
LIBRARY MONITORING-RELATED INCIDENTS

  1. Whenever a new, modified or hijacked library is detected in the configured process (other than the libraries in the allowlist), VSP generates an incident. To view it, navigate to Monitor > Incidents in the left navigation pane

  2. The incident contains the details of the newly detected library


  3. Click the Extended Properties tab to list all the related libraries


  4. There are three types of library monitoring incidents reported by VSP:

    1. New Library – a library is detected that is not one of the allowlisted libraries

    2. Library Modified – the library is allowlisted, but its checksum does not match the allowlisted checksum

    3. Library Hijack – the library is allowlisted, but it was loaded from a path that does not match the allowlisted path

  5. The truth table below lists the possible combinations of name, path and checksum match results and the incident type reported for each

     SL NO | Library Name | Library Path | Library Checksum | Incident Type
     ------+--------------+--------------+------------------+------------------
     1     | No Match     | Match        | Match            | New Library
     2     | No Match     | Match        | No Match         | New Library
     3     | No Match     | No Match     | Match            | New Library
     4     | No Match     | No Match     | No Match         | New Library
     5     | Match        | Match        | Match            | No Incident
     6     | Match        | Match        | No Match         | Library Modified
     7     | Match        | No Match     | Match            | Library Hijack
     8     | Match        | No Match     | No Match         | Library Hijack

     Table - Library Incidents
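The decision rules of the table, written out as an added Python example (this is not VSP's own code; the allowlist contents and the library events are constructed placeholders). It encodes the precedence the table implies: an unknown name is always New Library, and for a known name a path mismatch is reported as Library Hijack even when the checksum also differs (rows 7 and 8), so only a path match with a checksum mismatch yields Library Modified (row 6).

```python
import hashlib
from typing import Dict, Optional

# Constructed allowlist: library name -> expected load path and SHA-256 of the
# on-disk image. The hash is computed from a placeholder byte string so the
# example is self-contained; a real allowlist would hold the hash of the file.
ALLOWLIST: Dict[str, Dict[str, str]] = {
    "libcrypto.so.3": {
        "path": "/usr/lib/x86_64-linux-gnu/libcrypto.so.3",
        "sha256": hashlib.sha256(b"constructed libcrypto image").hexdigest(),
    },
}


def classify_library_event(name: str, path: str, image: bytes,
                           allowlist: Dict[str, Dict[str, str]] = ALLOWLIST) -> Optional[str]:
    """Map one observed library load onto the truth table.

    Returns "New Library", "Library Hijack", "Library Modified", or None for
    the "No Incident" row. Checks are ordered name -> path -> checksum, which
    reproduces rows 1-8 of the table.
    """
    entry = allowlist.get(name)
    if entry is None:                       # rows 1-4: name does not match
        return "New Library"
    if path != entry["path"]:               # rows 7-8: path mismatch wins
        return "Library Hijack"
    if hashlib.sha256(image).hexdigest() != entry["sha256"]:
        return "Library Modified"           # row 6: same path, different bytes
    return None                             # row 5: everything matches


if __name__ == "__main__":
    # Constructed events covering each distinct outcome of the table.
    events = [
        ("libcrypto.so.3", "/usr/lib/x86_64-linux-gnu/libcrypto.so.3", b"constructed libcrypto image"),
        ("libcrypto.so.3", "/usr/lib/x86_64-linux-gnu/libcrypto.so.3", b"tampered image"),
        ("libcrypto.so.3", "/tmp/libcrypto.so.3", b"constructed libcrypto image"),
        ("libcrypto.so.3", "/tmp/libcrypto.so.3", b"tampered image"),
        ("libunknown.so", "/tmp/libunknown.so", b"anything"),
    ]
    for name, path, image in events:
        print(f"{name:16} {path:44} -> {classify_library_event(name, path, image) or 'No Incident'}")
```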

  6. Scriptless operations

    1. The parameters of scriptless operations are monitored for malicious activity, and any such activity is reported as an incident

  7. Fileless attacks

    1. Commands of the kind shown in the incident view are classified as malicious and are not executed when Protect mode is selected

    2. The name of the detected library is the first 10 characters of the executed command

  8. File-based attacks

    1. If a script is not allowlisted, it is not executed and an incident is reported

    2. The script is listed as a pseudo-library and can be added to the allowlist if required

    3. If the script is modified after it has been added to the allowlist, the command is NOT executed because the change in the payload is detected

    4. An incident is reported for the modified script

    5. If the file modifications are legitimate, the newly detected libraries can be added to the allowlist
