I am looking for some advice regarding the malware detection capabilities of SEM. I am trying to test out how well it can detect some different malicious programs that may make their way onto end devices, such as Trojans, RATs or worms.
I have an environment set up locally with multiple Windows 10 end devices and a SolarWinds server running on ESXi. All end devices successfully connect to and send events to the SEM; however, when I put malicious .exe files onto a host device and then run them, the SEM shows no signs of detecting these or what they are doing.
They are detected and quarantined by Windows Defender, but when that is turned off temporarily to test the SEM's abilities it does not show any threat events.
From what I have seen, I believe I need to set up specific rules for it to report these events, but I am unsure how these rules should be structured or set up to detect and report or prevent these applications/programs.
Any assistance is appreciated.
SEM isn't a malware prevention software... it's a SIEM. It's made to take and correlate all of your security event sources and make sense of all the data. If you have SEP, McAfee, or other software, SEM can monitor the status of the nodes by using its connectors to log data about all of these connectors. It can correlate the data from disparate sources and help make sense of it. It's not a replacement for endpoint AV or anti-malware software.
I am having an issue where the local Microsoft Windows Defender is finding the virus (using the EICAR test file) and removing it.
However, SEM is not showing any event; it is showing other events from that computer, like logon/logoff, so it is reporting.
I found Windows Defender listed as being supported, but still nothing.
I guess I will open a ticket and see what happens.
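As an added example that is not part of this thread: a PowerShell check, run on the Windows 10 host itself, that lists Defender's own detection events (IDs 1116 and 1117 in the Defender Operational log). If the EICAR detection shows up here but not in SEM, the gap is in the agent/connector path; if it does not show up here, Defender never wrote the event and SEM has nothing to forward. The named event-data fields read below (Threat Name, Path, Action Name, Detection User) are assumed from Defender's event schema.

```powershell
# Added example (not from the thread): list Windows Defender detection events
# from the local Operational log so you can confirm the host actually logged
# the EICAR detection before troubleshooting the SEM agent/connector.
# Run in an elevated PowerShell session on the Windows 10 host.

function Get-DefenderDetectionEvents {
    param(
        # How far back to look; default is 24 hours
        [int]$HoursBack = 24
    )

    # 1116 = malware detected, 1117 = action taken (quarantine/remove).
    # These are the events a SIEM connector for Defender consumes.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Each event carries named <Data> fields in its EventData section;
        # pull them into a lookup so we do not rely on positional indexes.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Threat  = $data['Threat Name']      # e.g. Virus:DOS/EICAR_Test_File (assumed field name)
            Path    = $data['Path']             # file or process the detection relates to
            Action  = $data['Action Name']      # populated on 1117 (Quarantine, Remove, ...)
            User    = $data['Detection User']
        }
    }
}

# Usage: run shortly after dropping the EICAR file, then compare with what SEM shows.
$events = Get-DefenderDetectionEvents -HoursBack 2
if (-not $events) {
    Write-Warning 'No Defender detection events in the local log; SEM cannot report what the host never logged.'
} else {
    $events | Format-Table -AutoSize
}
```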
I'm not sure what kind of budget your company has, but if you are relying on Windows Defender for malware protection and you want to be able to monitor it, I would highly recommend Windows Defender ATP. It's not cheap, but it's an excellent option for any company that needs to meet regulated IT security requirements. ATP also allows you to forward to your syslog server, but I wouldn't recommend that unless you were hosting your SolarWinds SEM in Azure (otherwise you would be sending your syslog data over the public internet).