3 Replies Latest reply on Mar 14, 2013 11:35 AM by nicole pauls

    Virus Attacks

    zmilbach

      Was going through the rules and was wondering if anyone actually got this working and how they went about getting it to work?


      -Zach

        • Re: Virus Attacks
          nicole pauls

          Are you looking at the library rules? Which one? There are a few malware-related rules (AV Update Failure, Virus Attack - Bad State, Worm Activity).

            • Re: Virus Attacks
              zmilbach

              I'm looking under "Default Rules" --> Generic Alert Folder --> SecurityAlert folder --> Attack Behavior Folder --> Resource Attack Folder --> Service Process Attack folder. In that folder there is a list of VirusAttack rules, such as VirusAttack, VirusAttack Cleaned, Virus Summary Attack, etc.

                • Re: Virus Attacks
                  nicole pauls

                  Got it.


                  Basically, those rules just look for the presence of that type of event, then trigger (as long as you add an action). Assuming your AV is reporting events to LEM, when a virus is detected you should be able to use those rules to be informed about those events (or respond).


                  VirusAttack: used when a virus is detected on a system by AV. The "Action Taken" field tells you whether the virus was Cleaned, Quarantined, Left Alone, Deleted, or if we couldn't tell.


                  VirusSummaryAttack: some AVs generate a scan result report that tells you a summary of the scan results, including the number of viruses found. If a virus was found during a scan, this event will be triggered.


                  When using one of these rules, you'll at least have to Clone, add an Action to the rule, and then activate your changes.
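The rule behaviour described in this reply (look for the presence of the event type, apply a filter, fire the attached Action, and only once the cloned rule is activated), as an added stand-alone model in Python. This is not LEM's code or schema: the flat event dictionaries, the field names other than "Action Taken", and the info/high severity mapping are constructed assumptions; the rule evaluator also ranks a VirusAttack whose Action Taken is "Left Alone" or unknown above one that was remediated, which is the case a responder would want surfaced first.

```python
from dataclasses import dataclass
from typing import Callable

# Action Taken values named in the thread; anything else counts as "couldn't tell".
REMEDIATED = {"Cleaned", "Quarantined", "Deleted"}

# Constructed sample events in a flat key/value form (an assumption, not LEM's schema).
SAMPLE_EVENTS = [
    {"EventType": "VirusAttack", "DetectionIP": "10.0.0.5",
     "ActionTaken": "Quarantined", "Name": "EICAR-Test-File"},
    {"EventType": "VirusAttack", "DetectionIP": "10.0.0.7",
     "ActionTaken": "Left Alone", "Name": "Trojan.Generic"},
    {"EventType": "VirusSummaryAttack", "DetectionIP": "10.0.0.9", "VirusesFound": 0},
    {"EventType": "VirusSummaryAttack", "DetectionIP": "10.0.0.9", "VirusesFound": 3},
    {"EventType": "AVUpdateFailure", "DetectionIP": "10.0.0.5"},
]

@dataclass
class Rule:
    name: str
    event_type: str                    # "presence of that type of event"
    condition: Callable[[dict], bool]  # extra filter on the event's fields
    action: Callable[[dict], str]      # the Action you attach to the clone
    enabled: bool = False              # a cloned rule does nothing until activated

def severity(ev):
    """Rank a VirusAttack by Action Taken: unremediated or unknown is the risky case."""
    return "info" if ev.get("ActionTaken") in REMEDIATED else "high"

def notify(ev):
    return f"{severity(ev)}: {ev.get('Name', '?')} on {ev['DetectionIP']}"

def default_rules(enabled=True):
    return [
        Rule("VirusAttack", "VirusAttack", lambda e: True, notify, enabled),
        Rule("VirusSummaryAttack", "VirusSummaryAttack",
             lambda e: e.get("VirusesFound", 0) > 0,
             lambda e: f"scan found {e['VirusesFound']} on {e['DetectionIP']}", enabled),
    ]

def evaluate(rules, events):
    """Return (rule name, action result) for every rule that fires on each event."""
    fired = []
    for ev in events:
        for r in rules:
            if r.enabled and ev.get("EventType") == r.event_type and r.condition(ev):
                fired.append((r.name, r.action(ev)))
    return fired
```

Running `evaluate(default_rules(), SAMPLE_EVENTS)` fires three times: both VirusAttack events (the "Left Alone" one ranked high) and the summary with a non-zero count; the zero-count summary and the AV Update Failure event match no rule.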