LIBRARY MONITORING-RELATED INCIDENTS
- Whenever a new, modified or hijacked library is detected in a configured process (other than those in the allowlist), VSP generates an incident. Navigate to Monitor > Incidents in the left navigation pane.
- The incident carries information about the newly detected library.
- Click the Extended Properties tab to list all the related libraries.
- There are three types of library monitoring incidents reported by VSP:
  - New Library – a library is detected that is not among the allowlisted libraries
  - Library Modified – the library is allowlisted, but a checksum mismatch is detected
  - Library Hijack – the library is allowlisted, but a path mismatch is detected
The truth table below describes the possible combinations of name, path and checksum matches against the allowlist and the type of incident reported for each:

| SL NO | Library Name | Library Path | Library Checksum | Incident Type    |
|-------|--------------|--------------|------------------|------------------|
| 1     | No Match     | Match        | Match            | No Incident      |
| 2     | No Match     | Match        | No Match         | New Library      |
| 3     | No Match     | No Match     | Match            | No Incident      |
| 4     | No Match     | No Match     | No Match         | New Library      |
| 5     | Match        | Match        | Match            | No Incident      |
| 6     | Match        | Match        | No Match         | Library Modified |
| 7     | Match        | No Match     | Match            | No Incident      |
| 8     | Match        | No Match     | No Match         | Library Hijack   |

Table - Library Incidents
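The following is an added example, not VSP's own code, that encodes the truth table above as a classification function and drives it from a small constructed allowlist. It assumes (as the table's independent Match/No Match columns suggest) that name, path and checksum are each compared against the whole allowlist rather than against a single entry; the `AllowedLibrary` type, the `classify` and `evaluate_loaded_library` helpers and the sample library records are all constructed for this example.

```python
"""Library-monitoring incident classification reconstructed from the truth table.

Added example; not part of VSP. The allowlist records and the way match flags
are derived from it are assumptions made for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable

NO_INCIDENT = "No Incident"
NEW_LIBRARY = "New Library"
LIBRARY_MODIFIED = "Library Modified"
LIBRARY_HIJACK = "Library Hijack"


def classify(name_match: bool, path_match: bool, checksum_match: bool) -> str:
    """Map the three match flags to the incident type given in the table.

    Rows 1, 3, 5, 7: a checksum that is already allowlisted never raises
    an incident, whatever the name or path says.
    Rows 2, 4: an unknown name with an unknown checksum is a New Library.
    Row 6: known name, known path, unknown checksum is Library Modified.
    Row 8: known name, unknown path, unknown checksum is Library Hijack.
    """
    if checksum_match:
        return NO_INCIDENT
    if not name_match:
        return NEW_LIBRARY
    if path_match:
        return LIBRARY_MODIFIED
    return LIBRARY_HIJACK


@dataclass(frozen=True)
class AllowedLibrary:
    """One allowlist entry (hypothetical record shape)."""
    name: str
    path: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_loaded_library(name: str, path: str, content: bytes,
                            allowlist: Iterable[AllowedLibrary]) -> str:
    """Derive the three match flags for an observed library and classify it.

    Assumption: each attribute is matched against every allowlist entry
    independently, which is what makes rows 1, 3 and 7 of the table possible.
    """
    entries = list(allowlist)
    name_match = any(e.name == name for e in entries)
    path_match = any(e.path == path for e in entries)
    checksum_match = any(e.sha256 == sha256_hex(content) for e in entries)
    return classify(name_match, path_match, checksum_match)


# Constructed allowlist: the "known good" build of one shared library.
GOOD_BYTES = b"constructed contents of the approved libcrypto build"
ALLOWLIST = [
    AllowedLibrary("libcrypto.so", "/usr/lib/libcrypto.so", sha256_hex(GOOD_BYTES)),
]


def demo() -> dict:
    """Run the allowlist against four constructed observations."""
    return {
        "approved build in place":
            evaluate_loaded_library("libcrypto.so", "/usr/lib/libcrypto.so",
                                    GOOD_BYTES, ALLOWLIST),
        "same file, bytes changed":
            evaluate_loaded_library("libcrypto.so", "/usr/lib/libcrypto.so",
                                    b"patched bytes", ALLOWLIST),
        "same name loaded from elsewhere":
            evaluate_loaded_library("libcrypto.so", "/tmp/libcrypto.so",
                                    b"other bytes", ALLOWLIST),
        "library never allowlisted":
            evaluate_loaded_library("libhelper.so", "/opt/app/libhelper.so",
                                    b"helper bytes", ALLOWLIST),
    }


if __name__ == "__main__":
    for scenario, incident in demo().items():
        print(f"{scenario:32s} -> {incident}")
```

`classify` is the table itself; `evaluate_loaded_library` shows how a monitor would obtain the three flags from what it actually observes (a name, a path and the bytes on disk), and `demo` walks through the modified, hijacked and new-library cases against a single approved entry.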

Scriptless Operations

- Parameters for script-less operations are monitored for any malicious activity and reported as incidents.

Fileless attacks

- Commands such as the one depicted below are treated as malicious and will not be executed if the Protect mode is selected.
- The first 10 characters of the executed command will be the same as the name of the detected library.

File-based attacks

- If a script is not allowlisted, it cannot be executed and an incident is reported.
- A pseudo-library is listed and can be added to the allowlist if required.
- If the script is modified after addition to the allowlist, the command is NOT executed, since a change in the payload is detected, and an incident is reported.
- If the file modifications are legitimate, the newly detected libraries can be added to the allowlist.