Sophos Antivirus Root Cause Analysis tool

In the past, Antivirus software was relatively simple and did a decent job on preventing viruses and malware. We would also have to use a malware or rootkit removers just to be sure the remnants of the malware was removed. After a few hours, the user can get back on and continue working.

A malware breach such as Trojans or Ransomware is much more complex and damaging when executed. An event like this could bring the business to a halt in a matter of minutes. Trojans can spread through the network and steal personally identifiable information for customers as well as any credit card or bank information.

Today, we have several Antivirus tools that can find the root of the breach and can gather crucial details after the event. Sophos provides a tool called the Root Cause Analysis which does the following.

  • Determine what the name of the malicious file, the time of detection, and the device involved.
  • The name of the root application that is involved. Chrome/Outlook/Internet explorer are generally the culprits.
  • Recommends the next steps the engineer should take on the malware event.

For the example below. The user was using Chrome and clicked on a link that contained the virus Mal/GenA.

RCA also has a tab for artifacts which shows any business files that were touched, processes, and network connections.

We can now use the Visualize tab to determine the root cause and the beacon that got the file caught. The red dot is the root cause which was chrome.exe. The blue dot is the beacon which is coinhive.com. We now know that a link in a website was clicked on in Google Chrome and attempted to reach out to coinhive.com which was blocked since there is malware found on the site.

Finding out the infection source gives you direction into where you need to improve your security or if further staff training is required. Root Cause Analysis is a great tool to get insight into the breach and helps document the event for auditing.