Antivirus/antimalware tools play an important role as part of an overall security architecture. One of the many capabilities built into these products is the ability to remove malicious programs discovered on the system during a scan. After all, despite all the technology and caution, malware can find its way onto any system. What happens next?
A Host Infected in the Organization
Let’s say an administrator charged with overseeing corporate antivirus notices an alert indicating that malware was found on a workstation or server. A similar situation arises when an administrator runs an ad hoc scan and encounters a malware warning. The person examines the alert and determines that malware had already executed the on the system prior to being discovered. If the antivirus tool provides the option to automatically disinfect the system, it’s tempting to click “Remove” and move on to fighting other fires.
Antivirus vendors invest significant R&D efforts into creating robust malware removal capabilities, especially for malicious programs most commonly encountered by their users. Yet, in a corporate setting, I am concerned about organizations considering that the security incident has been fully resolved once the antivirus tool removed malware.
The Discovered Specimen Could Be Just a Start
If one malware specimen was encountered on the system, there’s a reasonable chance that there is other malware there that may be still undetected. Moreover, it is possible that an attacker already took advantage of the now-removed malicious program to further compromise the system or other IT resources in the organization. To know for sure, deeper forensic analysis of the incident may be required.
When encountering an infected host in the corporate environment, be weary of relying solely on the antivirus tool’s ability to disinfect the host. If you can, take the time to look for other indicators of compromise to assess the scope and severity of the incident. Investigate further if there are reasons to be concerned. Once you’re ready to eradicate malware, strongly consider reimaging the system or restoring it from backup, instead of automatically disinfecting it and assuming that the situation has been resolved.
Hand-picked related posts:
- When Does a Suspicious Event Qualify as a Security Incident?
- Asymmetry of People’s Time in Security Incidents
- Key Challenges of Combating Malware in the Enterprise