why the anti-virus is not updating. If there is no obvious cause (a specific, explainable error), investigate the host for other suspicious events to rule out an infection, since malware that has disabled the agent would produce exactly this symptom.

Help

In-Scope Device with Outdated Anti-Malware Found Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Symantec Endpoint Protection logs (onboarded in accordance with our Data Onboarding Guides), during which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for Symantec Endpoint Protection or the Common Information Model.

SPL for In-Scope Device with Outdated Anti-Malware Found

Demo Data

First we bring in our basic demo dataset, Symantec Endpoint Operational Logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Next we use a relatively complicated stats command to track the time of the last update, and the time of the last error.
Next we filter for the events where the time of the last update was more than three days ago, or where the last error was more recent than the last update.
Next we look up the host in the GDPR categorization lookup. Because we only care about GDPR hosts for this example, we filter for only the hosts that are in scope for GDPR.
Finally, we format the timestamps in a human readable way.

Live Data

First we bring in our basic dataset, Symantec Endpoint Operational Logs.
Next we use a relatively complicated stats command to track the time of the last update, and the time of the last error.
Next we filter for the events where the time of the last update was more than three days ago, or where the last error was more recent than the last update.
Next we look up the host in the GDPR categorization lookup. Because we only care about GDPR hosts for this example, we filter for only the hosts that are in scope for GDPR.
Finally, we format the timestamps in a human readable way.
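The five steps above, together with the lookup built under How to Implement, as an added example that is not Splunk Security Essentials' own SPL: the same logic in Python, run over a handful of constructed anti-malware events so it can be checked offline. The event shape (host, event type, UTC timestamp), the event type names definition_update and update_error, the GDPR_LOOKUP contents and the NOW reference time are all assumptions for the example, not Symantec field names. It goes one step further than the search described: it drives from the GDPR lookup rather than from the AV index, so an in-scope host that has stopped logging altogether is reported as well.

```python
"""Added example: outdated anti-malware check over constructed events (not the page's SPL)."""
from datetime import datetime, timedelta, timezone

# Constructed sample events (host, event_type, timestamp). Not real Symantec log lines;
# the event_type values are assumed names for "definitions updated" and "update failed".
SAMPLE_EVENTS = [
    ("web01", "definition_update", "2024-05-10T08:00:00Z"),
    ("web01", "definition_update", "2024-05-11T08:00:00Z"),  # healthy
    ("db01",  "definition_update", "2024-05-01T08:00:00Z"),  # stale: well over 3 days old
    ("hr01",  "definition_update", "2024-05-11T08:00:00Z"),
    ("hr01",  "update_error",      "2024-05-11T09:30:00Z"),  # error after the last update
    ("lab01", "definition_update", "2024-05-01T08:00:00Z"),  # stale, but not a GDPR host
]

# Constructed stand-in for the lookup built from the DPO's data mapping (host -> category).
# fin01 is in scope but has produced no AV events at all.
GDPR_LOOKUP = {"web01": "GDPR", "db01": "GDPR", "hr01": "GDPR", "fin01": "GDPR", "lab01": "Lab"}

# Assumed reference time for the example; a live search would use the current time.
NOW = datetime(2024, 5, 12, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=3)  # the "more than three days ago" threshold from the search


def parse_ts(stamp):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fmt(ts):
    """Step 5: render a timestamp in a human-readable form ('never' when absent)."""
    return "never" if ts is None else ts.strftime("%Y-%m-%d %H:%M:%S")


def summarize(events):
    """Step 2: per host, the time of the last definition update and of the last error."""
    summary = {}
    for host, etype, stamp in events:
        t = parse_ts(stamp)
        rec = summary.setdefault(host, {"last_update": None, "last_error": None})
        key = "last_update" if etype == "definition_update" else "last_error"
        if rec[key] is None or t > rec[key]:
            rec[key] = t
    return summary


def find_outdated(events, lookup, now, max_age=MAX_AGE):
    """Steps 3 and 4: flag stale or error-after-update hosts, restricted to GDPR hosts.

    Iterating over the lookup rather than the events means a GDPR host with no AV
    events at all (agent removed, logging broken) is reported instead of silently missed.
    """
    summary = summarize(events)
    findings = []
    for host in sorted(h for h, cat in lookup.items() if cat == "GDPR"):
        rec = summary.get(host, {"last_update": None, "last_error": None})
        last_update, last_error = rec["last_update"], rec["last_error"]
        if last_update is None:
            reason = "no_events" if last_error is None else "never_updated"
        elif now - last_update > max_age:
            reason = "stale"
        elif last_error is not None and last_error > last_update:
            reason = "error_after_update"
        else:
            continue  # up to date and no error since the last update
        findings.append({"host": host, "reason": reason,
                         "last_update": fmt(last_update), "last_error": fmt(last_error)})
    return findings


def run_example():
    """Run the check over the constructed data; returns the list of findings."""
    return find_outdated(SAMPLE_EVENTS, GDPR_LOOKUP, NOW)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['host']:6} {f['reason']:20} last_update={f['last_update']} last_error={f['last_error']}")
```

On the constructed data this reports db01 (stale), fin01 (no events at all) and hr01 (error after the last update), and ignores web01 (healthy) and lab01 (out of scope). The no_events case is the one a search anchored on the AV index cannot produce; if you keep the SPL form, the equivalent is to start from the lookup and join the AV summary onto it, or to run a separate search for in-scope hosts absent from the AV index.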

Screenshot of Demo Data