ICS Malware

The folders that ICS applications are installed in are usually configured as exclusions to anti-virus scanning.

In some cases, the almost constant updating of the ICS data files leads to unacceptable performance if those files are subjected to anti-virus protection. In other cases, the vendor simply chose to avoid a potential, as yet unseen problem.

To make this problem worse, the permissions on the ICS application folders are typically far from least privilege. Full Control for Everyone is not unusual for a default install. Folder permissions were an area we spent a lot of time on with ICS vendors while developing the Bandolier Security Audit Files. They can be locked down, but rarely are.
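An added audit script, not from the original post, that lists the kind of broad Allow entries described above (Everyone or similar wide groups holding Write, Modify or Full Control) on a set of ICS application folders. The folder paths are placeholders to replace with the actual install directories.

```powershell
# Added example: audit ICS application folders for overly permissive ACEs.
# The folder paths below are placeholders; substitute the real install directories.
$IcsFolders = @('C:\ICS_App_Placeholder', 'D:\Historian_Placeholder')

# Well-known wide groups that should not hold write access to application binaries.
$WideGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing or adding files (covers FullControl and Modify as well).
$BroadRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadAce {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries matter; Deny entries restrict rather than grant.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($WideGroups -notcontains $identity) { continue }
        # Flag the entry if any write-capable bit is present.
        if (($ace.FileSystemRights -band $BroadRights) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = foreach ($folder in $IcsFolders) { Get-BroadAce -Path $folder }
$findings | Format-Table -AutoSize
```

Run it on the ICS host with an account that can read the ACLs; each row is a folder where a wide group can write, which is exactly where a dropped file would also escape the anti-virus exclusion described above.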

We have not yet seen mass-market malware seek out the ICS application folders that are typically excluded from anti-virus scanning. However, a directed attacker might put his malware in these folders to avoid being detected by a future signature.