I’m often quite critical of anti-virus and its poor ability to actually detect most of the viruses that a computer is likely to see in normal operation. Anti-virus can detect what it can detect, and that means that generally, if the AV engine detects malware, the malware was probably blocked from getting a foothold on the computer. In my experience, that has led to apathy towards anti-virus logs: like watching blocked firewall logs, AV logs show you what was successfully blocked. As I’ve mentioned on my cyber security podcast a number of times, there are a few important reasons to pay attention to those AV logs.
First, AV logs that show detected malware on servers, particularly where the server is not a file server, should prompt some investigation. Frequently, some of the tools an attacker will try to push to a target server will be caught by an AV engine and deleted or quarantined. The attacker may have to iterate through a few different tools to find one that is not detected before moving forward in the attack. Paying attention to AV logs in this circumstance provides an opportunity to identify an attack during its early stages. I’ve seen this technique used most effectively on Internet-facing web servers, where almost any AV detection is bound to be an indication of an active attack.
Second, on workstations, AV detection events will necessarily be more common than on non-interactive servers, due to the nature of email attachments, web browsing, downloads, USB drives and so on. In this case, it is more reasonable to accept that AV blocked a particular piece of malware, and generally unworkable to chase after each detected event. However, there are two opportunities to leverage AV logs in this circumstance to shut down infections. If a particular workstation is detecting many pieces of malware over a relatively short time, this may be an indication that the person using the workstation is doing something inappropriate, or that the system has some other undetected malware infection and AV is catching a second-order infection attempt. In either case, the workstation likely deserves a look.
Additionally, on workstations, certain kinds of malware detection events uncovered during full drive scans should warrant a look at the computer. Frequently, a piece of malware will not be detected at first, but as other organizations find and submit samples of the malware, AV detection will improve and a previously undetected infection is suddenly detected.
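As an added example (not code from the original post), the first two triage rules above expressed as detection logic over a handful of constructed AV log lines: any detection on a server is surfaced, and a workstation with several detections inside a short sliding window is flagged. The log layout, hostnames and threat names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample AV log lines (not from the original post). The layout
# "<timestamp> <host> <role> <action> <threat>" is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:00:00 web01 server quarantined Tool.Backdoor.A
2024-03-01T09:03:00 web01 server quarantined HackTool.B
2024-03-01T10:15:00 ws-alice workstation quarantined Trojan.Downloader
2024-03-01T10:16:00 ws-alice workstation quarantined Adware.X
2024-03-01T10:20:00 ws-alice workstation quarantined Trojan.Dropper
2024-03-01T10:25:00 ws-alice workstation quarantined Trojan.Downloader
2024-03-02T08:00:00 ws-bob workstation quarantined Adware.Y
"""

def parse_av_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, host, role, action, threat = line.split(maxsplit=4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "role": role, "action": action, "threat": threat})
    return events

def server_alerts(events):
    """Rule 1: every detection on a (non-file) server gets a look; it may be
    an attacker cycling through tools until one slips past AV."""
    return [e for e in events if e["role"] == "server"]

def noisy_workstations(events, window=timedelta(hours=1), threshold=3):
    """Rule 2: a workstation with >= threshold detections inside a sliding
    window points at risky user behaviour or an undetected primary infection."""
    by_host = defaultdict(list)
    for e in events:
        if e["role"] == "workstation":
            by_host[e["host"]].append(e["time"])
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            # Advance j past the last event still inside the window starting at times[i].
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(host)
                break
    return flagged
```

On the sample data the two web01 events are surfaced by the server rule, and ws-alice (four detections in ten minutes) is flagged while ws-bob (a single detection) is not.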
I think it’s important to reiterate that AV is not all that effective at preventing malware infections; however, most of us have significant investments in our AV infrastructure, and we ought to be looking for ways to ensure we are getting the best leverage out of the tools we have deployed in our environments.
Have you found a clever way to use AV? Post a message below.