If there is anything to be learned from the continued security breaches and cyber attacks that we’ve witnessed this year, it is that companies must have a good incident response plan in place and be prepared to deal with advanced threats and malware.
During a network security assessment, you may discover malware or other suspect code. You should have an incident response plan that addresses how you will handle these situations. If you’re only using one antivirus product, such as McAfee, to scan for malware, you may be missing a lot.
One quick way to get a better idea of what you’re dealing with is to use several public antivirus scanners. Public antivirus scanners allow you to submit the suspected malware to many different antivirus services. One such service is offered by VirusTotal.com. The VirusTotal website lets you upload files in clear text or over SSL, or you can upload files via Windows Explorer. Submitted files are scanned by 40 different antivirus products. If you’re looking for a second opinion, you can also submit the potentially malicious code or application to Jotti.org; their service scans against 20 antivirus programs.
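A practical way to do the multi-engine check is to look the file up by hash before uploading anything: if the scanner has already seen the sample you get the verdict without disclosing a file that may contain sensitive data, and only unknown files need to be submitted. The script below is an added example, not code from the original post or from VirusTotal. It assumes the VirusTotal v3 file-report endpoint (GET /api/v3/files/<sha256>, authenticated with an x-apikey header) and an API key in the VT_API_KEY environment variable; the report it summarizes is a constructed sample shaped like a v3 file object.

```python
"""Hash-first triage of a suspect file against a multi-engine scanner.

Added example (not code from the original post or from VirusTotal).
Assumptions: the VirusTotal v3 endpoint GET /api/v3/files/<sha256>
authenticated with an 'x-apikey' header, and an API key in VT_API_KEY.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

# Assumption: VirusTotal v3 file-report endpoint.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def hashes_of_bytes(data):
    """MD5, SHA-1 and SHA-256 of an in-memory blob (small files, tests)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_hashes(path):
    """Same digests for a file on disk, streamed so large samples stay out of memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def summarize_report(report):
    """Condense a v3 file report into engine counts plus the engines that flagged it.

    Reads data.attributes.last_analysis_stats and last_analysis_results,
    the fields a v3 file object carries. Missing fields count as zero.
    """
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        (engine, entry.get("result") or "")
        for engine, entry in results.items()
        if entry.get("category") in ("malicious", "suspicious")
    )
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return {
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "engines": engines,
        "flagged": flagged,
    }


def lookup_by_hash(sha256, api_key):
    """Fetch the existing report for a hash; None means the scanner has never seen it."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


# Constructed sample shaped like a v3 file object; not a real scanner response.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 38, "harmless": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "malicious", "result": "W32/Agent"},
                "EngineC": {"category": "undetected", "result": None},
            },
        }
    }
}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: vt_triage.py <suspect-file>")
    digests = file_hashes(sys.argv[1])
    print("sha256:", digests["sha256"])
    api_key = os.environ.get("VT_API_KEY")
    if not api_key:
        sys.exit("set VT_API_KEY to query the scanner; hashes printed above")
    report = lookup_by_hash(digests["sha256"], api_key)
    if report is None:
        print("hash unknown to the scanner; decide whether uploading the file is acceptable")
    else:
        summary = summarize_report(report)
        print(f"{summary['malicious']}/{summary['engines']} engines flag this file")
        for engine, label in summary["flagged"]:
            print(f"  {engine}: {label}")
```

Run it as `python vt_triage.py suspect.exe`. Without an API key it still prints the digests, which you can paste into any public scanner's search box; with a key it reports how many of the engines flagged the file and under which names, so two engines out of forty agreeing on a trojan label reads very differently from a single heuristic hit.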
If you decide to execute the program in a safe environment, your best option is a sandbox. A sandbox is a stand-alone environment that allows you to safely view or execute the program while keeping it contained. A good example of one such sandbox service is ThreatExpert.
ThreatExpert executes files in a virtual environment much like VMware and Virtual PC. This great tool tracks changes made to the file system, registry, memory, and network. ThreatExpert even uses API hooks that intercept the malware’s interactions in real-time.
While many corporations are worried about the flawed McAfee update killing Windows XP computers worldwide, I would suggest that anyone interested in cyber security start looking more closely at the suspect programs they find running on their computer systems. Analyze these files by submitting them to more than one virus scanner, and learn more about them by using a sandbox. Don’t execute the program on an unprotected system!