BeyondInsight Clarity Malware Analysis

Clarity Malware evaluates events from BeyondTrust solutions and determines if there are any risks or malware associated with the events. Any malware detected is populated in the Malware tab of the Assets page on the BeyondInsight management console.

Clarity Malware is disabled by default.

You can use the Clarity Malware Analysis tool to detect if any files are infected by malware or a virus. Two sources of data can be used to determine if malware is infecting files on your assets.

  • PowerBroker for Windows file hashes: Create a PowerBroker for Windows policy that collects file hashes and apply the policy to the assets.
  • Discovery Scanner scans: Only the Service and All Audits scans can be used with Clarity Malware. Create and run a scan using either the Service scan template or the All Audits scan template.

After you configure Clarity Malware and gather data, you can review the results on the Malware tab in the BeyondInsight management console.

Configure Clarity Malware

Allow up to 24 hours to pass before any data is populated in the BeyondInsight database.

  1. Select Configuration > Discovery and Vulnerability Management > Clarity Malware Options.
  2. Set the following:
    • Enable Clarity Malware Analysis: Controls whether Clarity Malware Analysis runs. Analysis is disabled by default; set this to Yes to enable it. Setting it back to No removes any previously detected malware from BeyondInsight and turns off analysis for future events.
    • Time to run: Sets the time of day at which Clarity Malware Analysis runs. The default is 4 AM, and the first query starts at 4 AM after you initially install BeyondInsight. To change the time, enter the number of minutes past midnight at which collection should occur (for example, 240 for 4 AM).
    • Frequency to query: Sets how often Clarity Malware Analysis runs. Each run analyzes only the events that have occurred since the previous run. The default is every 4 hours.
    • Alert level: Sets the minimum Clarity Malware analysis level required to flag a detection. A lower alert level flags more findings (including more false positives); a higher alert level flags fewer. If unsure, start at Medium and adjust as needed.
  3. Click Update.

Review Malware Information and Reports

The Confidence Level can be one of the following values:

  • High
  • Medium
  • Low

The confidence level indicates the likelihood that the malware is a real threat to your environment. You can also use the Malware Report to view the information collected using Clarity Malware. You can review malware details by selecting an asset on the Assets page.

Use Reports to Analyze Results

You can use the Malware Report in the management console and the Clarity Reports in BeyondInsight Analytics & Reporting to analyze the collected information.

A daily sync job must be run to retrieve data from the BeyondInsight Analytics & Reporting database. The following reports in BeyondInsight Analytics & Reporting provide Clarity Malware details.

In the chart area, each asset is displayed along with its overall threat level and a severity level indicated by I (Info), L (Low), M (Medium), or H (High). The threat breakdown is presented in the lower section of the report, with Clarity Malware detections indicated in red.

Click the Overall Threat Level link to view more information on the malware.

Event Review - Malware Report

Run the Event Review - Malware Report to view a list of assets and the malware detected on each asset.