Analyzing a Malware Threat

This document outlines a step-by-step process for investigating and addressing potential malware intrusion using Endpoint Central's Next-Gen Antivirus feature. Timely and precise analysis is essential to accurately determine the extent of a security breach and implement appropriate countermeasures.

Understanding the Alert

Endpoint Central's threat detection engine has flagged suspicious activity on your network. To accurately assess the situation, it's crucial to verify the nature of the intrusion before categorizing the breach.

Time of Intrusion

Utilize the Malware Protection tab for key information:

  1. Infected Devices: The number of affected devices
  2. Incident Status: Resolution stage
  3. Detected On: The timing of the intrusion
  4. Alerts: The number of alerts generated
  5. Action: Option to categorize the intrusion as True/False Positive

Incident tab

Analyzing the Received Alert

Click the incident and access the Summary section to view crucial incident details.

Incident Summary Section

For the first level of analysis:

  1. Verify the authenticity of the application signature to detect any potential tampering or unauthorized modifications.
  2. Confirm the validity of the SHA-256 value by cross-referencing it on VirusTotal to check for any indications of malicious activity.
  3. Retrieve information about the first infected device, including details and timestamp, to effectively track and analyze the incident.
  4. Leverage organizational and process details to assess the alert's credibility, distinguishing between true and false positives.
  5. Depending on the configured response, the received alert is further classified as:
    • Incident detected
    • Incident prevented
    • Incident blocked


The three classifications compare as follows (Parameter: Detected Incident / Prevented Incident / Blocked Intrusion):

Initial Status
  • Detected Incident: Incident has been detected.
  • Prevented Incident: Incident has been successfully prevented.
  • Blocked Intrusion: Attempted intrusion has been blocked.

Urgency
  • Detected Incident: Urgent attention is needed.
  • Prevented Incident: No immediate urgency, as the incident has been prevented.
  • Blocked Intrusion: Urgent attention may be needed, but the intrusion is blocked.

User Action Required
  • Detected Incident: Investigate and label the intrusion as true/false positive.
  • Prevented Incident: Further analysis can be performed to enhance security.
  • Blocked Intrusion: Immediate user action may be required, as the intrusion is blocked.

Proactive Measures
  • Detected Incident: Investigate and label the intrusion to ensure system security.
  • Prevented Incident: Enhance security measures based on additional analysis.
  • Blocked Intrusion: Prevent and block the intrusion, ensuring network stability.

Follow-up Action
  • Detected Incident: Modify configurations to enable prevention/blocking in future incidents.
  • Prevented Incident: Investigate additional details to enhance security measures.
  • Blocked Intrusion: Monitor for any potential future incidents.

File Modifications
  • Detected Incident: Restore the device to its pre-malware state if file modifications occurred.
  • Prevented Incident: None required.
  • Blocked Intrusion: Restore the device to its pre-malware state if file modifications occurred.

System Stability
  • Detected Incident: Potential impact on system integrity and security.
  • Prevented Incident: System security and stability are ensured.
  • Blocked Intrusion: System integrity and security are maintained.

For the second level of analysis:

Expand the Incident Summary in the Alerts tab. Gain granular insight by examining the source process, its child processes, and any command-line tools they invoked. Clicking a child process shows its details, including the SHA value, image path, and full command line.

Antivirus Process Tree

VirusTotal Verification

  1. True Positive:

    Validation through VirusTotal can affirm the hash as a true positive, offering conclusive evidence of malware attempting infiltration. VirusTotal conducts a comprehensive analysis using diverse antivirus scan engines to scrutinize files for potential threats. Upon verification, take proactive security measures by quarantining the infected device.

    Proceed to quarantine the infected device.

    VirusTotal AV

  2. Unclear / No Results:

    The VirusTotal lookup may sometimes return unclear or no results. In such cases, further investigation is required.

    • Remotely access or manually check the affected device.
    • Look for unusual disk activity, new accounts, signs of ransomware and file encryption.
    • If it is a true positive, proceed with an incident response plan.
    • If it is a false positive, refer to the guide on how to exclude false positives.
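As an added example, not part of the original documentation or of Endpoint Central's own tooling, the following Python carries out step 2 of the first-level analysis and the VirusTotal verification above: it hashes the suspect file, shows how a VirusTotal API v3 file report is requested, and maps the report onto the page's two outcomes (true positive, or unclear / no results). The engine-count threshold, the sample file bytes and the sample response bodies are constructed assumptions; the live lookup needs a real API key and is not exercised by the constructed inputs.

```python
import hashlib
import json
import urllib.error
import urllib.request

# Hypothetical threshold for this example; Endpoint Central does not expose one.
TRUE_POSITIVE_MIN_ENGINES = 5

# Constructed sample bytes standing in for the file named in the Incident Summary.
SAMPLE_FILE = b"constructed sample, not a real malware file"

# Constructed bodies in the shape of a VirusTotal API v3 GET /files/{hash} report.
FLAGGED_RESPONSE = json.dumps({"data": {"attributes": {"last_analysis_stats": {
    "harmless": 0, "malicious": 58, "suspicious": 2, "undetected": 10, "timeout": 0}}}})
LOW_SIGNAL_RESPONSE = json.dumps({"data": {"attributes": {"last_analysis_stats": {
    "harmless": 0, "malicious": 1, "suspicious": 0, "undetected": 69, "timeout": 0}}}})
NOT_FOUND_RESPONSE = json.dumps({"error": {"code": "NotFoundError"}})


def sha256_hex(data: bytes) -> str:
    """Compute the SHA-256 shown in the Incident Summary so it can be cross-checked."""
    return hashlib.sha256(data).hexdigest()


def fetch_report(file_hash: str, api_key: str):
    """Live lookup (not exercised here): returns (HTTP status, body) for the hash."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{file_hash}",
        headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 404 means the hash is unknown to VirusTotal
        return err.code, err.read().decode()


def triage(status_code: int, body: str) -> dict:
    """Map a report onto the page's outcomes: true positive, or unclear / no results."""
    if status_code == 404:
        return {"verdict": "unclear", "engines_flagging": 0,
                "next_step": "no VirusTotal record: inspect the device manually"}
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    flagging = stats.get("malicious", 0) + stats.get("suspicious", 0)
    if flagging >= TRUE_POSITIVE_MIN_ENGINES:
        return {"verdict": "true_positive", "engines_flagging": flagging,
                "next_step": "quarantine the infected device"}
    return {"verdict": "unclear", "engines_flagging": flagging,
            "next_step": "check the device for unusual disk activity, new accounts, encryption"}
```

Run `triage(*fetch_report(sha256_hex(file_bytes), api_key))` against a real key to use it on a live incident; a lone detection or a 404 lands in the manual-investigation branch rather than being treated as a verdict.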