What do you do when you receive an antivirus alert on your home system?
You're checking your mail in the morning before heading to work, you click on a link sent to you by a friend and your AV throws up an alert. What do you do next?
Is it time to start from scratch and rebuild the system?
In that particular scenario, probably not. The antivirus was most likely successful in thwarting the attempt to compromise your system. You can probably get away with booting into safe mode (we're talking about Windows here, not your smartphone), updating signatures and running a full scan. A quick look at autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902) or hijackthis (http://free.antivirus.com/hijackthis/) output would also be a sound step. In fact, you should do that before you have an alert, just to get a baseline.
Then look into how you were exposed and report that appropriately.
When is the Worst Time to Get an Alert?
Having an alert pop up in the middle of your Internet activities is one thing. It's worse to receive alerts right after the signatures have been updated. Now you don't have much information on how long you've been compromised, and the odds that the chain of compromise (http://isc.sans.edu/diary.html?storyid=9880) was completed are much higher.
This is when it's time to have a serious discussion with yourself about rebuilding your system.
What Does that Alert Tell You Anyway?
Not all AV alerts are created equal. There are alerts that are sensitive, alerts that are specific, and alerts that are precise. Sensitive alerts are good at finding malware; viruses don't easily get by them. The problem is that sensitive alerts will also flag non-malicious files in their zeal to detect viruses, leading to False Positive errors. Specific alerts, on the other hand, are very good at being certain that a detection is actually malicious. Their caution can create scenarios where they miss viruses, aka False Negatives. A precise rule will tell you what virus you have, not simply that you have a virus. Just remember not to confuse precision with correctness. Your alert may say SillyFDC instead of a generic Trojan Horse, but it could still be a false positive, or the rule may simply categorize anything that creates autorun.inf on all USB devices as SillyFDC instead of differentiating SillyFDC from a Stuxnet spreader.
As you can see, it's a delicate balancing act to get the sensitivity, specificity and precision right in anti-virus solutions, or in any rule/signature-based system for that matter. Are you aware of any anti-virus solutions that allow the client to tune these values?
How this Gets Tricky in the Workplace
It's one thing to make a clean-versus-rebuild decision based on your first-hand knowledge of how the system was exposed (i.e. did I see the cause that led to the detection, or did this detect an old infection?) but quite another when you're sitting at the console receiving alerts from tens of thousands of systems in your organization. How do you make the clean-or-rebuild decision in that situation? How do you differentiate broken compromise chains from detections of successful infections?
Like most difficult questions, the answer is: it depends. It's also a question best left answered by a security professional familiar with your environment, since they will have a better handle on your firm's needs and how to find the right balance point between the need to clean versus the need to rebuild.
What Alerts Could Include to Help the Situation
The anti-virus alert itself could include a little bit more information to help address the precision problem and equip the full-time analyst with better information to answer the clean-versus-rebuild question.
Not having a centralized collection point for quarantined files sometimes causes me headaches at the day job. Having a simple way to recover the identified file is always a plus for large organizations that can afford and justify the costs of malware analysis and reverse-engineering. There are not a lot of organizations that are in that position, so I'm not surprised when this feature isn't available. Mostly I see quarantines used to recover gracefully from False Positive events.
You can eliminate the need to deploy a technician or a remote agent to perform a live response on a machine if the alert delivers a little more information than the signature name, filename, and file location that most solutions provide. Ideally the report would include:
Size of the file in bytes
MD5 or other hash value of the file (even a fuzzy hash like ssdeep, http://ssdeep.sourceforge.net/, while we're asking for the moon)
The Modified, Accessed and Created times from the file (http://msdn.microsoft.com/en-us/library/ms724290(VS.85).aspx)
With the MD5 and the size of the file, an analyst could leverage existing malware collections like VirusTotal (http://www.virustotal.com/search.html) or ThreatExpert (http://www.threatexpert.com/) to gain more insight into the malware, which would improve the precision of the results. The value could also be compared to known-good lists such as Bit9 (http://fileadvisor.bit9.com/Services/search.aspx).
Fuzzy hashes could be compared to other files in the day's alerts or recent events to determine similarity to other malware events.
Using the time of the alert and the MAC times of the file, an analyst would be better equipped to determine whether the compromise chain was broken or whether this detection simply followed a signature update.
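Here is what the enrichment and the timing heuristic above look like when put together, as an added example (not ISC's code, and not any vendor's alert format). It assumes the analyst can reach the flagged file and knows when signatures were last pushed; the ten-minute and one-hour windows and the known-good list are constructed illustrations, and the creation time is only reported where the platform exposes one (on Linux, st_ctime is inode-change time, not creation, so it is left out rather than mislabelled).

```python
"""Enrich an AV alert with size, hashes and MAC times, then apply the
clean-versus-rebuild timing heuristic from the diary.

Added example, not ISC's or any vendor's code. Thresholds and the
known-good hash list below are constructed for illustration.
"""
import hashlib
import os
from datetime import datetime, timedelta

# Hypothetical known-good MD5s (constructed). A real list would come from a
# service such as Bit9 FileAdvisor or an internal gold image.
KNOWN_GOOD_MD5 = {
    "d41d8cd98f00b204e9800998ecf8427e",  # the empty file
}


def file_facts(path):
    """Return the fields the diary asks for: size, MD5/SHA-256, MAC times."""
    st = os.stat(path)
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    # st_birthtime exists on Windows (3.12+), macOS and BSD; elsewhere the
    # creation time is unknown and reported as None.
    born = getattr(st, "st_birthtime", None)
    return {
        "size": st.st_size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "modified": datetime.fromtimestamp(st.st_mtime),
        "accessed": datetime.fromtimestamp(st.st_atime),
        "created": datetime.fromtimestamp(born) if born is not None else None,
    }


def triage(alert_time, file_time, sig_update_time,
           fresh_window=timedelta(minutes=10),
           post_update_window=timedelta(hours=1)):
    """Classify an alert from the file's earliest known timestamp.

    file_time: creation time if known, otherwise modification time.
    Returns 'chain-broken', 'pre-existing' or 'indeterminate'.
    """
    if alert_time - file_time <= fresh_window:
        # File landed moments before detection: AV most likely caught it
        # on arrival, so the compromise chain was probably broken.
        return "chain-broken"
    if (alert_time - sig_update_time <= post_update_window
            and file_time < sig_update_time):
        # Detected right after a signature push, on a file that predates
        # the push: the malware may have been resident the whole time,
        # which is the diary's rebuild-worthy case.
        return "pre-existing"
    return "indeterminate"


def assess(path, alert_time, sig_update_time):
    """Full pass: hash lookup against known-good, then the timing heuristic."""
    facts = file_facts(path)
    if facts["md5"] in KNOWN_GOOD_MD5:
        facts["verdict"] = "likely-false-positive"
        return facts
    earliest = facts["created"] or facts["modified"]
    facts["verdict"] = triage(alert_time, earliest, sig_update_time)
    return facts


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a freshly written file detected two minutes later.
    d = tempfile.mkdtemp()
    sample = os.path.join(d, "sample.bin")
    with open(sample, "wb") as f:
        f.write(b"constructed sample")
    now = datetime.now()
    print(assess(sample, now + timedelta(minutes=2), now - timedelta(days=1)))
```

In practice the alert time comes from the AV console and the signature-update time from its deployment log; with both in hand, a "pre-existing" verdict on a file whose MD5 is unknown to the public collections is the case that justifies pulling the file from quarantine for analysis rather than simply cleaning the host.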
Antivirus alerts can be a very useful source of intelligence for your firm. Don't ignore them because AV took care of the problem.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.