Time table of A/V logs ordered by detect method colored by malware over time.

I used a perl script to convert syslog Symantec A/V logs to CSV files and loaded the data into Advizor Analyst. This type of graph shows interesting re-infection patterns for individual hosts (horizontal lines), signature updates following malware blooms (vertical patterns with the same colors) as well as others.

Graph Interpretation

This is a great use-case. Could you tell us what you mapped on the y-axis and what does color encode? Can you say more about those four vertical lines in the middle also? Are those the AV signature updates? Also, is there some immediate action that you were able to derive from looking at this?

Thanks for submitting. This is the kind of use case we need!

Additional details

The y-axis is a list of all infected machines, so each horizontal line is a single system (hostnames clipped for anonymity). The color coding is based on the name of the malware, with similar names having similar colors on the palette. The four solid verticals outside of the weekly scheduled scan pattern (the consistent vertical pattern across all the plots) were four different outbreaks of a network scanner where signature updates were loaded across all systems and the IPS started detecting and blocking immediately. The analysis was done to evaluate the effectiveness of an A/V deployment. The initial impact was a clear determination that the A/V system needed some attention, and over time the analysis was used to reinforce the value of enabling additional options in the A/V system. Ongoing analysis shows the tempo of malware detects and changes to the A/V environment.
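The syslog-to-CSV step and the two patterns the submitter reads off the chart (horizontal re-infection lines per host, vertical outbreak blooms outside the scheduled scan), as an added Python example that is not the submitter's perl script. The log layout and sample lines are constructed for illustration and are not the real Symantec syslog format.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample lines in a simplified syslog-style layout (assumption:
# one detection per line with a timestamp, host, detect method and risk name).
SAMPLE_SYSLOG = """\
2011-03-01T02:00:11 host01 av: detect=ScheduledScan risk=W32.Downadup action=Quarantined
2011-03-01T02:00:14 host02 av: detect=ScheduledScan risk=Trojan.Gen action=Cleaned
2011-03-03T09:12:40 host01 av: detect=AutoProtect risk=W32.Downadup action=Quarantined
2011-03-03T09:12:41 host02 av: detect=IPS risk=W32.Downadup action=Blocked
2011-03-03T09:12:42 host03 av: detect=IPS risk=W32.Downadup action=Blocked
2011-03-03T09:12:43 host04 av: detect=IPS risk=W32.Downadup action=Blocked
2011-03-05T14:03:00 host01 av: detect=AutoProtect risk=W32.Downadup action=Quarantined
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) av: detect=(?P<detect>\S+) "
    r"risk=(?P<risk>\S+) action=(?P<action>\S+)$"
)

def parse_syslog(text):
    """Parse matching lines into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def to_csv(rows):
    """Emit the columns a time-table plot needs: time, host, detect method, malware."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ts", "host", "detect", "risk", "action"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def reinfected_hosts(rows, min_days=2):
    """Horizontal lines: the same host hit by the same risk on several distinct days."""
    days = defaultdict(set)
    for r in rows:
        days[(r["host"], r["risk"])].add(r["ts"][:10])
    return {k: sorted(v) for k, v in days.items() if len(v) >= min_days}

def outbreak_days(rows, min_hosts=3):
    """Vertical blooms: many distinct hosts hit by one risk on one day,
    ignoring the weekly scheduled scan so its regular column does not count."""
    hosts = defaultdict(set)
    for r in rows:
        if r["detect"] == "ScheduledScan":
            continue
        hosts[(r["ts"][:10], r["risk"])].add(r["host"])
    return {k: len(v) for k, v in hosts.items() if len(v) >= min_hosts}
```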