For me, I've always leaned towards a shotgun approach to fixing malware related issues. When I held helpdesk-type responsibilities and was faced an infected machine, I typically used four to five different anti-malware tools to clean up the machine, which worked the majority of the time. If I couldn't fix it in 30- to 45 minutes, it was time to rebuild it. These days, I'm more of the mindset that nearly every infection needs to be rebuilt because it's gotten harder to catch every little piece of malware dropped on a system and repair it in a reasonable amount of time.
Besides having procedures in place to rebuild systems quickly, what measures can you take to identify infected systems that AV hasn't detected yet? I've found that the Emerging Threats community has done a phenomenal job and detecting problems. Even though the malware may have been repacked or morphed slightly so local AV is blind, it is still using the same network protocols that can be detected via IDS. I highly recommend checking out their signatures if you use Snort or some Snort-based IDS/IPS.
Another useful tool I've been leveraging lately is blacklists provided by various reputable groups. The lists consist of known malicious IPs that have been identified as attackers, servers hosting malware, or C&C's (command and control servers). Tenable has a blog entry about using blacklists and links to several good lists worth reviewing. If your IDS supports adding custom rules, I recommend testing some of those lists and setting the IDS to record some of the traffic it sees to those hosts. Then, review the data and see if you've found infected machines missed by AV. I'll bet you do. Just beware of false positives because sometimes blacklists aren't vetted as well as they should be.
I hate to beat the "defense in depth" drum because it's been overused a bit in years past, but it's true. Layered security is a must when it comes to fighting malware. AV isn't enough, so we need to supplement our defenses with other measures like the Emerging Threats ruleset and blacklists. Give them a shot and let me know how it worked out for you.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.