It's a lamentable fact that insiders, typically employees, pose a significant risk to corporations. This risk doesn't have to come from a malicious insider; it can be unintentional. A few examples of malicious insider threats are the theft of trade secrets, such as those experienced by Ford and DuPont, and the sabotage of IT systems, such as those experienced by UBS and by the city of San Francisco. Protecting against and detecting these threats requires a variety of procedural and technical efforts. Monitoring antivirus log files is one low-effort approach midmarket companies can use to identify people doing bad things.
Antivirus log files can be a treasure trove of interesting information. Beyond the typical operational facts about your antivirus software, they can:
- Associate computers to users.
- Identify computers and users who have an abnormally high number of unique viruses, which could indicate high-risk computer habits.
- Identify users with high risk malware, such as rootkits.
- Identify suspicious file names and file paths associated with malware.
These last two items can provide exceptionally useful indicators of intentional employee misconduct.
Some antivirus products, for example, have a distinct "hacking tool" category for non-viral malicious software. These items include some of the tools that a wanna-be hacker is likely to possess. Some of that software is dual-purpose, with legitimate IT use and malicious use, so don't jump to conclusions based on category alone.
However, a rudimentary analysis of who possesses this software can be a useful starting point for internal investigations. A comparison of the list of these computers and associated users with job task information can improve their value significantly. An IT person with a port scanner may be perfectly normal, while a finance person with a port scanner is much less likely to be benign.
Because software such as keyloggers ("hidden" monitoring software) and rootkits is typically downloaded from random Internet sources and is itself likely to contain malware, an inexperienced user who sets out to find and install it will very probably get infected. For that reason, the names of the detected files and the folder structure they are found in are good indicators of intentional malicious behavior. If the antivirus software identifies a keylogger in "c:\windows", that computer is probably a victim. If, on the other hand, that same keylogger is found in "My Documents\mystuff\keyloggers", then you know the user of that computer intentionally obtained keylogger software. Given the low likelihood that a keylogger has a legitimate business use, that is a strong indicator of a malicious insider. The same conclusion applies if the affected file is "keylogger.zip".
The antivirus management software may not support the level of searching that you'll need, but most support some level of log export, allowing you to then use anything from Excel to a log management product to mine your antivirus logs.
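The three checks described above (a "hacking tool" detection compared against the user's job role, a file path or name that signals the user went looking for the malware, and an abnormally high count of unique threats per user) can be run over an exported antivirus log with a short script. The following is an added example, not code from the original tip or from any antivirus vendor; the CSV layout, the department lookup, the threshold and the path patterns are all assumptions, and the log lines are constructed sample data.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of an antivirus log export (assumed column layout, not real data).
SAMPLE_EXPORT = r"""timestamp,computer,user,category,threat,path
2009-03-02 09:14:00,WS-0412,jdoe,Hacking Tool,PortScanner.Generic,C:\Users\jdoe\Downloads\nmap-4.76\nmap.exe
2009-03-02 09:20:00,WS-0412,jdoe,Spyware,Keylogger.Generic,C:\Users\jdoe\My Documents\mystuff\keyloggers\kl.exe
2009-03-02 10:02:00,WS-0110,asmith,Trojan,Trojan.Dropper,C:\Windows\Temp\svch0st.exe
2009-03-02 10:05:00,WS-0110,asmith,Spyware,Keylogger.Generic,C:\Windows\System32\drivers\xkl.sys
2009-03-02 10:40:00,WS-0110,asmith,Adware,Adware.Toolbar,C:\Program Files\Toolbar\tb.dll
2009-03-02 11:30:00,WS-0207,itadmin,Hacking Tool,PortScanner.Generic,C:\Tools\nmap\nmap.exe
2009-03-03 08:11:00,WS-0412,jdoe,Archive,Keylogger.Generic,C:\Users\jdoe\Desktop\keylogger.zip
"""

# Constructed HR lookup (user -> department); in practice this comes from AD or HR data.
DEPARTMENTS = {"jdoe": "Finance", "asmith": "Marketing", "itadmin": "IT"}

# Folder or file names that say the user deliberately went looking for the software.
INTENT_WORDS_RE = re.compile(r"keylog|rootkit|hacktool|crack", re.I)
# Locations a user fills deliberately (profile folders) versus locations malware
# drops itself into on an infected ("victim") machine.
USER_DIR_RE = re.compile(r"my documents|desktop|downloads|\\users\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files|programdata)(\\|$)", re.I)


def classify_path(path):
    """Return 'intent', 'victim' or 'unknown' from where and under what name a detection lives."""
    if INTENT_WORDS_RE.search(path):          # "keylogger.zip", "...\keyloggers\kl.exe"
        return "intent"
    if USER_DIR_RE.search(path):              # user-controlled folder
        return "intent"
    if SYSTEM_DIR_RE.search(path):            # system folder: typical drop location
        return "victim"
    return "unknown"


def analyse_export(export_text, departments, unique_threat_threshold=3):
    """Run the three checks over a CSV export and return a list of findings to review."""
    findings = []
    threats_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        user, path = row["user"], row["path"]
        threats_by_user[user].add(row["threat"])
        dept = departments.get(user, "unknown")

        # Check 1: malware in a place or under a name only a deliberate download explains.
        if classify_path(path) == "intent":
            findings.append({"user": user, "computer": row["computer"],
                             "reason": "malware in user-controlled location or intent-named file",
                             "path": path})

        # Check 2: "hacking tool" category compared with job role (assumed: only IT is expected to have them).
        if row["category"].lower() == "hacking tool" and dept != "IT":
            findings.append({"user": user, "computer": row["computer"],
                             "reason": f"hacking tool on non-IT ({dept}) computer",
                             "path": path})

    # Check 3: abnormally many distinct threats per user suggests high-risk computer habits.
    for user, threats in threats_by_user.items():
        if len(threats) >= unique_threat_threshold:
            findings.append({"user": user, "computer": None,
                             "reason": f"{len(threats)} unique threats (high-risk habits)",
                             "path": None})
    return findings


if __name__ == "__main__":
    for f in analyse_export(SAMPLE_EXPORT, DEPARTMENTS):
        print(f"{f['user']:8} {f['computer'] or '-':8} {f['reason']}  {f['path'] or ''}")
```

On the constructed data the script flags jdoe four times (a port scanner and a keylogger in profile folders, a port scanner on a finance computer, and keylogger.zip on the desktop) and asmith once for three distinct threats, while the keylogger found under System32 on asmith's machine is classified as a victim rather than an intent case. The IT administrator's port scanner in C:\Tools produces nothing, which is the role comparison doing its job. Treat every finding as a starting point for an investigation, not a conclusion: the path heuristics are deliberately simple and should be tuned to the folder conventions of your own environment.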
Although it might seem "too easy" to find a disgruntled employee by looking for a file called "keylogger" on someone's desktop, it actually is an effective method. I have identified several employees at one client who had done exactly that. Software to covertly spy on computer users, creating screen captures and logging all emails, is another common type of unwanted software.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.