By Michael Aguilar, Business Product Technical Lead, ESET North America
In my role as a malware removal engineer at ESET, I've seen a plethora of issues plaguing computers. The most pressing problems I see are easily corrected simply by modifying a few less-than-ideal configuration choices. If you use ESET, please consider the following recommendations to protect yourself against the most pertinent threats, such as CryptoLocker and other unknown objects that can wreak havoc on your infrastructure and sanity when trying to remove them.
1. ESET LiveGrid
ESET LiveGrid® is our cloud protection module. It provides preventive protection against unknown threats; more can be read about the system in this KB article. Most likely, your LiveGrid® is on by default, and it should stay that way. The most common problem arises when someone sees the words “File Submission” and decides to turn off the whole module because he or she does not want data to leave the network. It is certainly true that data needs to be protected. That's why ESET designed the system in a way that allows users to turn off just the file submission module while leaving the protection module in place. If you need to verify that LiveGrid® is indeed working, use the CloudCar test referenced in the KB article above. Having LiveGrid on will reduce the number of unknown and difficult-to-detect objects, especially in relation to Filecoder (CryptoLocker) malware types.
HIPS, the Host Intrusion Prevention System that ESET carries, is another module that you should keep on in the ESET endpoint product line. It monitors file system activity for suspicious behaviors and stops those it locates. It uses either a rule set that is included at the time of install or one that can be created by the end user specifically to allow or deny certain items based on user environment. This module even carries a “learning” mode to help you tune it to your environment by letting it learn normal system behavior based on the time that you allow the learning mode to run.
Sometimes, users turn HIPS off because they find that it is blocking a piece of software that may be used in the infrastructure. While such blocks can certainly be annoying to deal with and may lead you to consider disabling HIPS, I strongly encourage you to resist this urge — if you leave the module turned on, you'll find that it delivers many more benefits than headaches.
3. Detection of Potentially Unwanted and Potentially Unsafe Applications
Detection of "malicious" software is a key feature of any antivirus software — but what about those annoying bits of software that zap time from your day as you remove them? I’m talking about the sort of software that redirects search results, adds advertisements to normal web pages, or causes your machine to talk or make sounds in the background. These programs are defined as “potentially unwanted applications.” They can include toolbars, add-ons, and other items that some people may use but that most tend to steer clear of due to the odd behavior/browser hijacks/re-directs that are so commonly encountered once the software is installed.
As you plan your antivirus deployment, do check your installed software to ensure that having the "Detection of Potentially Unwanted Applications" setting enabled will not cause headaches for your user base (for example, if they all use a smiley signature add-on that redirects search results to a lesser known search engine). Enabling this detection setting should save you time, as it will prevent you having to remove unwanted programs manually or to spend time trying to deduce why users’ search results and typed URLs are not actually connecting them to the desired or indicated destinations.
Another aspect of this recommendation is the detection of “Potentially Unsafe Applications.” "Potentially unsafe" items differ from “potentially unwanted" applications in that they are programs with potentially legitimate uses, such as password-cracking - and key-logging software. Depending on your situation, you may enable the "Potentially Unsafe Applications" detection setting by default, without any modifications, or you may tune the setting to ensure that this utility runs in a manner that's optimal for your organization.
4. Advanced Heuristics/DNA/Smart Signatures
With attack vectors constantly changing, antivirus software has to be agile enough to detect heavily obfuscated code in order to protect the system on which it’s installed. Though the code may be hidden, the underlying payloads have similar characteristics that become apparent once the code is de-obfuscated in operating memory or brought over to a machine. This is where having Advanced Heuristics and DNA Signatures enabled will help the most.
This utility does not look for the object itself, but rather for suspicious symptoms and behaviors, such as the accessing or modification of protected operating system files. Note that this setting is not enabled by default, and that this module may use more resources than a standard installation of ESET would. But I advise turning it on, as I haven't run into any issues stemming from enabling this setting, and I'd rather play it safe when it comes to avoiding infections!
5. Network Drive Scanning
While your endpoints and servers might have ESET installed on them, ensuring that the communications between clients and servers is secure is also critically important. On many sites from which I’ve removed malware, I've found that network drive scanning is disabled.
I understand that with antivirus software installed at both the endpoint and on the server, drive scanning may seem redundant on first glance. But the truth is that it does more than take a second look at files on a server from the endpoint. It can also help to block the sort of client-to-server communications (such as those associated with Filecoder-based infections) that occur on the endpoint and encrypt the files on the server due to the drive being mapped on the endpoint level. Having network drive scanning enabled should result in a reduction of Filecoder viruses encrypting network shares.
As viruses evolve and find new ways to poke holes in security, we must stay vigilant and adapt to the ever-changing threat topography. While I’ve listed only five suggestions here, they can add an immense amount of protection for relatively little cost in effort or system resources.
Check out our webinar on 5 ways to do more with ESET Remote Administrator.
Michael Aguilar is a business product technical lead at ESET North America. He is studying for the CISSP exam and has a Security+ certification as well as a Usable Security certification from the University of Maryland Cybersecurity Center via Coursera.org. He is currently responsible for working with large-scale clients for ESET North America and works with ESET developers, QA, and support engineers to resolve issues with clients in a quick and effective manner. Michael is active on Spiceworks and various security forums looking at new threat vectors and the best controls to mitigate those risks.