3 Replies Latest reply on Sep 6, 2010 8:18 PM by obelicks

    NSP Virus Coverage


      I think NSP is not intended for virus detection, but in my field experience with version 5.1 I have many times seen virus detection events in the Threat Analyzer. Now, with the integration of Artemis, it is supposed to detect malware over HTTP traffic.


      The question is: what virus/malware library can NSP detect with and without Artemis?

        • 1. Re: NSP Virus Coverage

          Good day -


          The Network Security Platform still does not act like, nor detect virus activity like, an AV product does.

          What the sensor will detect are activities (use of certain or combined exploit attempts, scans, communications, etc.) that are indicative of malicious activity.  There are some very well-known and/or unique combinations that have been 'labelled' as a particular type of virus in the names of the alerts, but even these are simply saying that "this activity seen is highly indicative of 'Code Red' or 'Nimda'", etc.  While there are some that can be strictly tied to a particular virus, worm, or trojan, primarily the Sensor is detecting the ACTIVITY of those rather than the malicious executable itself.


          This is valuable and USABLE information in stopping the initial infection and in halting the spread of the virus, since we stop its activities on the network.  But in most cases we are detecting and stopping the activity rather than the infection itself.


          As for Malware (Artemis): it works by comparing attachments in the traffic, and whenever it sees a file being downloaded it takes a hash of the file and compares it to a library of previously known/suspect malicious files that have been recorded into the Artemis cloud.  If the file matches a hash for another file in the Artemis cloud it will simply drop the attachments.  Artemis is large and has so many feeds that once a file anywhere has been identified as malicious and has been added to the Artemis "DB", it will then respond with that information to any other client sending that hash.  This is a constantly live update and there is no "list" - and it would consist of millions of hashes if there were.


          If you wish to find a list of the signatures that deal with Virus, Trojan, BOT, Exploit, and Backdoor activity, then open up the All-Inclusive with Audit policy and go to advanced search.  Search for those exact terms and you will find a little over 300 related signatures.

          • 2. Re: NSP Virus Coverage

            I think the most related are the signatures that start with WORM:


            The others are signatures to detect network payload vulnerabilities that can potentially be caused by a virus, worm, etc.

            • 3. Re: NSP Virus Coverage

              I agree with that.  I left out the search term of "Worm" which is what takes the count to a bit over 300.