
SEM Malware Detection

Hi,


I am looking for some advice regarding the malware detection capabilities of SEM. I am trying to test how well it can detect different malicious programs that may make their way onto end devices, such as Trojans, RATs or worms.


I have an environment set up locally with multiple Windows 10 end devices and a SolarWinds server running on ESXi. All end devices successfully connect to and send events to the SEM; however, when I put malicious .exe files onto a host device and run them, the SEM shows no sign of detecting them or what they are doing.

They are detected and quarantined by Windows Defender, but when that is turned off temporarily to test SEM's abilities it does not show any threat events.


From what I have seen, I believe I need to set up specific rules for it to report these events, but I am unsure how these rules should be structured or set up to detect and report or prevent these applications/programs.


Any assistance is appreciated.

  • SEM isn't malware prevention software... it's a SIEM. It's made to take and correlate all of your security event sources and make sense of all the data. If you have SEP, McAfee, or other software, SEM can monitor the status of the nodes by using its connectors to log data about all of these products. It can correlate the data from disparate sources and help make sense of it. It's not a replacement for endpoint AV or anti-malware software.

    Bill

  • I am having an issue where the local Microsoft Windows Defender is finding the virus, using the EICAR test file, and removing it.

    However, SEM is not showing any event. It is showing other events from that computer, like logon/logoff, so it is reporting.

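Before looking for the missing Defender event on the SEM side, it is worth confirming that the endpoint actually wrote one: a SIEM connector can only forward what is in the Windows event log. The script below is an added example for this thread, not SolarWinds code and not something the posters ran. It queries the Defender Operational log on the Windows 10 host for detection events (ID 1116 = malware detected, 1117 = action taken) and for the "real-time protection disabled" / "configuration changed" events (5001, 5007) that the "Defender turned off to test" step produces. It assumes it is run elevated on the host where the EICAR file was dropped, and that a 24-hour look-back window is enough; both are assumptions, not anything the thread states. How the events are then picked up and displayed by SEM is a connector/forwarding question that this thread does not answer.

```powershell
# Added example (not from the thread): check that the Windows 10 host logged the
# Defender detection that a SIEM connector would need to read.
# Assumptions: run elevated on the affected host; 24-hour window is sufficient.

$LogName = 'Microsoft-Windows-Windows Defender/Operational'
# 1116 = malware detected, 1117 = action taken (quarantine/remove),
# 5001 = real-time protection disabled, 5007 = Defender configuration changed.
$Ids   = 1116, 1117, 5001, 5007
$Since = (Get-Date).AddHours(-24)   # assumed look-back window

try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = $Ids
        StartTime = $Since
    } -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = @()
}

if (-not $events) {
    Write-Warning "No Defender detection/config events in '$LogName' since $Since."
    Write-Warning "There is nothing for a SEM connector to forward; re-run the EICAR test with Defender enabled and check again."
    return
}

# One line per event: time, ID, and the threat/path/action fields from the event XML.
# For the EICAR test, Defender names the threat Virus:DOS/EICAR_Test_File.
# 5001/5007 carry no threat fields, so those columns are empty for them.
foreach ($e in $events | Sort-Object TimeCreated) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    if ($xml.Event.EventData) {
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Threat = $data['Threat Name']
        Path   = $data['Path']
        Action = $data['Action Name']
    }
}
```

If this shows the 1116/1117 pair for the EICAR file but SEM still displays nothing, the endpoint side is working and the gap is between the event log and SEM; if it shows nothing, Defender never logged a detection and there was never anything to forward.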