Malware sending CEF Alerts with number preceeding filename

Document created by RSA Admin Employee on Dec 3, 2015
Version 1Show Document
  • View in full screen mode

When the malware appliance is configured for CEF alerting the filename will be preceeded by a number indiicating the position in the session.

 

For example and email my contain multiple attachments file1.txt, file2.txt file3.txt etc.

If malware is detected these will be sent via CEF with filename  1.file1.txt, 2.file2.txt 3.file3.txt

 

This LUA parser converts the filename back to the original!

Attachments

Outcomes