It's a lamentable fact that insiders, typically employees, pose a significant risk to corporations. This risk doesn't have to come from a malicious insider;
Antivirus log files can be a treasure trove of interesting information. Beyond the typical operational facts about your antivirus software, they can:
- Associate computers with users.
- Identify computers and users with an abnormally high number of unique viruses, which can indicate high-risk computer habits.
- Identify users with high-risk malware, such as rootkits.
- Identify suspicious file names and file paths associated with malware.
These last two items can provide exceptionally useful indicators of intentional employee misconduct.
Some antivirus products, for example, have a distinct "hacking tool" category for non-viral malicious software. It covers some of the tools a wannabe hacker is likely to possess. Some of that software is dual-purpose, with both legitimate IT use and malicious use, so don't jump to conclusions based on category alone.
A rudimentary analysis of who possesses this software is nonetheless a useful starting point for an internal investigation. Comparing the list of those computers and their associated users against job-role information improves its value considerably: an IT person with a port scanner is probably normal, while a finance person with a port scanner is much harder to explain.
Because keyloggers ("hidden" monitoring software) and rootkits are typically downloaded from untrusted corners of the Internet and frequently carry malware of their own, an inexperienced user who sets out to find and install such software has a good chance of getting infected in the process. That is why the file names and the folder structure in which detections occur are good indicators of intent. If the antivirus software finds a keylogger in "c:\windows", that computer is probably a victim. If the same keylogger turns up in "My Documents\mystuff\keyloggers", the user of that computer almost certainly obtained it deliberately. Given the low likelihood that a keylogger has a legitimate business use, that is a strong indicator of a malicious insider. The same conclusion applies when the affected file is "keylogger.zip". Treat locations such as a browser cache or a mail attachment folder as ambiguous, though: a file there may have arrived without the user asking for it.
The antivirus management console may not support the kind of searching you will need, but most support some form of log export, after which anything from Excel to a log management product can be used to mine the data.
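The triage described above, applied to an exported log, as an added example (not the author's own tooling): the role check for "hacking tool" detections, the system-path versus user-folder rule for keyloggers and rootkits, and the unique-threat count per computer. The CSV export, its column names, the category labels and the role table are all constructed for the example; real consoles name these fields differently, so map them before running it against a live export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of an antivirus console export. Column names and the
# category labels are assumptions; every product names these differently.
AV_LOG = r"""
timestamp,computer,user,category,threat,path
2009-10-02 09:14,FIN-PC07,jsmith,Hacking Tool,PortScan.Generic,C:\Users\jsmith\Downloads\nmap-setup.exe
2009-10-02 11:03,IT-PC01,ops_admin,Hacking Tool,PortScan.Generic,C:\Tools\nmap\nmap.exe
2009-10-03 08:40,HR-PC12,ljones,Keylogger,Spyware.KeyLogger,C:\Documents and Settings\ljones\My Documents\mystuff\keyloggers\kl.exe
2009-10-03 08:41,HR-PC12,ljones,Keylogger,Spyware.KeyLogger,C:\Documents and Settings\ljones\My Documents\keylogger.zip
2009-10-04 14:22,MKT-PC03,bwu,Keylogger,Spyware.KeyLogger,C:\WINDOWS\system32\svchst.exe
2009-10-04 15:00,MKT-PC03,bwu,Rootkit,Rootkit.Generic,C:\WINDOWS\system32\drivers\rk.sys
2009-10-05 10:10,FIN-PC07,jsmith,Virus,W32.Example,C:\Temp\a.exe
2009-10-05 10:12,FIN-PC07,jsmith,Virus,W32.Other,C:\Temp\b.exe
2009-10-05 10:15,FIN-PC07,jsmith,Trojan,Trojan.Dropper,C:\Temp\c.exe
"""

# Constructed job-role lookup, standing in for the HR or directory data the
# tip says to compare against.
ROLES = {"jsmith": "finance", "ops_admin": "it", "ljones": "hr", "bwu": "marketing"}
TOOL_ROLES = {"it", "security"}  # roles where dual-use tools are expected

# Dropped into the OS tree: more likely an infection than a deliberate download.
SYSTEM_PATH = re.compile(r"^[a-z]:\\(windows|program files)\\", re.I)
# A user-curated folder: the user put it there.
USER_PATH = re.compile(r"\\(my documents|documents|downloads|desktop)\\", re.I)
# A self-describing file name such as "keylogger.zip".
TELLTALE = re.compile(r"key ?log", re.I)


def parse_log(text):
    return list(csv.DictReader(io.StringIO(text.strip())))


def classify(event):
    """Verdict for one detection, following the tip's role and path heuristics."""
    cat, path = event["category"], event["path"]
    role = ROLES.get(event["user"], "unknown")
    filename = path.rsplit("\\", 1)[-1]
    if cat == "Hacking Tool":
        # Same tool, different meaning depending on who holds it.
        return "expected" if role in TOOL_ROLES else "investigate"
    if cat in ("Keylogger", "Rootkit"):
        if SYSTEM_PATH.match(path):
            return "victim"
        if USER_PATH.search(path) or TELLTALE.search(filename):
            return "intentional"
        return "investigate"  # e.g. browser cache or attachment folder: ambiguous
    return "routine"


def unique_threat_counts(events):
    """Distinct threat names per (computer, user), for the 'abnormally many' check."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["computer"], e["user"])].add(e["threat"])
    return {k: len(v) for k, v in seen.items()}


def triage(text, unique_threshold=3):
    events = parse_log(text)
    findings = [(e["computer"], e["user"], e["threat"], classify(e)) for e in events]
    noisy = {k: n for k, n in unique_threat_counts(events).items() if n >= unique_threshold}
    return findings, noisy


if __name__ == "__main__":
    findings, noisy = triage(AV_LOG)
    for computer, user, threat, verdict in findings:
        if verdict not in ("routine", "expected"):
            print(f"{verdict:12} {computer:9} {user:10} {threat}")
    for (computer, user), n in noisy.items():
        print(f"high unique-threat count: {computer} {user} ({n} distinct)")
```

The verdicts are a starting point for an investigator, not a conclusion: "investigate" deliberately covers both the finance user with a port scanner and a keylogger found somewhere the path rules cannot call either way. The unique-threat threshold of three is an arbitrary assumption; set it from your own fleet's baseline.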
Although it might seem "too easy" to find a disgruntled employee by looking for a file called "keylogger" on someone's desktop, it is an effective method. I have identified several employees at one client who had done exactly that. Software that covertly spies on computer users, capturing screens and logging all e-mail, is another common type of unwanted software worth searching for.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
This was first published in November 2009