100% Compliant (for 65% of the systems)
At a community college where I'm helping out whenever they panic on security issues, I recently was confronted with the odd reality of a lingering malware infection on their network, even though they had deployed a custom anti-virus (AV) pattern ("extra.dat") to eradicate the problem. Of course, these days, reliance on anti-virus is somewhat moot to begin with, our recent tally of fresh samples submitted to VirusTotal had AV lagging behind about 8 days or so. If you caught a keylogger spyware, 8 days is plenty to wreak havoc. I usually compare today's AV to the coroner in CSI, he can probably tell what killed you, but won't keep you alive.
But back to the college. Turns out they verify on a weekly basis if all the PCs have a current pattern, and they also verified that all their PCs got the "extra" pattern. The only problem was, their definition of "all" relied on the AV-tool itself. Obviously, if a PC doesn't have anti-virus installed, it won't show up on the anti-virus console. Hence, if your AV claims you have 100% compliance, you might want to check an alternate repository, like for example your Active Directory, to compare numbers. When I ran this test at the college, I found that their network/AD had 51 more workstations than their AV knew about. No wonder they still had frequent hits on the IDS for the backdoor traffic.
Never rely on a single security tool to tell you that everything is fine. Throw two or more sets of data against each other, and investigate discrepancies. Like your fishing or drinking or training buddy, security tools lie. Get acquainted with the usual pattern of lies (or obfuscated truths :), and surprises and disappointments will become less frequent.
Comments
At one point we had GPO that checked on startup, and auto-installed if not present. Maybe it should be reinstated.
But most companies has this problem. When we have SW not performing well with AV, I would rather make exceptions rather than uninstalling AV. It is now a vendor requirement here that their products will run and perform with active AV.
PHP
Jun 7th 2013
1 decade ago
The situation you described is why "Inventory of Authorized and Unauthorized Devices" is SANS Critical Control #1 and rated "Very High" for attack mitigation. I have a lot of philosophical conversations about why SANS has rated something mundane as inventory as the first critical control as opposed to, for example, critical control #13 - Boundary Defense or even critical control #5 - Malware Defenses. The reason inventory is #1 (and software inventory is #2) is because, as you have discovered, you can't secure what you don't know you have.
JacL
Jun 7th 2013
1 decade ago
[I function here as a software vendor] Which is all well and good until we end up coming down to as what happened at one site where we couldn't get it working and believed the AV to be at fault but couldn't prove it. We didn't have a copy of that one locally. I was able to write a 12 line test case that would break on their site every time. Exceptions didn't help. AV vendor was useless to help get it sorted out.
This is the problem with AV. We have had to deal with numerous AV vendors who will not take any responsibility for the issues they cause in the name of protection and will not provide any useful tech support either. Exclusions turn off virus detection, but not misbehavior.
Joshua
Jun 7th 2013
1 decade ago
Sam J
Jun 10th 2013
1 decade ago