I need a solution
I would like to understand best practice for addressing malware in file sync directories (c:\windows\CSC\*). That's the reason for at least one of the top offenders being listed: malware is getting discovered and deleted, but then synced back again. While, yes, the files are being deleted, it's just unnecessary event noise and it skews the stats.
Here are some examples that we are seeing in Splunk:
| RiskIncident | sepm_type | process | hash_last8 | actual_action | status | Latest | count |
|---|---|---|---|---|---|---|---|
| DFWLW766TGRY1 (jgilberti) | Trojan.Gen.2 | Client | C:\Windows\CSC\v2.0.6\namespace\FADA1SFS07\Users$\jgilberti\Projects\FileZilla.exe | 421A2CA3 | Deleted | blocked | 05/13/16 06:50:18 | 1 |
| wi1lt-jmal (jmalinosky) | PUA.InstallCore | Client | C:\Windows\CSC\v2.0.6\namespace\wix1data01.mscorp.com\vol_users$\ISC\jmalinosky\Documents\pdfmerge_setup1(1).exe | CF16DF91 | Deleted | blocked | 05/12/16 23:48:18 | 1 |
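One way to take the noise out of these stats, as an added example that is not part of the original post or of any Splunk or Symantec tooling: map each Offline Files cache path back to the share it was synced from and collapse repeat detections of the same hash at the same origin into one incident. The script assumes the standard CSC layout `C:\Windows\CSC\v<ver>\namespace\<server>\<share>\<path>` corresponds to `\\server\share\path`; the event rows are constructed to match the table above (plus one repeat detection) and are not real log data.

```python
import re
from datetime import datetime

# Offline Files (CSC) cache layout: <drive>:\Windows\CSC\v2.0.6\namespace\<server>\<share>\<path>.
# Assumption: the server and share segments map straight back to the UNC origin \\server\share\path.
CSC_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\CSC\\v[\d.]+\\namespace\\([^\\]+)\\([^\\]+)\\(.+)$",
    re.IGNORECASE,
)

# Constructed sample rows modelled on the SEPM table in the post, plus one repeat
# detection of the FileZilla.exe hit to show what a file that syncs back looks like.
SAMPLE_EVENTS = [
    {"host": "DFWLW766TGRY1", "user": "jgilberti", "sepm_type": "Trojan.Gen.2",
     "process": r"C:\Windows\CSC\v2.0.6\namespace\FADA1SFS07\Users$\jgilberti\Projects\FileZilla.exe",
     "hash_last8": "421A2CA3", "actual_action": "Deleted", "ts": "05/13/16 06:50:18"},
    {"host": "wi1lt-jmal", "user": "jmalinosky", "sepm_type": "PUA.InstallCore",
     "process": r"C:\Windows\CSC\v2.0.6\namespace\wix1data01.mscorp.com\vol_users$\ISC\jmalinosky\Documents\pdfmerge_setup1(1).exe",
     "hash_last8": "CF16DF91", "actual_action": "Deleted", "ts": "05/12/16 23:48:18"},
    {"host": "DFWLW766TGRY1", "user": "jgilberti", "sepm_type": "Trojan.Gen.2",
     "process": r"C:\Windows\CSC\v2.0.6\namespace\FADA1SFS07\Users$\jgilberti\Projects\FileZilla.exe",
     "hash_last8": "421A2CA3", "actual_action": "Deleted", "ts": "05/14/16 07:02:41"},
]


def csc_to_unc(path):
    """Return the UNC origin of a CSC cache path, or None if the path is not in the cache."""
    m = CSC_RE.match(path)
    if not m:
        return None
    server, share, rest = m.groups()
    return "\\\\%s\\%s\\%s" % (server, share, rest)


def parse_ts(ts):
    # SEPM "Latest" column format as shown in the post: MM/DD/YY HH:MM:SS
    return datetime.strptime(ts, "%m/%d/%y %H:%M:%S")


def collapse_csc_events(events):
    """Group detections by (hash, origin file) so delete-then-resync repeats count as
    one incident. Returns a dict keyed by (hash_last8, lower-cased origin path)."""
    groups = {}
    for ev in events:
        origin = csc_to_unc(ev["process"])
        if origin is None:
            continue  # not an Offline Files copy; leave it to normal handling
        key = (ev["hash_last8"].upper(), origin.lower())
        g = groups.setdefault(key, {
            "origin": origin, "signature": ev["sepm_type"], "hosts": set(),
            "count": 0, "first_seen": None, "last_seen": None,
        })
        t = parse_ts(ev["ts"])
        g["count"] += 1
        g["hosts"].add(ev["host"])
        if g["first_seen"] is None or t < g["first_seen"]:
            g["first_seen"] = t
        if g["last_seen"] is None or t > g["last_seen"]:
            g["last_seen"] = t
    return groups


def resync_candidates(groups):
    """Origin files hit more than once: the copy on the share is still there and needs
    cleaning at the source, not just in each client's cache."""
    return sorted(g["origin"] for g in groups.values() if g["count"] > 1)


if __name__ == "__main__":
    groups = collapse_csc_events(SAMPLE_EVENTS)
    for (h, _), g in groups.items():
        print("%s %-16s x%d %s (%s .. %s)" % (
            h, g["signature"], g["count"], g["origin"], g["first_seen"], g["last_seen"]))
    print("clean at source:", resync_candidates(groups))
```

The (hash, origin) key is the thing to suppress or count once on the Splunk side; the origin path is also the pointer to what actually needs cleaning, since deleting the cached copy alone is what produces the repeat events.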