corso/website/blog/2023-04-08-malware.md
Nočnica Mellifera 4eef3d3703
Correct malware blog's slug (#3046)
2023-04-11 17:30:48 +00:00
---
slug: microsoft-365-malware-detection-and-your-responsibilities
title: "Microsoft 365, Malware 👾, and your responsibilities"
description: "When we evaluate malware threats, we often think mainly of protecting our users.
The biggest concern is always going to be lost availability and leaked data if
malware affects our system. But like any threat with an infection model, part of
the story is about your responsibilities as an operations engineer to keep
others safe."
authors: nica
tags: [corso, microsoft 365, backups, security, malware]
date: 2023-04-08
image: ./images/invaders.png
---
![a clone of the game 'space invaders' Cover image By Lee Robinson - https://github.com/leerob/space-invaders, MIT, https://commons.wikimedia.org/w/index.php?curid=127314893](./images/invaders.png)
When we evaluate malware threats, we often think mainly of protecting our users.
The biggest concern is always going to be lost availability and leaked data if
malware affects our system. But like any threat with an infection model, part of
the story is about your responsibilities as an operations engineer to keep
others safe.
<!-- truncate -->
## Microsoft-hosted Malware
Research earlier in 2023 showed that Microsoft OneDrive was
[host to about 30% of all malware](https://www.cybertalk.org/2023/01/27/do-you-use-onedrive-or-google-drive-watch-out-for-this-malware/).
OneDrive is a popular platform for hosting malware because the malicious actor
gets a legitimate-looking URL, which increases the chance of their payload
being downloaded or executed.

This malware hosting is usually done from accounts created by malicious actors,
but it's even more effective when a compromised account inside a legitimate
organization can be used.

The responsibility for addressing this issue lies more with administrators than
with Microsoft. Data on OneDrive is customer data, and it would be intrusive and
disruptive for Microsoft to start taking down files automatically. Anyone running
OneDrive and SharePoint should take measures to detect and remove malware, both
to protect their own users and to protect the broader community.

If you accept that, as a Microsoft 365 and OneDrive user, you should be part of
the solution, how can you take a stand against malware?
## Scan for Malware
Sophisticated malware is difficult to engineer. Threats like BazarLoader, which
use a Trojan horse to create an ISO that waits for the user to open an
innocent-looking Documents folder, aren't being developed from scratch every
day. Therefore, it's possible to scan for malware and find most threats before
they affect large numbers of systems.

While there are a number of tools to scan backups, attachments, and other file
locations, I'm pleased to say that Corso has implemented
[malware scanning for your backups as of V0.5.0](https://github.com/alcionai/corso/releases/tag/v0.5.0).
Corso aims to prevent content already flagged as malware from making it into your
backups. Since Corso is free and open-source, admins can take advantage of this
and take action (for example, delete the files, or extract them for forensic
analysis) against files flagged by Corso.
## See it in Action: Create a Malware-Free Backup with Corso
We hope that the first time you use a tool like Corso to scan your backups, you
will have no malware detected. That, however, raises the question: how do we know
it's working?

Good news: there are long-standing resources for grabbing known-bad files that
should set off any malware or virus scanner. The European Institute for Computer
Anti-Virus Research (EICAR) has made such a file available, along with this rather
choice paragraph on why a known-bad file that is not a real virus is useful for
security practice:

> Using real viruses for testing in the real world is rather like setting fire
> to the dustbin in your office to see whether the smoke detector is working.
> Such a test will give meaningful results, but with unappealing, unacceptable
> risks.

Download the EICAR test file here. Any scanner worth its salt will alert on at
least the first two versions of the file (`eicar.com` and `eicar.com.txt`) and
*should* notice malware inside a .zip as well. When using Corso with any of
these files, the feedback is quite clear:

![Corso giving feedback](./images/malware1.png)

Any detected files will be listed as 'skipped' and the rest of the backup will
complete as normal.
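To reproduce the smoke-detector test the post describes, here is an added example (not Corso's own code) that writes the three classic EICAR variants into a scratch directory and runs a minimal signature check over them, including inside the .zip. The EICAR string and file names are the public standard ones; the clean `notes.txt` file and the `run_demo` helper are constructed for the demonstration.

```python
"""EICAR test-file generator plus a scanner-style check (added example, not
Corso's code). The public 68-byte EICAR string is assembled from two halves at
runtime so that this source file is not itself flagged by desktop anti-virus."""
import io
import os
import tempfile
import zipfile

# Two halves of the standard EICAR test string (public, harmless by design).
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         + "ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def write_eicar_variants(directory):
    """Write the three classic variants: bare .com, .com.txt and zipped."""
    paths = []
    for name in ("eicar.com", "eicar.com.txt"):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(EICAR)
        paths.append(path)
    zpath = os.path.join(directory, "eicar_com.zip")
    with zipfile.ZipFile(zpath, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)  # the zipped variant
    paths.append(zpath)
    return paths


def contains_eicar(path):
    """Signature check: the test string in the file itself, or inside any
    member when the file is a zip archive (what a scanner *should* do)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if EICAR in data:
        return True
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(EICAR in zf.read(m) for m in zf.namelist())
    return False


def run_demo():
    """Write the variants plus one clean file into a temp dir and scan it;
    returns {filename: would_be_skipped}."""
    d = tempfile.mkdtemp()
    write_eicar_variants(d)
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly report")  # constructed clean file
    return {n: contains_eicar(os.path.join(d, n)) for n in sorted(os.listdir(d))}
```

Your endpoint anti-virus will most likely quarantine these files the moment they are written, which is exactly the behaviour the test exists to confirm.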
## What to do when Corso Detects Malware
Files that Corso detects as malware will be skipped in backups, but you should
take steps to delete these files and do some analysis of their source within
your OneDrive instance. When Corso detects malware, it will log the fact
(Corso's log location is displayed when the CLI runs).

![Image of Corso logging errors and exceptions, with one item of malware detected](./images/malware2.png)

Lines for detected malware will show up marked as `malware detected` and will even
carry a `malware_description` parameter.
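A small triage helper, added here and not part of Corso, that pulls those `malware detected` lines out of a log and lists the flagged item with its `malware_description`. The two line layouts it handles (JSON lines and key=value text), the `item` key, and the sample log are assumptions constructed for the example, not real Corso output.

```python
"""Pull malware-detection entries out of a Corso log for triage (added example,
not Corso's code). The page says detected items are logged marked
`malware detected` with a `malware_description` parameter; the line layouts
handled here (JSON lines, or key=value text), the `item` key and the sample
log are assumptions."""
import json
import re
from typing import Optional

MARKER = "malware detected"

# Constructed sample log (not real Corso output).
SAMPLE_LOG = """\
{"level":"info","msg":"backup started","service":"OneDrive"}
{"level":"warn","msg":"malware detected","item":"Documents/invoice.iso","malware_description":"Trojan:Win32/Example"}
2023-04-08T10:12:01Z WARN malware detected item=Shared/eicar.com malware_description="Virus:DOS/EICAR_Test_File"
{"level":"info","msg":"backup complete","skipped":2}
"""


def parse_line(line: str) -> Optional[dict]:
    """Return {item, description} for a detection line, else None."""
    line = line.strip()
    if MARKER not in line:
        return None
    try:  # JSON-lines layout
        rec = json.loads(line)
    except json.JSONDecodeError:
        rec = None
    if rec is not None:
        if MARKER not in str(rec.get("msg", "")):
            return None
        return {"item": rec.get("item", "?"),
                "description": rec.get("malware_description", "?")}
    # key=value text layout; the description may be quoted or bare
    item = re.search(r"\bitem=(\S+)", line)
    desc = re.search(r'malware_description=(?:"([^"]*)"|(\S+))', line)
    return {"item": item.group(1) if item else "?",
            "description": (desc.group(1) or desc.group(2)) if desc else "?"}


def malware_entries(log_text: str) -> list:
    """All detection records in the log, in order of appearance."""
    return [r for r in map(parse_line, log_text.splitlines()) if r]
```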
## Monitor for new reports
The landscape for malware is shifting, and it's vital you stay on top of new
reports. Three sources of updates I'd recommend:

<!-- vale Vale.Spelling = NO -->
- [Microsoft's Vulnerabilities Registry](https://msrc.microsoft.com/update-guide/vulnerability)
- [The Malwarebytes blog](https://www.malwarebytes.com/blog)
- [The Register's tech news](https://www.theregister.com/), for a more industry-wide view of trends and major issues
<!-- vale Vale.Spelling = YES -->
If you keep these practices in place in your organization, not only are you less
likely to suffer from malware attacks, but the danger of your playing host to
malicious files and attacks on others will be greatly reduced!