Recommendations for monitoring Virus or Cryptolockers outbreaks

Sorry for the “stupid question”, but what is your strategy for monitoring virus or cryptolocker outbreaks?
What about outdated AV signatures?
The marketing documentation mentions malware monitoring but gives no further details.

I think it would be a case of building out monitoring alerts for the various AV providers based on what they log in eventvwr.

This might be something a community wiki would be helpful with; it would be hard for Simple Help to keep track of all the providers out there, but collectively I think we could do a pretty good job of putting together the triggers we need for a variety of products.

Outdated signatures are a bit tricky. I think with Windows Defender there are PowerShell cmdlets or modules that can be used to get last update info, so you could script a task to run and compare the last update to the date now and raise an alert if it’s above a threshold. But other vendors I’m not too sure…

For those who use managed AV the AV vendor’s alerting might solve the problem for you, but it lacks that single pane of glass.

Another RMM vendor has a third-party plugin with a great feature that allows you to isolate a machine if it gets a virus: you can still access it remotely and troubleshoot, but it can’t access anything else on the network or the internet. I’m guessing this can be scripted with PowerShell pretty easily, allowing the PC to only contact your Simple Help server. But I’ve never gotten around to it… one day!

Hi Anthony,
Thanks for your comments.
I will look into the isolation; it would make a lot of sense to do so without an IDS/IPS, but we still need to have reliable virus detection.
I will probably go the long route, get the event IDs from each AV vendor and act on those.
When a wiki becomes available, I will share my findings.

Thanks

I should probably do the same myself, I rely on events being piped to the PSA by the AV provider’s management console. It would make sense to do it directly via SH.

Hi all, all antivirus products on Windows report back to Windows in some way.

Simple Help does the very basics to tell if AV is installed and running. You can do the following:
Go to alerts.
New alerts
Add threshold
Select Applications
Select Antivirus status

A lot of the information you want can be pulled via PowerShell:

function Get-AntiVirusProduct {
    [CmdletBinding()]
    param (
        [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
        [Alias('name')]
        $computername = $env:computername
    )

    #$AntivirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Query $wmiQuery @psboundparameters # -ErrorVariable myError -ErrorAction 'SilentlyContinue' # did not work
    #Every AV product registered with Windows Security Center exposes an AntiVirusProduct instance here.
    $AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername

    $ret = @()
    foreach ($AntiVirusProduct in $AntiVirusProducts) {
        #Switch to determine the status of antivirus definitions and real-time protection.
        #The values in this switch-statement are retrieved from the following website: http://community.kaseya.com/resources/m/knowexch/1020.aspx
        switch ($AntiVirusProduct.productState) {
            "262144" {$defstatus = "Up to date"  ;$rtstatus = "Disabled"}
            "262160" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
            "266240" {$defstatus = "Up to date"  ;$rtstatus = "Enabled"}
            "266256" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
            "393216" {$defstatus = "Up to date"  ;$rtstatus = "Disabled"}
            "393232" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
            "393488" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
            "397312" {$defstatus = "Up to date"  ;$rtstatus = "Enabled"}
            "397328" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
            "397584" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
            default  {$defstatus = "Unknown"     ;$rtstatus = "Unknown"}
        }

        #Create a hash-table for each AV product found on the computer
        $ht = @{}
        $ht.Computername = $computername
        $ht.Name = $AntiVirusProduct.displayName
        $ht.'Product GUID' = $AntiVirusProduct.instanceGuid
        $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe
        $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe
        $ht.'Definition Status' = $defstatus
        $ht.'Real-time Protection Status' = $rtstatus

        #Turn the hash-table into an object so the output can be filtered and formatted
        $ret += New-Object -TypeName PSObject -Property $ht
    }
    Return $ret
}
Get-AntiVirusProduct

Once you have that info you can create more defined alerts to suit your needs.
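One way to turn this into a scripted alert, as an added example that is not from the thread or from Simple Help: it decodes productState as a bit field (generalizing the lookup table above to values the table does not list) and, on Windows Defender, compares AntivirusSignatureLastUpdated against a day threshold as suggested earlier in the thread. The function names are mine, Get-CimInstance stands in for Get-WmiObject, and the productState byte layout is the commonly documented one rather than an official Microsoft contract, so treat it as an assumption and check it against the vendors in your own fleet.

```powershell
# Added example (not from this thread or Simple Help). Assumes the commonly
# documented productState layout 0x00PPRRDD: PP = product type, RR = real-time
# protection (10/11 on, 00/01 off), DD = definitions (00 current, 10 out of date).
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][int]$ProductState)
    $hex = '{0:x6}' -f $ProductState                      # 266256 -> "041010"
    $rt  = if ($hex.Substring(2, 2) -in '10', '11') { 'Enabled' } else { 'Disabled' }
    $def = if ($hex.Substring(4, 2) -eq '00') { 'Up to date' } else { 'Out of date' }
    [pscustomobject]@{ ProductState = $ProductState; RealTime = $rt; Definitions = $def }
}

# Signature age check for Windows Defender. Get-MpComputerStatus only exists
# where Defender is installed; on other AV products the call throws and $null is returned.
function Test-DefenderSignatureAge {
    param([int]$MaxAgeDays = 3)
    try { $status = Get-MpComputerStatus -ErrorAction Stop } catch { return $null }
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        LastUpdated = $status.AntivirusSignatureLastUpdated
        AgeDays     = [math]::Round($age.TotalDays, 1)
        Stale       = ($age.TotalDays -gt $MaxAgeDays)
    }
}

# Walk every product registered with Security Center and count problems, so an
# RMM or Simple Help script alert can key off the non-zero exit code.
$problems = 0
$products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct
foreach ($p in $products) {
    $d = ConvertFrom-ProductState -ProductState $p.productState
    if ($d.RealTime -ne 'Enabled' -or $d.Definitions -ne 'Up to date') { $problems++ }
    [pscustomobject]@{ Name = $p.displayName; RealTime = $d.RealTime; Definitions = $d.Definitions; State = $d.ProductState }
}

$sig = Test-DefenderSignatureAge -MaxAgeDays 3
if ($sig) {
    $sig
    if ($sig.Stale) { $problems++ }
}
if ($problems -gt 0) { exit 1 } else { exit 0 }
```

Run it from the alerting tool on a schedule and trigger on exit code 1; the object output doubles as the evidence you would want attached to the alert.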


Usually any enterprise AV suite has a portal where you can set up custom alerts.
I have had great success with Bitdefender GravityZone enterprise.