November 14, 2019

If antivirus alerts, and nobody is around to hear it… does it make a sound? – WST

It may not make a sound (depending on your desktop notification settings), but the danger is very real. Antivirus (AV), or more generally antimalware controls, have been around for a long time. They are an imperfect but important layer of your defense-in-depth. The problem is that they are still widely misunderstood. Antivirus marketing, with all of its AI, machine learning, mesh… whatever, makes it sound like the software will catch everything and you can rest easy, knowing that your AV sees all. That is unfortunately not the case. What antimalware can reliably do for you, however, is make noise.

Endpoint antivirus is like the proverbial tripwire with cans strung along it. It won't stop an intruder, but it can let you know someone is up to no good. Many times during penetration tests, our initial payloads are not caught, but the well-known hacker tools we then try to use to extend our access DO get caught. Read that the right way: by the time AV fires on the tool, the attacker already has a foothold on the box. So monitoring antivirus alerts is essential. Even more essential is not assuming that because something was quarantined, that is all there is. Malware is modular, and sometimes only one component gets removed, leaving the rest untouched. Bottom line: always assume that your antivirus only alerted on part of the threat. Every alert needs to be carefully followed up on, and when in doubt, the affected system should be reimaged. Better safe than sorry.
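The triage logic described above, written out as an added example (this is not code from the original post, and the log format, the hostnames and the threat names are constructed for illustration). The rules encode the post's point: a quarantine is a tripwire, not a cleanup, so every host gets at least a follow-up, and a host where the AV action failed or where post-exploitation tooling was caught is flagged for rebuild.

```python
"""Triage of endpoint antivirus alerts: treat each alert as evidence of a
foothold, not as a closed ticket. Added example; the line format below is
an assumed, generic SIEM export and the sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample alerts (not real telemetry). Assumed layout:
# <timestamp> host=<name> user=<user> threat=<name> path=<path> action=<result>
SAMPLE_ALERTS = """\
2019-11-14T09:02:11Z host=WS-104 user=jdoe threat=Trojan:Win32/Emotet path=C:\\Users\\jdoe\\Downloads\\invoice.doc action=quarantined
2019-11-14T09:17:40Z host=WS-104 user=jdoe threat=HackTool:Win32/Mimikatz path=C:\\Windows\\Temp\\m.exe action=quarantined
2019-11-14T10:05:03Z host=WS-221 user=asmith threat=PUA:Win32/Toolbar path=C:\\Users\\asmith\\AppData\\Local\\tb.exe action=quarantined
2019-11-14T11:30:55Z host=SRV-FILE01 user=SYSTEM threat=Backdoor:Win32/Meterpreter path=C:\\ProgramData\\svc.dll action=failed
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"threat=(?P<threat>\S+)\s+path=(?P<path>\S+)\s+action=(?P<action>\S+)$"
)

# Threat-name prefixes that mean an operator is already on the box (the
# "fancy hacker tools" that get caught after the initial payload did not).
# The prefix list is an assumption for this example.
POST_EXPLOITATION_PREFIXES = ("HackTool:", "Backdoor:")

# AV actions that actually removed the file. Anything else means the
# threat is still on disk.
CONTAINED_ACTIONS = {"quarantined", "removed"}

SEVERITY_RANK = {"investigate": 1, "reimage": 2}


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def triage(alerts):
    """Return {host: {"severity": str, "reasons": [str], "alerts": int}}.

    Baseline severity is "investigate": no alert is closed by quarantine
    alone. "reimage" is assigned when the evidence says cleanup cannot be
    trusted: the AV action failed, post-exploitation tooling was seen, or
    several distinct threats fired on the same host (one module removed,
    others possibly still present)."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)

    result = {}
    for host, items in by_host.items():
        reasons = []
        severity = "investigate"

        def escalate(level, reason):
            nonlocal severity
            reasons.append(reason)
            if SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
                severity = level

        if any(a["action"] not in CONTAINED_ACTIONS for a in items):
            escalate("reimage", "AV action did not contain the threat")
        if any(a["threat"].startswith(POST_EXPLOITATION_PREFIXES) for a in items):
            escalate("reimage", "post-exploitation tooling caught: initial payload likely ran undetected")
        if len({a["threat"] for a in items}) > 1:
            escalate("reimage", "multiple distinct threats on one host: assume partial cleanup")
        if not reasons:
            reasons.append("single contained alert: confirm nothing else was dropped alongside it")

        result[host] = {"severity": severity, "reasons": reasons, "alerts": len(items)}
    return result


def hosts_to_reimage(report):
    """Hosts whose triage outcome is a rebuild, sorted for the ticket."""
    return sorted(h for h, r in report.items() if r["severity"] == "reimage")


if __name__ == "__main__":
    report = triage(parse_alerts(SAMPLE_ALERTS))
    for host, r in sorted(report.items()):
        print(f"{host}: {r['severity']} ({r['alerts']} alert(s))")
        for reason in r["reasons"]:
            print(f"    - {reason}")
    print("reimage:", ", ".join(hosts_to_reimage(report)))
```

Run against the sample, WS-104 and SRV-FILE01 come out as rebuilds (caught tooling and a failed action, respectively) while WS-221 still gets a follow-up rather than being closed on the strength of its quarantine. Swap the regex for whatever your AV console or SIEM exports; the rules are the part that carries the post's message.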

