January 23, 2020

Infosec Blocking and Tackling – Antivirus – WST

Antivirus software.  We all have it.  Enough said, right?  Or is there more to it?  Antivirus (or anti-malware) is a control we often see misunderstood.  Opinions of network and security administrators run the gamut from “We have antivirus software, we are protected!” to “Antivirus doesn’t do anything, so we don’t bother doing much with it.”  As is often the case, the truth lies somewhere in the middle.

Even the best machine-learning, heuristic, AI-based (insert buzzword here) anti-malware solutions can and will miss things.  But that isn’t the point: where anti-malware really shines is as a detective, rather than a preventative, control.  Attackers can eventually bypass your antivirus, but it may take a few tries.  If you are watching, it can be your early warning of trouble.  It probably won’t stop someone, but it will make enough noise to let you know they are there.  So, the key to proper anti-malware controls is to make sure you are watching, and that you respond appropriately when you see detections.

Here are our recommendations on how to best use these controls:

  • It may go without saying, but make sure you have anti-malware software on all systems: workstations, servers, etc.  It also goes without saying, but make sure it is enabled and working.  Anyone who has administered antivirus knows it is easy for a system to drop “off the radar” in the AV management console.  Do periodic audits of system counts in your antivirus console vs. your other management tools and system inventories to ensure everything is accounted for.
  • Reduce the noise. Make sure your system list in the antivirus console is up-to-date.  Having a console cluttered with hundreds of retired or offline systems makes spotting real issues harder. System build and change control processes should include not only adding antivirus, but also removal from the console upon retirement or reinstalls.
  • In the same way, find the root cause of false-positive alerts and detections and eliminate them. Most anti-malware solutions let you whitelist executables or files that routinely get detected.  Once you have verified a false positive, resolve it so it doesn’t keep flooding you with alerts and making genuine detections easier to miss.
  • True antivirus detections should generate proactive alerts. Whether this is an email, or an automatically generated ticket, make sure it goes to multiple people.  That way if someone is sick, on vacation, or just plain busy, nothing gets overlooked.
  • Careful follow-up on suspicious detections is essential. Even if the threat was quarantined or deleted, investigation is still warranted.  Why?  Because in many cases, the item detected and deleted was only part of the threat.  The initial foothold can sometimes remain.  Have a process, and the skill sets available, to ensure a system is clean.  If there is any doubt at all, reimage the system.  “Nuke it from orbit, it’s the only way to be sure.”
  • If anti-malware management is outsourced, perhaps to an MSP, all of this still applies; it just becomes a job of making sure your vendor is doing it. Like the other tasks they are doing for you, you need to have visibility into what is going on.  Ensure you are getting detailed reports on covered systems (so you can make sure the names and counts make sense), on detections, and on the follow-up done, and insist that you are included on the email alerts generated by your antivirus system.  That way, if you see alerts and don’t see your MSP following up, you can ask questions.
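The first two recommendations above (audit console counts against your inventory, and clear retired systems out of the console) can be turned into a repeatable reconciliation. The script below is an added example and not part of the original post; it assumes a CSV export from the AV console with the columns hostname, last_checkin and av_enabled, and a hostname-only CSV export from an authoritative inventory (AD, CMDB, or similar). The sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (not real data). In practice these would be
# CSV exports from the AV management console and from AD/CMDB.
AV_CONSOLE_CSV = """hostname,last_checkin,av_enabled
WS-001,2020-01-22,True
WS-002,2019-10-01,True
SRV-DB01,2020-01-23,False
OLD-WS-099,2019-03-15,True
"""

INVENTORY_CSV = """hostname
WS-001
WS-002
WS-003
SRV-DB01
"""


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_av_coverage(av_csv, inventory_csv, today, stale_days=30):
    """Reconcile the AV console export against the authoritative inventory.

    today is an ISO date string (YYYY-MM-DD). Returns a dict of sorted host lists:
      missing  - inventory hosts with no AV console entry (coverage gap)
      stale    - AV hosts that have not checked in for stale_days (dropped off the radar)
      orphaned - AV console entries not in inventory (retired systems cluttering the console)
      disabled - AV console entries whose agent reports disabled
    """
    inventory = {r["hostname"].strip().upper() for r in load_rows(inventory_csv)}
    av_hosts = {r["hostname"].strip().upper(): r for r in load_rows(av_csv)}
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=stale_days)
    return {
        "missing": sorted(inventory - av_hosts.keys()),
        "stale": sorted(h for h, r in av_hosts.items()
                        if datetime.strptime(r["last_checkin"], "%Y-%m-%d") < cutoff),
        "orphaned": sorted(av_hosts.keys() - inventory),
        "disabled": sorted(h for h, r in av_hosts.items()
                           if r["av_enabled"].strip().lower() != "true"),
    }


if __name__ == "__main__":
    for finding, hosts in audit_av_coverage(AV_CONSOLE_CSV, INVENTORY_CSV, "2020-01-23").items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```

Each non-empty list is a work item: "missing" hosts need an agent installed, "stale" and "disabled" hosts need a health check, and "orphaned" entries should be confirmed retired and removed from the console.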
