1.      Introduction

Most of the malware uses similar methods to infect computers. Most commons are, creating service, creating schedule task, creating autorun entry to start with system startup, creating process, opening unusual/unexpected TCP ports and creating driver to hide itself. So, monitoring these entries are an important part of a security check. But monitoring is not enough task to identify anomalies. You need to compare findings with trusted entries to find potential anomalies.

Trusted lists are used for identifying potential malware activities from your environment. NetCyte NAC system is come with predefined trust generic trust lists and updated regularly. But, fine-tuning this list according to your environment is an important task to identify malware activities.  

2.      Windows Malware Analysis.

Windows  Malware  Analysis menu is used for visualising as well as updating potential malware activities in your environment. It uses Windows Service Inventory, Windows Process Inventory, Windows Autorun Inventory, Windows Scheduled Task inventory, Windows TCP Listening Port Inventory, Windows Driver Analysis Inventory and Antivirus Analysis Inventory Policy rules findings to analyse anomalies in your network. All but last one, Antivirus Analysis, use Trusted List for analysis.

In this screen shows the distribution of untrusted entries by graph for each type of Inventory Analysis. By default, because of generic trusted entries, you may see the so much entries. To fine-tune the analysis according to your environment you need to update “Trusted Lists”

a.      Modifying  Trusted Lists

If you add an entry to one of the trusted list, the system automatically updates analysis and removes from the graph.  On top of the Windows Malware Screen, you can see the additional tabs for editing trusted list

Select the list you want to edit from the tab as shown above. For example, editing the trusted list for Process select Untrusted Process Analysis.

Under the tab, you can see the untrusted Process List as well as Trusted List. Untrusted Process shows the last seen time (Date Time) of process, Process Name (Name), Process Path (Data), the hostname of the computer on which process is running.

There are two options for adding any entry to Trust List

1.       Using   icon: This option directly adds the Process name and Process path to the Trusted list as shown in the entries. System Does not ask any modification

2.       Using   icon:  This option allows you to make changes process name as well as process path before adding to Trust List as shown below

These are adding entries from adding existing information which is collected from Inventory Analysis Policies.

You can add/remove entries manually by navigating to Trusted List entries on the same screen.

You can add new entries by using the “Add Trusted Process” button. You need to provide the Process name, and Process Path. Risk Level of the trusted process is always 0.

To modify or remove existing entries from Trusted List select modify options on the right side of each entry. If you remove the entry from this list, it will be considered as potentially dangerous and reported under Untrusted entries.

Like Process List modifications,  all other options, Service, Autorun, Scheduled Tasks, TCP Listening Ports and  Windows Drivers process is the same. Go to related Untrusted/Trusted list and edit entries based on your environment requirements and create own Trust List to identify anomalies on your client or Windows devices.