Another day, another exploit stopped

Yet again, multiple defenses were necessary to stop a modern threat.  A customer of ours triggered two alerts; one from the anti-virus software in use and another from the firewall.  At first blush it appeared both were detecting the same thing but investigation revealed otherwise.

The antivirus software detected a virus threat in a word document the end user received in email.  Keep in mind, email is sent through 3 AV filters and the SPAM filter before the user is allowed to access the message, none of them detected anything malicious.  Neither did the in-built filtering in the mail platform. Only when the user attempted to open the file was anything malicious detected.

The user thought they were opening another in a string of resume's for an open position.  When they opened the document, it suddenly closed and prompted to notify them of the action of the Antivirus software.  The antivirus software closed the executable (winword.exe) and deleted the malicious file. The user contacted IT and the machine was removed from service for investigation.

On review of the firewall logs we saw a different malware detected, but the detection was on an inbound download stream which was blocked, the IP noted indicated it was the machine reporting virus activity, so how did the virus infected file land on the users PC to be detected if it was blocked?

Simple: the anti-virus detected item (that resume doc) was first detected before the virus alert from the firewall.  The file was opened, the macro embedded in the file was executed.  The AV software saw malicious behavior and dumped the file, but not before the PC had processed and sent the request for the malicious payload.  The payload attempting to download was the file blocked and alerted by the firewall. Without AV, the source of the attempted download might be unknown.  Without good edge filtering, the payload WOULD have made it to the computer regardless the actions of the AV software. 

SecurityTrenchesRay Wilkerson