Microsoft Security Essentials
Microsoft Security Essentials - Virus detected, but unable to remove.
What does this rule mean?
Triggered when Microsoft Security Essentials detected a virus or other malware but was unable to remove it, this rule should be acted upon quickly. It indicates that malware was found but, for some reason, was not successfully removed. This could be because the malware is actively resisting removal (for example by locking or re-creating its files), or, more commonly, because the anti-malware program did not have the permissions needed to remove it, or the file was in use and removal has been deferred until the next reboot.
As a side note, we commonly see MSE trigger this rule even when it did remove the malware successfully. We recommend always double-checking manually on the host and taking any action needed.
Many attackers follow an initial compromise by installing a trojan, backdoor, rootkit or RAT on your server; this is high on an attacker's priority list. Should they be discovered and the exploited vulnerabilities patched, the installed backdoor could still allow the attacker to regain access to your server, potentially bypassing authentication and security auditing.
What triggers this rule?
One of the most common triggers for this rule is unwanted software bundled with third-party applications, ranging from third-party toolbars to malware like the infamous PCOptimiserPro Trojan. This rule can also be triggered by legitimate software, when the anti-virus engine doesn't recognise an application or the software behaves in a similar way to a virus (such as installing updates by connecting to an external IP address in an obscure way).
Additionally, malware may have reached the system from other sources, such as a malicious email or a suspicious file downloaded by a user or system administrator. After the initial malware event has been dealt with, the Threat Monitoring team is on hand to provide support when investigating the origins of the malware further.
What action do I need to take?
As a first responder, you should log into the server in question and determine whether the file flagged by the alert was actually deleted by the anti-virus software; trust the disk and the quarantine listing, not just the alert text. If it was successfully removed, we recommend manually running a full system scan to check for any remnants of the malware. Should the malware still be present on the system, remove it, either through the anti-virus program's quarantine feature or manually, and then run another full system scan to confirm the system is clean.
Multiple Microsoft Security Essentials AV warnings detected.
What does this rule mean?
Potentially indicating an outbreak, this rule is triggered when multiple anti-virus warning messages are raised in a short space of time. This could mean that multiple instances of malware have been discovered, and further action may be needed. It's common to see other rules trigger alongside this one, which may give a better understanding of the nature of the malware. Nevertheless, we always recommend manually checking your anti-virus logs and status and acting accordingly.
Many attackers follow an initial compromise with malware: installing a trojan, backdoor, rootkit or RAT on your server is high on an attacker's priority list. Should they be discovered and the exploited vulnerabilities patched, this malware could still allow the attacker to regain access to your server, potentially bypassing authentication and auditing.
Outbreaks are common with more sophisticated malware. It will often replicate itself, changing its code as it goes so that each copy carries a different signature, in an attempt to evade detection. This is called polymorphic malware, and it is considerably harder to detect and remove with signature-based scanning alone. When triaging, distinguish the same file being re-detected repeatedly (usually a clean-up that did not complete) from many distinct files or threat names (a genuine spread).
What triggers this rule?
One of the most common triggers for this rule is unwanted software bundled with third-party applications, ranging from toolbars to malware like the infamous PCOptimiserPro Trojan. This rule can also be triggered by legitimate software, when the anti-virus engine doesn't recognise an application or the software behaves in a similar way to a virus (such as installing updates by connecting to an external IP address in an obscure way).
Additionally, malware may have reached the system from other sources, such as following a successful attack, through a malicious email or a suspicious file. After the initial malware event has been dealt with, the Threat Monitoring team is on hand to provide support when investigating the origins of the malware further.
What action do I need to take?
As a first responder, you should log into the server in question and determine whether the files flagged by the alerts were actually deleted by the anti-virus software. If they were successfully removed, we recommend manually running a full system scan to check for any remnants of the malware. Should the malware still be present on the system, remove it, either through the anti-virus program's quarantine feature or manually, and then run another full system scan to confirm the system is clean. If many distinct files or threats were detected on the host in a short period, treat it as a possible outbreak and consider isolating the server from the network while you investigate.
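The first-responder procedure above (for both the "unable to remove" rule and the "multiple warnings" rule) as an added PowerShell example. This is not part of the original page or of the Threat Monitoring service; it assumes MSE logs its detections to the System event log under the provider name "Microsoft Antimalware" using the Microsoft antimalware event IDs 1116 (malware detected), 1117 (action taken), 1118 (action failed) and 1119 (critical action failure), that MpCmdRun.exe sits at its default install path, and that an outbreak threshold of five distinct files in 24 hours suits your estate. Run it from an elevated PowerShell prompt on the affected server.

```powershell
# Added example, not code from the original page: triage a Microsoft Security
# Essentials alert on the affected host, then re-scan.
# Assumptions (adjust if your install differs): MSE writes to the System log as
# provider "Microsoft Antimalware"; event IDs 1116/1117/1118/1119 mean
# detected / action taken / action failed / critical failure; MpCmdRun.exe is at
# the default path below.

$MpCmdRun = 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe'
$Since    = (Get-Date).AddHours(-24)

# 1. Pull the recent detection and remediation events and parse the fields we need.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft Antimalware'
    Id           = 1116, 1117, 1118, 1119
    StartTime    = $Since
} -ErrorAction SilentlyContinue

$detections = foreach ($e in $events) {
    # The event text carries "Name: ...", "Path: ..." and "Action: ..." lines.
    $name   = [regex]::Match($e.Message, 'Name:\s*(.+)').Groups[1].Value.Trim()
    $path   = [regex]::Match($e.Message, 'Path:\s*(.+)').Groups[1].Value.Trim()
    $action = [regex]::Match($e.Message, 'Action:\s*(.+)').Groups[1].Value.Trim()
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Threat = $name
        Path   = $path
        Action = $action
        Failed = ($e.Id -in 1118, 1119)
    }
}

if (-not $detections) {
    Write-Host "No Microsoft Antimalware detection events since $Since."
}

# 2. Was the file actually removed? The rule fires on a logged failure, but MSE
#    sometimes logs a failure and removes the file anyway, so check the disk.
foreach ($d in $detections | Where-Object Failed) {
    # Path values look like "file:_C:\Users\x\evil.exe"; several may be ';'-separated.
    $files = $d.Path -split ';' | ForEach-Object { ($_ -replace '^file:_', '').Trim() }
    foreach ($f in $files) {
        $present = Test-Path -LiteralPath $f
        Write-Host ("{0}  {1}  {2}  stillOnDisk={3}" -f $d.Time, $d.Threat, $f, $present)
    }
}

# 3. Outbreak check for the "multiple warnings" rule: many distinct files or
#    threat names in the window points at spreading malware, whereas the same
#    file re-detected over and over usually means the first clean-up never
#    completed (for example a reboot is still pending).
$detected = $detections | Where-Object Id -eq 1116
$detected | Group-Object Threat | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
$distinctFiles = ($detected | Select-Object -ExpandProperty Path -Unique).Count
if ($distinctFiles -ge 5) {   # threshold is an assumption; tune it for your estate
    Write-Warning "$distinctFiles distinct files detected in 24h: treat as an outbreak and consider isolating the host."
}

# 4. List what is sitting in quarantine, then run a full scan to catch remnants.
#    Re-run the full scan after any manual clean-up; a second clean pass is the
#    evidence to record in the incident.
& $MpCmdRun -Restore -ListAll
& $MpCmdRun -Scan -ScanType 2
```

The script reads the host's own event log rather than the alert text because the alert only tells you what MSE reported, and step 2 is what settles whether the file is still there. If the MSE install path or event source differs on your build, change the two assumed values at the top before running it.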