Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: 100% Compliant (for 65% of the systems) - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
100% Compliant (for 65% of the systems)


At a community college where I'm helping out whenever they panic on security issues, I recently was confronted with the odd reality of a lingering malware infection on their network, even though they had deployed a custom anti-virus (AV) pattern ("extra.dat") to eradicate the problem. Of course, these days, reliance on anti-virus is somewhat moot to begin with, our recent tally of fresh samples submitted to VirusTotal had AV lagging behind about 8 days or so. If you caught a keylogger spyware, 8 days is plenty to wreak havoc. I usually compare today's AV to the coroner in CSI, he can probably tell what killed you, but won't keep you alive.

But back to the college. Turns out they verify on a weekly basis if all the PCs have a current pattern, and they also verified that all their PCs got the "extra" pattern. The only problem was, their definition of "all" relied on the AV-tool itself. Obviously, if a PC doesn't have anti-virus installed, it won't show up on the anti-virus console. Hence, if your AV claims you have 100% compliance, you might want to check an alternate repository, like for example your Active Directory, to compare numbers. When I ran this test at the college, I found that their network/AD had 51 more workstations than their AV knew about. No wonder they still had frequent hits on the IDS for the backdoor traffic.

Never rely on a single security tool to tell you that everything is fine. Throw two or more sets of data against each other, and investigate discrepancies. Like your fishing or drinking or training buddy, security tools lie. Get acquainted with the usual pattern of lies (or obfuscated truths :), and surprises and disappointments will become less frequent.

 

Daniel

367 Posts
ISC Handler
This is a classic one. We are doing the correlation between AD and AV mgmt tool ourself. There are always some difference. Some are using another AV product for testing purposes etc, some AD machines are dead,so AV mgmt says they are way behind etc. But often there are a few machines that are difficult to get it installed to.

At one point we had GPO that checked on startup, and auto-installed if not present. Maybe it should be reinstated.

But most companies has this problem. When we have SW not performing well with AV, I would rather make exceptions rather than uninstalling AV. It is now a vendor requirement here that their products will run and perform with active AV.
Povl H.

71 Posts
Very good point. I've been in the IT field for over 15 years and inventory has always been a challenge. At a large organization, getting an accurate 99%+ inventory of hardware, software, misc. nodes, and even servers can be a very difficult task.

The situation you described is why "Inventory of Authorized and Unauthorized Devices" is SANS Critical Control #1 and rated "Very High" for attack mitigation. I have a lot of philosophical conversations about why SANS has rated something mundane as inventory as the first critical control as opposed to, for example, critical control #13 - Boundary Defense or even critical control #5 - Malware Defenses. The reason inventory is #1 (and software inventory is #2) is because, as you have discovered, you can't secure what you don't know you have.
da1212

69 Posts
> I would rather make exceptions rather than uninstalling AV. It is now a vendor requirement here that their products will run and perform with active AV.

[I function here as a software vendor] Which is all well and good until we end up coming down to as what happened at one site where we couldn't get it working and believed the AV to be at fault but couldn't prove it. We didn't have a copy of that one locally. I was able to write a 12 line test case that would break on their site every time. Exceptions didn't help. AV vendor was useless to help get it sorted out.

This is the problem with AV. We have had to deal with numerous AV vendors who will not take any responsibility for the issues they cause in the name of protection and will not provide any useful tech support either. Exclusions turn off virus detection, but not misbehavior.
da1212
39 Posts
Anchorman: The Legend of Ron Burgundy --> 60% of the time, it works every time (Panther Cologne)
da1212
1 Posts

Sign Up for Free or Log In to start participating in the conversation!