What Red Canary Detects, Part III: Unwanted Software

Keith McCammon


We produce unwanted software detections primarily because they are indicators of vulnerable system or network configurations. Further, unwanted software almost always arrives as a result of improperly sourced software installed by an end user, and thus its presence indicates that end users have both the technical means and the willingness to execute untrusted code. Why is this so important?

When it comes to preventing endpoint compromise, execution is execution. If the user is able to download and install a version of Firefox bundled with adware, there is a userspace execution problem at a minimum. In particular, execution from temporary or download directories is permitted. If the organization utilizes a proxy server or web content filtering mechanism, this may indicate a failure of that safeguard as well. The result is that any web page delivering an executable file may result in that file being executed, and untrusted code installed.

Similarly, if the user is able to receive via email and install a Caturday screensaver, the same classes of vulnerability exist. In this case, the organization’s mail gateway allows delivery of executable files and the mail client’s temporary directory allows execution.

Execution is execution.
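The hunt these two scenarios imply, as an added example (not Red Canary's detection logic): it flags process starts from download, temporary and mail-client temporary directories and names the control gap each one points to. The path patterns, field names and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Path patterns are assumptions for this example (default Windows profile layout).
# Each rule maps an execution location to the control gap the article ties to it.
RULES = [
    ("mail-attachment",
     re.compile(r"\\microsoft\\windows\\(inetcache|temporary internet files)\\content\.outlook\\", re.I),
     "mail gateway delivered an executable and the mail client temp directory allows execution"),
    ("download-dir",
     re.compile(r"\\users\\[^\\]+\\downloads\\", re.I),
     "web filtering passed an executable and the download directory allows execution"),
    ("temp-dir",
     re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I),
     "temporary directory allows execution"),
]

# Constructed process-start events (hosts, users and file names are made up).
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "alice", "image": r"C:\Users\alice\Downloads\FirefoxSetup_bundle.exe"},
    {"host": "WS-022", "user": "bob",
     "image": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\8QX2ZK1A\caturday.scr"},
    {"host": "WS-014", "user": "alice", "image": r"C:\Users\alice\AppData\Local\Temp\is-4F2K1.tmp\toolbar_helper.exe"},
    {"host": "WS-030", "user": "carol", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

def classify(image):
    """Return (rule_name, control_gap) for the first matching rule, else None."""
    for name, pattern, gap in RULES:
        if pattern.search(image):
            return name, gap
    return None

def hunt(events):
    """Yield one finding per event whose image ran from a user-writable drop location."""
    for ev in events:
        hit = classify(ev["image"])
        if hit:
            yield {**ev, "rule": hit[0], "gap": hit[1]}

def gaps_by_host(events):
    """Summarize which control gaps each host has demonstrated."""
    summary = defaultdict(set)
    for finding in hunt(events):
        summary[finding["host"]].add(finding["rule"])
    return {host: sorted(rules) for host, rules in summary.items()}

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} [{f['rule']}] {f['image']} -> {f['gap']}")
```

A hit is evidence about policy rather than a verdict on the file: the per-host summary shows which safeguard to review, whatever the binary turns out to be.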

For a defender or an effective information technology manager, the best safeguards are those that are both inexpensive and protect against broad classes of threats. Hunting for unwanted software is a cost-effective means of identifying control gaps that lead directly to execution of untrusted code via the most pervasive attack vectors, email and web browsers. And in most cases, closing these gaps through endpoint security policy or network-based filtering mechanisms is very affordable for organizations of all sizes.

We are on the endpoint where this class of threat is manifest, and are able to provide accurate unwanted software detections to our customers at little cost to all involved. As a result, we enable identification and remediation of these potentially impactful classes of vulnerability before they are realized in the context of an actual attack.

If you are interested in hearing more about Red Canary’s managed endpoint threat detection and response service, let us know and we can determine how we can help you.




