Top 4 bad practices: Antivirus management
StreamScan regularly takes on Incident Response cases (ransomware, data exfiltration, fraud, etc.), which has given us some unique insight into antivirus management don'ts. Read on to learn our top 4 antivirus don'ts.
Don’t: Assume your antivirus knows what to do and what to block
The file extensions most used by malware are known (.exe, .dll, .ps1, etc.) and the list is growing continuously. You can configure your antivirus to block the sharing of these file types in your network, which will minimize the risk of introducing malware.
Unfortunately, we find that very often the list of blocked file extensions is not revised after the antivirus is deployed. Often, revisions are done only after a security incident. Best practice is to update this list regularly.
The alternative is to clearly identify a whitelist of allowed file extensions in your network (.doc/.docx, .xls, .ppt, etc.) and block all other extensions.
Don’t: Omit to require a password to stop the antivirus
In several incidents we have handled, the hacker took control of the computer and shut down the antivirus before running the ransomware. Ironically, in many cases the antivirus had a signature to detect the ransomware concerned. One can imagine the pleasure a hacker takes when he finds out that he can stop the antivirus on a computer!
To avoid making it easier for hackers, require a password to disable antivirus protection on each computer and server in your network. Obviously, this password must be different from the one used to administer the computers.
Don’t: Ignore security events generated by antivirus software
It’s often assumed that antivirus software detects and blocks viruses and that you don't have to monitor it on a daily basis. However, like other security tools, antivirus software generates security alerts and events every time it detects potentially malicious tools, and can sometimes block them. In many cases, antivirus detects suspicious behavior that is a sign of major malicious activity brewing against you. The sooner you know this, the better.
In one incident, a Trojan was detected and blocked by the antivirus software installed on several computers in a network. A few days later, some of these computers were infected with ransomware. During the incident response, we determined the presence of the Trojan was part of the attack and the fact that it was detected on multiple computers should have alerted the organization's IT team to take action.
We recommend you centralize your antivirus security alerts and events and monitor them regularly. Some antivirus products come with a management console that allows you to create notification rules for specific events. You can also send antivirus alerts to a security event management solution (SIEM) for centralized scanning.
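One way to catch the pattern from the incident above (the same threat detected on several computers, even though each detection was blocked) once alerts are centralized. This is an added example, not StreamScan's code; the CSV layout, host and threat names, and the thresholds (3 hosts within 24 hours) are assumptions to adapt to your console or SIEM export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp,host,threat,action (not real telemetry).
SAMPLE_EVENTS = """\
2024-03-04T09:12:00,ws-011,Trojan.Sample.A,blocked
2024-03-04T09:40:00,ws-027,Trojan.Sample.A,blocked
2024-03-04T10:05:00,srv-file01,Trojan.Sample.A,quarantined
2024-03-04T11:30:00,ws-011,Trojan.Sample.A,blocked
2024-03-05T14:00:00,ws-044,Adware.Sample.B,blocked
2024-03-12T08:00:00,ws-050,Adware.Sample.B,blocked
"""

def parse_events(text):
    """Yield (timestamp, host, threat, action) tuples from CSV text."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the review
        ts, host, threat, action = (field.strip() for field in row)
        yield datetime.fromisoformat(ts), host.lower(), threat, action

def multi_host_detections(events, min_hosts=3, window=timedelta(hours=24)):
    """Return {threat: sorted hosts} for threats seen on >= min_hosts
    distinct hosts inside any sliding window, whatever the AV action was."""
    by_threat = defaultdict(list)
    for ts, host, threat, _action in events:
        by_threat[threat].append((ts, host))
    findings = {}
    for threat, hits in by_threat.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings.setdefault(threat, set()).update(hosts)
    return {t: sorted(h) for t, h in findings.items()}

if __name__ == "__main__":
    for threat, hosts in multi_host_detections(parse_events(SAMPLE_EVENTS)).items():
        print(f"ESCALATE: {threat} detected on {len(hosts)} hosts: {', '.join(hosts)}")
```

The rule deliberately ignores the action field: a detection that was blocked on three machines is still a sign that something is spreading and should be escalated.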
Don’t: Skip weekly antivirus full scans
Very often, antivirus is deployed with default configurations and is considered to be working perfectly. This isn’t true. One of the best practices related to antivirus is to enable an automatic full scan that runs at least once a week, to make sure that no malicious tools are installed. This is necessary even if the antivirus's real-time protection is enabled. This weekly scan usually isn’t a default setting, so it’s up to you to set it up.
Make sure that before any full scan, the antivirus is updated with the latest version of the signature database available.
Is there a specific day of the week to run the weekly full scan? No. But it is good to run it at a low point in the duty cycle of the computer or server.
Need Help? StreamScan is Here.
Whether you need help conducting a security audit, developing a security plan, or implementing a Managed Detection and Response solution, StreamScan has experts with years of experience in the manufacturing sector who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.