Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of PCI.

Malware Signature Updates

This report uses the information from the antimalware solution to display a list of the systems within the PCI environment that are updating their signatures appropriately. Use this report to identify systems that have not updated their malware signatures as required.

The best antimalware software has limited effectiveness if it does not have current signatures or if it is not active in the network or on an individual's computer. The PCI standard requires that the antimalware tools are current, which includes the signatures used to detect localized threats.

Relevant data sources

Relevant data sources for this report include endpoint signature version information (antivirus, HIPS, endpoint protection, and so on). This report looks at malware signature update data produced by firewalls, routers, switches, and any other device configured to produce malware data.

How to configure this report

1. Index endpoint product version data from antivirus software.

Note: Not all antivirus (AV) solutions provide this information in the log data.

2. Map the data to the following Common Information Model fields:

   signature_version, dest, vendor_product

3. Tag the malware signature data with endpoint, application, signature, and update.
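The three configuration steps above, worked through for a hypothetical antivirus sourcetype. This is an added example, not configuration shipped with the Splunk App for PCI Compliance: the sourcetype name acme:av, the log format, the field names defs and computer, and the product name "Acme AV" are all assumptions made up for illustration.

```conf
# Added example (not part of the app). Assumes a constructed sourcetype "acme:av"
# whose events look like:
#   2014-03-01T10:00:05 computer="ws-042" product="Acme AV" defs=20140301.003 msg="Definitions updated"

# --- props.conf ---
[acme:av]
# Step 2: extract the definition version into the CIM field signature_version
EXTRACT-acme_av_defs = defs=(?<signature_version>[\d.]+)
# Step 2: CIM expects the protected system in "dest"; the vendor logs it as "computer"
FIELDALIAS-acme_av_dest = computer AS dest
# Step 2: every event from this source comes from the same product
EVAL-vendor_product = "Acme AV"

# --- eventtypes.conf ---
# Only events that actually carry a version are signature update events
[acme_av_signature_update]
search = sourcetype="acme:av" signature_version=*

# --- tags.conf ---
# Step 3: the four tags the report's searches look for
[eventtype=acme_av_signature_update]
endpoint = enabled
application = enabled
signature = enabled
update = enabled
```

After restarting or reloading the search head, the troubleshooting search tag=endpoint tag=application tag=signature tag=update | table signature_version,dest,vendor_product should return one row per update event from this source; an empty result usually means the extraction regex does not match the vendor's actual format.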

Report description

The data in the Malware Signature Updates report is populated by a lookup against the malware_signature_update_tracker. This tracker is populated by the Malware Signature Update Tracker - Lookup Gen saved search.

[Figure: Malware Signature Updates report]

This search runs on an offset 20-minute cycle and looks at 20 minutes of data.

Schedule:      10,30,50 * * * *   Runs on a 20-minute offset window.
Report window: -25m@m to -5m@m    Looks at 20 minutes of data.

Note: The report window stops at 5 minutes ago because some data sources may not have provided complete data in a more recent time frame.
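The scheduling pattern described above (a saved search that runs every 20 minutes, lags 5 minutes behind real time, and refreshes a tracker lookup) as an added savedsearches.conf example. This is not the app's own "Malware Signature Update Tracker - Lookup Gen" search; the stanza names, the tracker file acme_av_signature_tracker.csv, and the 7-day staleness threshold in the second stanza are assumptions.

```conf
# Added example (not the app's own saved search). Assumes the data has already been
# tagged endpoint/application/signature/update and that a tracker CSV named
# acme_av_signature_tracker.csv may be created by this search.

# --- savedsearches.conf ---
[Acme AV Signature Update Tracker - Lookup Gen]
enableSched = 1
# Same cadence as the app's tracker search: minutes 10, 30 and 50 of every hour
cron_schedule = 10,30,50 * * * *
# Stop 5 minutes ago so late-arriving events are not missed (20-minute window)
dispatch.earliest_time = -25m@m
dispatch.latest_time = -5m@m
# Newest version seen per host and product in this window, merged with the
# previous tracker contents so hosts that were quiet this cycle are kept
search = tag=endpoint tag=application tag=signature tag=update \
    | stats max(_time) AS last_update latest(signature_version) AS signature_version BY dest, vendor_product \
    | inputlookup append=t acme_av_signature_tracker.csv \
    | sort 0 - last_update \
    | dedup dest, vendor_product \
    | outputlookup acme_av_signature_tracker.csv

[Acme AV Stale Signatures]
# Report built on the tracker: hosts whose last observed update is older than
# the threshold (7 days is an assumed value; set it to your policy's requirement)
search = | inputlookup acme_av_signature_tracker.csv \
    | where last_update < relative_time(now(), "-7d@d") \
    | eval last_update=strftime(last_update, "%Y-%m-%d %H:%M:%S") \
    | table dest, vendor_product, signature_version, last_update
```

The merge step matters: without the inputlookup append and dedup, each run would overwrite the tracker with only the hosts that logged an update in the last 20 minutes, and a host that has silently stopped updating would disappear from the report instead of being flagged as stale.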

Useful searches/Troubleshooting

Troubleshooting task: Verify that data is present.
Search/Action: tag=endpoint tag=application tag=signature tag=update
Expected result: Returns malware signature update activity data.

Troubleshooting task: Verify that fields are normalized and available as expected.
Search/Action: tag=endpoint tag=application tag=signature tag=update | table signature_version,dest,vendor_product
Expected result: Returns a table of malware signature update activity data.

Troubleshooting task: Verify that the endpoint product signature tracker file has been populated as expected.
Search/Action: | inputlookup append=T malware_signature_update_tracker
               | `malware_signature_update_tracker`
Expected result: Returns a table of the data in the endpoint product signature tracker file.

Additional information

  • The Access – All Authentication – Summary Gen is a post-process task. You can find the details of this search in the $SPLUNK_HOME/etc/apps/SA-AccessProtection/default/postprocess.conf file.

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
