Malware Signature Updates
This report uses the information from the antimalware solution to display a list of the systems within the PCI environment that are updating their signatures appropriately. Use this report to identify systems that have not updated their malware signatures as required.
The best antimalware software has limited effectiveness if it does not have current signatures or if it is not active in the network or on an individual's computer. The PCI standard requires that the antimalware tools are current, which includes the signatures used to detect localized threats.
Relevant data sources
Relevant data sources for this report include endpoint signature version information such as antivirus, endpoint protection, and others. This report looks at malware signature updates data produced by firewalls, routers, switches, and any other device configured to produce malware data.
How to configure this report
- Index endpoint product version data from an antivirus software.
- Not all antivirus (AV) solutions provide this information in the log data.
- Map the data to the following Common Information Model fields.
signature_version, dest, vendor_product
. CIM-compliant add-ons for these data sources perform this step for you. - Tag the malware signature data with "malware", and "operations".
Report description
The data in the Malware Signature Updates report is populated by a lookup against the malware_operations_tracker
CSV file. This tracker is populated by the Malware Operations Tracker - Lookup Gen
saved search. Review each lookup generating search to learn more about the search schedule and time range.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that data is present. | tag=malware tag=operations | Returns malware signature update activity data. |
Verify that fields are normalized and available as expected. | tag=malware tag=operations | table signature_version,dest,vendor_product | Returns a table of malware signature update activity data. |
Verify that the endpoint operations tracker file has been populated as expected. | | inputlookup append=T malware_operations_tracker | `malware_operations_tracker` |
Returns a table of the data in the endpoint product signature tracker file. |
Malware Activity | Update Service Status |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
Feedback submitted, thanks!