CCleaner case vs. AMP full scan

natolin
Level 1

Hello,

We've found the marvelous Talos work done on CCleaner; again, respect for the state-of-the-art discovery (no irony, the best part of the AMP solution).

As an output, we got ClamAV signatures to detect this threat; all you need is to scan your infrastructure or wait for execution. Of course, most of us will choose the preventive option.

Therefore I'd like to use this as an opportunity to discuss the solution's primary features, like regular full scans of the whole AMP infrastructure. E.g. in the early nineties (irony), some security companies, previously handled by some hardware company, solved this issue by creating scans with a randomize feature: choose whatever period you like, and the scan will start randomly within it. This way, when the scan runs and I can't work due to heavy resource utilization, my desk neighbour can cover for me (yes, heavy resource utilization is not an issue any more, but remember we're in the 90s). What we've got from the networking company that would like to be a security company at some point in the future is a "working as designed" full scan feature. This feature allows AMP admin users to doom the whole company by running a full scan on all possible workstations and servers at the same time; surely you can compare it, for the sake of security, to ransomware: you pay, and after some time your resources are unlocked. (Sure, we are covered by disclaimers stating this will happen.)

And yes, true, I can open a TAC case to discover that there is a possibility to create some unlimited number of groups of endpoints (to have every single second covered for a given period) and then randomly move endpoints there; when working for a big company, a "randomizer engineer" can be hired to do the job.

But please, "Cisco, you're doing it the wrong way!" Wake up before AMP/CTA joins the other fantastic solutions killed when sold to some big-name company.

Nat
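The two scheduling approaches the post contrasts, as an added example that is not part of the original post and is not Cisco AMP code or its API: a per-host start offset derived from a stable hash of the hostname (the "randomize within a period" feature), the "many groups with staggered slots" workaround, and a sweep over the resulting schedule that reports the peak number of scans running at once. The host inventory, window and scan duration are constructed for illustration.

```python
"""Stagger full scans across a window instead of launching them all at once.

Added example, not Cisco AMP code. Offsets come from a stable hash of the
hostname, so the spread is reproducible with no per-host state; changing the
salt re-shuffles every host.
"""
import hashlib
from datetime import datetime, timedelta


def stable_offset(hostname: str, modulus: int, salt: str = "") -> int:
    """Deterministic value in [0, modulus) for a host (SHA-256 of salt:hostname)."""
    digest = hashlib.sha256(f"{salt}:{hostname}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % modulus


def staggered_starts(hostnames, window_start: datetime, window_seconds: int, salt: str = ""):
    """'Randomize within a period': each host gets its own start inside the window."""
    return {
        h: window_start + timedelta(seconds=stable_offset(h, window_seconds, salt))
        for h in hostnames
    }


def grouped_starts(hostnames, window_start: datetime, window_seconds: int, n_groups: int, salt: str = ""):
    """The 'many groups' workaround: hosts are bucketed into n_groups, and group k
    scans at a fixed slot k * window/n_groups. Same idea, coarser granularity."""
    slot = window_seconds // n_groups
    return {
        h: window_start + timedelta(seconds=stable_offset(h, n_groups, salt) * slot)
        for h in hostnames
    }


def all_at_once(hostnames, window_start: datetime):
    """The 'working as designed' behaviour the post complains about."""
    return {h: window_start for h in hostnames}


def peak_concurrency(starts, scan_duration: timedelta) -> int:
    """Sweep-line count of the maximum number of scans overlapping at any instant."""
    events = []
    for s in starts.values():
        events.append((s, 1))
        events.append((s + scan_duration, -1))
    # Tuple sort: same timestamp -> -1 before +1, so back-to-back scans do not overlap.
    events.sort()
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


def within_window(starts, window_start: datetime, window_seconds: int) -> bool:
    """True when every start falls inside [window_start, window_start + window)."""
    end = window_start + timedelta(seconds=window_seconds)
    return all(window_start <= t < end for t in starts.values())


# Constructed inventory and parameters (not real data): 180 workstations, 20 servers,
# one-week scan window, two-hour full scan.
HOSTS = [f"ws-{i:03d}.corp.example" for i in range(180)] + [
    f"srv-{i:02d}.corp.example" for i in range(20)
]
WEEK = 7 * 24 * 3600
WINDOW_START = datetime(2017, 9, 25, 0, 0)  # arbitrary Monday
SCAN = timedelta(hours=2)

if __name__ == "__main__":
    print("all at once :", peak_concurrency(all_at_once(HOSTS, WINDOW_START), SCAN))
    print("per-host    :", peak_concurrency(staggered_starts(HOSTS, WINDOW_START, WEEK), SCAN))
    print("84 groups   :", peak_concurrency(grouped_starts(HOSTS, WINDOW_START, WEEK, 84), SCAN))
```

The per-host variant spreads 200 two-hour scans over 168 hours, so on average only two or three run together; the grouped variant with 84 two-hour slots gives the same order of concurrency but needs 84 policy groups to be maintained, which is the "randomizer engineer" cost the post describes. Hash-based assignment also means a host lands in the same slot every week unless the salt is rotated.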
