
Enterprise Additional Scanning

  • 07-02-2018 9:22am
    #1
    Registered Users, Registered Users 2 Posts: 13,385 ✭✭✭✭


    Hi All,

    I'm wondering if anybody utilizes additional scanning appliances for local devices when they do report potential malware/virus/virus propagation.

    Currently we would take this offline and scan with its inbuilt AV, pushed by Agent. This seems to be fine; most threats are blocked in the first place & simply reported on, requiring follow-up to be cautious. However, I'm wondering if this is enough, and whether additional scanning, i.e. Malwarebytes or Trend Micro products, should be employed.

    I'm just looking to gauge how you react to local alerts from a scanning POV: do you rely solely on AV, or employ some additional solutions such as Malwarebytes Enterprise to give it a thorough scan/scrub before letting it on the network once again?


Comments

  • Joe Exotic


    Not going to be really helpful but:

    This really depends on what the scenario is. Is this a user endpoint which is reported to have low-level malware on it? Then maybe a scan to confirm deletion and a look at the services/processes would suffice; if you have a SIEM, then mark the device and monitor.

    If, on the other hand, it's the lead developer's device who has access to all Intellectual Property of the ORG, maybe it requires that second scan or even a wipe to be sure !!

    This would also depend on the malware type and the AV vendor.

    Typically for the low-level stuff I scan and monitor (also try to find how the malware got there and dish out some SEC awareness training to the user ::) )


  • Blowfish


    We'd be similar in that it does depend on the scenario.

    If it's a 'PUP' or low-level adware type stuff, then it's generally handled by first-level support, who'll double-check that it's actually been removed and fire off a second scanner or the like.

    If there's anything more sophisticated, in particular if it was spotted via methods other than your 'standard' AV, the machine is immediately isolated and replaced. The infected machine is generally then passed to me to dig in and do some analysis of what happened, why it happened and how we can prevent it from happening again.

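Both replies above land on the same first step for the low-level cases: don't take the agent's "removed" at face value, confirm it. The script below is an added example of that check and is not code from the thread or from any of the products it mentions. It hashes the files under a watched set of persistence directories before and after remediation, compares the result with the artifact list the alert named (a hypothetical, constructed alert), and reports what is still present, what was removed, and what newly appeared, which is the "did the second stage re-drop itself?" question a second scanner is usually fired off to answer. The directory layout, file contents and alert are all constructed for the demo.

```python
"""Post-remediation verification of an AV alert: confirm the named artifacts are
gone and that nothing new appeared in the watched persistence locations.

Everything here is an added example with constructed data; it is not the thread's
own procedure or any vendor's API. Adapt the `watch` list to the real autorun,
service-binary and profile directories on your endpoints.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> Optional[str]:
    """Hash one file; None if it no longer exists (i.e. remediation removed it)."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()
    except FileNotFoundError:
        return None


def snapshot(root: Path, watch: List[str]) -> Dict[str, Optional[str]]:
    """Hash every file under the watched directories (paths relative to root).

    POSIX-style relative keys are used so the same path string matches on any OS.
    """
    result: Dict[str, Optional[str]] = {}
    for rel in watch:
        base = root / rel
        if not base.exists():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def verify_cleanup(alert_artifacts: Dict[str, str],
                   before: Dict[str, Optional[str]],
                   after: Dict[str, Optional[str]]) -> dict:
    """Compare pre/post snapshots against what the alert named.

    still_present: alert artifact whose hash is unchanged (agent said removed; it wasn't)
    removed:       alert artifact that is now gone
    new:           files that appeared during remediation (re-staged dropper, second stage)
    changed:       pre-existing files whose hash changed
    The device only goes back on the network when `clean` is True.
    """
    still = [p for p, h in alert_artifacts.items() if after.get(p) == h]
    removed = [p for p in alert_artifacts if p in before and p not in after]
    new = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and before[p] != after[p])
    return {
        "clean": not still and not new and not changed,
        "still_present": still,
        "removed": removed,
        "new": new,
        "changed": changed,
    }


def demo() -> dict:
    """Constructed end-to-end run: a fake endpoint tree, a fake alert, and a
    simulated remediation that deletes one artifact but misses the second one,
    which then drops a new file into the user's roaming profile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        watch = ["ProgramData/CouponHelper", "Users/alice/AppData/Roaming"]
        files = {  # constructed contents, not real binaries
            "ProgramData/CouponHelper/helper.exe": b"MZ...constructed adware stub",
            "ProgramData/CouponHelper/updater.exe": b"MZ...constructed updater stub",
            "Users/alice/AppData/Roaming/notes.txt": b"benign user file",
        }
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        before = snapshot(root, watch)
        # Hypothetical alert: the agent reports both CouponHelper binaries, with hashes.
        alert = {p: before[p] for p in files if "CouponHelper" in p}
        # Simulated remediation outcome: helper.exe deleted, updater.exe survives and
        # writes a new DLL before it is killed.
        (root / "ProgramData/CouponHelper/helper.exe").unlink()
        (root / "Users/alice/AppData/Roaming/cpn.dll").write_bytes(b"MZ...constructed dropped dll")
        after = snapshot(root, watch)
        return verify_cleanup(alert, before, after)


if __name__ == "__main__":
    print(demo())
```

In the constructed run the verdict is not clean: `updater.exe` is still present with its original hash and a new `cpn.dll` turned up, which is exactly the case where first-level support's "double-check and second scan" should escalate rather than reconnect the machine. On a real endpoint the `before` snapshot comes from the alert time (or a golden-image baseline) and `after` from the rebooted, still-isolated box.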

  • D'Agger


    Thanks for the responses

    That's essentially what we would employ, whereby we'd investigate additional PUPs etc. with Malwarebytes, using the standalone, free version. I'm just wondering if anybody has deployed an enterprise version for increased scanning capability, both for scheduled scans & for incident response, as was the case here.

    So there doesn't seem to be anything 'wrong' with our current process of dealing with stuff outside the scope of regular AV; I'm just wondering if I should look to improve it and wanted to compare to others.

