Defense in depth
Sifting through the logs of my HIPS software this morning revealed an odd application on one of my hosts trying to get out to the Internet.
The file "C:\windows\system32\svohost.exe" is associated with a couple of different trojans, but our AV software wasn't picking it up as anything malicious, so I uploaded it to VirusTotal.com and had it scanned by 26 different AV engines. Only five of them detected anything malicious.
This incident goes to show that you still need defense in depth. You need multiple layers of protection that each detect different behaviors. Having McAfee and Symantec installed at the same time isn't defense in depth, and in this case neither detected the trojan anyway. Had we not been running HIPS, this trojan would have continued to function on this host without our knowledge, which could lead to a serious leak of proprietary information or trade secrets, either of which could potentially damage our company.
Also, the trojan was trying to communicate with the Internet via port 80, which our firewalls allow. Firewalls aren’t smart enough to scrutinize traffic based on any application-layer information or any information in the payload of a packet. So again, without the HIPS blocking this suspicious behavior, the trojan’s communication channel would have succeeded. Not to mention the fact that the compromised host was a laptop. Any time laptops are outside the enterprise network, they are exposed to greater risk because you remove the protection provided by the enterprise firewalls, IPS units, etc.
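The two signals above (an executable whose name is one character off from a real Windows system binary, and a system-binary name running from somewhere other than the system directory) are exactly what a host-based layer can catch and a port-based firewall cannot. The following Python script is an added example, not code from the original post or from any HIPS product; it runs a small name-lookalike and path check over a handful of constructed outbound-connection log lines in a made-up `proc=... dst=ip:port action=...` format. The process names, paths, timestamps and TEST-NET addresses are all constructed for the example.

```python
import re

# Directories a genuine Windows system binary is expected to live in (lower-cased).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# A short, assumed list of well-known Windows process names that malware imitates.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "smss.exe",
}

# Constructed log format (assumption): timestamp, image path, destination, verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proc=(?P<proc>.+?)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+action=(?P<action>\w+)$"
)

# Constructed sample lines (TEST-NET addresses, hypothetical paths).
SAMPLE_LOG = r"""
2024-01-01T08:12:03Z proc=C:\windows\system32\svohost.exe dst=203.0.113.10:80 action=allow
2024-01-01T08:12:05Z proc=C:\windows\system32\svchost.exe dst=203.0.113.20:443 action=allow
2024-01-01T08:13:11Z proc=C:\Program Files\Internet Explorer\iexplore.exe dst=198.51.100.5:80 action=allow
2024-01-01T08:14:00Z proc=C:\Users\bob\AppData\Local\Temp\lsasss.exe dst=192.0.2.7:80 action=allow
2024-01-01T08:15:42Z proc=C:\Users\bob\AppData\Local\Temp\svchost.exe dst=192.0.2.9:80 action=allow
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the known system binary that `name` is exactly one edit away from, else None."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if levenshtein(name, known) == 1:
            return known
    return None


def classify(proc_path: str):
    """Return a human-readable reason the image path is suspicious, or None if it looks normal."""
    path = proc_path.lower()
    directory, _, name = path.rpartition("\\")
    twin = lookalike_of(name)
    if twin:
        return f"lookalike of {twin}"
    if name in KNOWN_SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        return f"{name} outside system directory"
    return None


def find_suspicious(log_text: str):
    """Parse the log and return one finding per suspicious outbound connection."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reason = classify(m["proc"])
        if reason:
            findings.append({
                "ts": m["ts"],
                "proc": m["proc"],
                "dst": f"{m['ip']}:{m['port']}",
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['proc']} -> {f['dst']}: {f['reason']}")
```

Run against the sample, the script flags the `svohost.exe` connection on port 80 that a port-based firewall would have passed, plus two other classic cases (a misspelled `lsass.exe` and a real-looking `svchost.exe` running out of a temp directory). The point of the design is that neither check depends on a destination port or on the traffic content; they key on who is talking, which is information only the host layer has.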
