Detect and Investigate Malware

Detecting malware and investigating malware-infected hosts is a common task for a security operations team, and doing it well improves the organization's security posture. Traditional anti-malware products are effective at detecting known malware, but they can fail when faced with new or evolving malware variants. The workflow below therefore does not stop at the endpoint alert: it correlates the alert with proxy traffic to find where the malware came from and which other hosts fetched it.

Workflow

Review

Start with the Security Posture dashboard, which summarizes all notable event activity. In this use case, the Notable Events Over Time panel shows a spike in endpoint activity, which indicates suspicious activity on the hosts. A high number of Host With A Recurring Malware Infection notable events indicates an ongoing issue: a host that keeps being flagged has either not been cleaned or is being re-infected.

Infected Host Details

Click one of the Host With A Recurring Malware Infection events and review its details, then continue the investigation on the Asset Investigator dashboard using the destination IP address from the event.

Malware Attacks

The Malware Attacks swimlane shows a large number of Malware Attacks attributed to this host. Focus on the host whose malware signature is unknown, then pivot to the search view to get more detail about the infected host and to determine whether it downloaded suspicious content after becoming infected.

Determine the Spread of Malware

The destination IP address associated with the malware event on the host is a web proxy server, and the traffic is recognized as an executable file downloaded from a website. Run a new search to determine whether other hosts downloaded similar files from the same domain. Searching on the domain rather than on the specific file name catches other hosts even when the file names differ. When you locate another host that downloaded executable files from that domain, take action to quarantine it as well.

Initiate Remedial Activity

Quarantining the infected host limits the adverse impact of the malware. Probing deeper into the logs provided additional valuable information, such as the domain used to distribute the suspicious files, which lets you identify other potentially infected hosts. Create a report of those hosts, export it, and share it with the endpoint administrator for further investigation and malware removal.
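The pivot from the infected host to its executable downloads, the search for other hosts that pulled executables from the same domain, and the report for the endpoint administrator, expressed as a single worked example. This is added example code, not part of the original page and not Splunk's own search logic: it runs the same logic in Python over a handful of constructed proxy log lines (the key=value format, field names and IP addresses are assumptions made for the example) rather than as a search in Splunk.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed sample proxy log lines (hypothetical, made up for this example).
# Each line: timestamp, then key=value pairs for the client (src), the proxy
# (dest), the requested URL, the response content type and the proxy action.
PROXY_LOGS = """\
2024-03-01T10:02:11Z src=10.1.4.22 dest=10.0.0.5 url=http://cdn-updates.example/download/setup.exe http_content_type=application/x-msdownload action=allowed
2024-03-01T10:05:40Z src=10.1.4.22 dest=10.0.0.5 url=http://www.example.org/index.html http_content_type=text/html action=allowed
2024-03-01T10:09:03Z src=10.1.7.90 dest=10.0.0.5 url=http://cdn-updates.example/download/patch.exe http_content_type=application/octet-stream action=allowed
2024-03-01T10:11:15Z src=10.1.9.14 dest=10.0.0.5 url=http://cdn-updates.example/news.html http_content_type=text/html action=allowed
2024-03-01T10:12:50Z src=10.1.3.5 dest=10.0.0.5 url=http://mirror.example.net/tools/tool.exe http_content_type=application/x-msdownload action=allowed
2024-03-01T10:15:00Z src=10.1.8.31 dest=10.0.0.5 url=http://cdn-updates.example/download/loader.dll http_content_type=application/x-msdownload action=blocked
"""

# Content types and URL suffixes that mark a download as an executable.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".scr")


def parse_proxy_line(line):
    """Parse one key=value proxy log line; the leading token is the timestamp."""
    timestamp, _, rest = line.strip().partition(" ")
    event = {"_time": timestamp}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def load_events(raw):
    """Parse every non-empty line of a raw log blob into a list of event dicts."""
    return [parse_proxy_line(l) for l in raw.splitlines() if l.strip()]


def url_domain(event):
    """Domain part of the requested URL (empty string if unparsable)."""
    return urlparse(event.get("url", "")).hostname or ""


def is_executable_download(event):
    """True if the proxy delivered something that looks like an executable.

    A download the proxy blocked never reached the client, so it is not a
    sign of infection and is excluded here.
    """
    if event.get("action") != "allowed":
        return False
    path = urlparse(event.get("url", "")).path.lower()
    return (event.get("http_content_type") in EXECUTABLE_TYPES
            or path.endswith(EXECUTABLE_SUFFIXES))


def executable_domains_for_host(events, host):
    """Domains from which the given host downloaded executables via the proxy."""
    return {url_domain(e) for e in events
            if e.get("src") == host and is_executable_download(e)}


def find_spread(events, infected_host):
    """Map each distribution domain used by the infected host to the other
    hosts that also downloaded executables from it (sorted, deduplicated)."""
    spread = {d: set() for d in executable_domains_for_host(events, infected_host)}
    for e in events:
        if e.get("src") == infected_host or not is_executable_download(e):
            continue
        domain = url_domain(e)
        if domain in spread:
            spread[domain].add(e["src"])
    return {d: sorted(hosts) for d, hosts in spread.items()}


def build_report(events, infected_host):
    """CSV text listing every executable download by a suspect host, one row
    per download, for hand-off to the endpoint administrator."""
    spread = find_spread(events, infected_host)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["src", "domain", "url", "time"])
    for e in events:
        domain = url_domain(e)
        if domain in spread and e.get("src") in spread[domain] and is_executable_download(e):
            writer.writerow([e["src"], domain, e["url"], e["_time"]])
    return buf.getvalue()


if __name__ == "__main__":
    # 10.1.4.22 is the host flagged by the recurring-infection notable event.
    print(find_spread(load_events(PROXY_LOGS), "10.1.4.22"))
    print(build_report(load_events(PROXY_LOGS), "10.1.4.22"))
```

In the sample data only 10.1.7.90 ends up in the report: 10.1.9.14 fetched an HTML page from the same domain, 10.1.3.5 fetched an executable from a different domain, and the download by 10.1.8.31 was blocked by the proxy and never reached the host. Keying the search on the domain rather than the file name is what catches 10.1.7.90, whose file name differs from the one the infected host downloaded.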