So You Got an AV Alert. Now What?

Published: 2011-03-17. Last Updated: 2011-03-17 13:14:44 UTC
by Kevin Liston (Version: 1)
5 comment(s)

What do you do when you receive an antivirus alert on your home system?

You're checking your mail in the morning before heading to work, you click on a link sent to you by a friend and your AV throws up an alert. What do you do next?

Is it time to start from scratch and rebuild the system?

In that particular scenario, probably not. The antivirus was likely successful in thwarting the attempt to compromise your system. You can most likely get away with booting up in safe mode (we're talking about windows here not your smartphone) updating signatures and running a full scan. A quick look at autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902) or hijackthis (http://free.antivirus.com/hijackthis/) output would also be a sound step-- in fact, you should do that before you have an alert, just to get a baseline.

Then look into how you were exposed and report that appropriately.

When is the Worst Time to Get an Alert?

Having an alert pop-up in the middle of your Internet activities is one thing. Yet it's worse to receive alerts right after the signatures have been updated. Now you don't have much information on how long you've been compromised, and the odds that the chain-of-compromise (http://isc.sans.edu/diary.html?storyid=9880) was complete is much larger.

This is when it's time to have a serious discussion with yourself about rebuilding your system.

What Does that Alert Tell You Anyway?

Not all AV alerts are created equally. There are alerts that are sensitive, alerts that are specific, and alerts that are precise. Sensitive alerts are good at finding malware, viruses don't easily get by it. The problem is that sensitive alerts will also flag non-malicious files in its zeal to detect viruses, leading to False Positive errors. Specific alerts, on the other hand, are very good about being certain that a detection is actually malicious. Its caution can create scenarios where it will miss viruses, aka False Negatives. A precise rule will tell you what virus you have, not simply that you have a virus. Just remember to not confuse precision with correctness. Your alert may tell you SillyFDC instead of a generic Trojan Horse, but it could still be a false positive or simply categorize anything that creates autorun.inf on all USB devices as SillyFDC instead of differentiating SillyFDC from a Stuxnet spreader.

As you can see it's a delicate balancing act to get the sensitivity, specificity and precision right in anti-virus solutions-- or any rule/signature based system for that matter. Are you aware of any anti-virus solutions that allows the client to tune these values?

How this Gets Tricky in the Workplace

It's one thing to make a clean-versus-rebuild decision based on your first-hand knowledge about how the system was exposed (i.e. Did I see the cause that led to the detection, or did this detect an old infection?) but yet another when you're sitting at the console receiving alerts from tens-of-thousands of systems in your organization. How do you make the clean-or-rebuild decision in that situation? How do you differentiate the broken compromise-chains from detections of successful-infections?

Like most difficult questions, the answer is: it depends. It's also a question best left answered by a security professional familiar with your environment, since they will have a better handle on your firm's needs and how to find the right balance point between the need to clean versus the need to rebuild.

What Alerts Could Include to Help the Situation

 The anti-virus alert itself could include a little bit more information to help address the precision problem and equip the full-time analyst with better information to answer the clean-versus-rebuild question.

Not having a centralized collection point for quarantined files sometimes causes me headaches at the day job. Having a simple way to recover the identified file is always a plus for large organizations that can afford and justify the costs of malware analysis and reverse-engineering. There are not a lot of organizations that are in that position, so I'm not surprised when this feature isn't available. Mostly I see quarantines used to recover gracefully from False Positive events.

You can eliminate the need to deploy a technician or a remote-agent to perform a live-response on a machine if the alert delivers a little more information than just the signature name, filename, and file location that most solutions provide. Ideally the report would include:

With the MD5 and the size of the file an analyst could leverage existing malware collections like virustotal (http://www.virustotal.com/search.html) or threat expert (http://www.threatexpert.com/) to gain more insight into the malware which would improve the precision of the results. The value could also be compared to known-good lists such as Bit9 (http://fileadvisor.bit9.com/Services/search.aspx)

Fuzzy hashes could be compared to other files in the day's alerts or recent events to determine similarity to other malware events.

Using the time of the alert and the MAC times of the file, an analyst would be better equipped to determine if the compromise-chain was broken or if this detection followed soon after a signature update.

Conclusion

 Antivirus alerts can be a very useful source of intelligence for your firm.  Don't ignore them because "AV took care of the problem."

 

Keywords: antivirus
5 comment(s)

Comments

NO TIME is a good time to get an AV alert...

Malware has a way of calling in others in the family to have a party... so, 1st thing:

1. Scan the whole system.
2. 'Nice that your AV alerted you, but maybe you'd want to give a few others a chance to kill the bad boyzz.
3. Try:
- http://www.malwarebytes.org/ (Freebie)
-and-
- http://www.safer-networking.org/en/download/index.html (another freebie).

... and forever be suspicious of the system that gets whacked. No more online banking, thanks - Go visit your tellers, instead. They'll appreciate it.
.
Last truly legitimate AV detection was a three-month old infection in the browser cache. My firewall had stopped it dead in its tracks when it breached but the stage loader was still present on disk until the AV found it.

I did not find it necessary to clean my system. It hadn't ever been running with Admin rights anyway.
After the alert, if the AV has not already cleaned the system, then clean. Then I Google the threat. Is this sucker really gone? Any reports of this being a real pain to be sure its gone? Do my normal tools work on it (AV and then malwarebytes, newest definitions in safe mode). If there is any doubt, make sure the data is safely backed up and then nuke it from space. Putting on a clean image or a regular install is worth the time for the peace of mind.
Many websites have been known to serve up multiple attack vectors. Just because your AV picked one off doesn't mean there aren't others that got through undetected at the same time.
First thing to check is that it is a legitimate alert. I've had an infection that posed as an authentic virus alert but the link it presented to clean it was only leading you to more infections. Google (preferably from a different machine) the information it provides to determine if it is legit.

Diary Archives