Auditing Anti-Virus Configurations and Installations

Previous blogs have described how enterprise customers can use the Nessus Scanner with the Tenable ProfessionalFeed or Security Center to audit anti-virus software. Nessus has many different checks that audit systems to see if the anti-virus engine is installed, running and up to date. We’ve also described how this can be accomplished without adding an additional agent. Lastly, Nessus has many different checks that test for vulnerabilities in the actual anti-virus products themselves.

While this functionality addresses the needs of many of our customers, reporting requirements such as those in the PCI DSS have led to requests for more specific and “official” audits to simply detect if Symantec, McAfee or other common anti-virus software is present. Tenable has recently released several audit policies to look for the presence of common anti-virus products. This blog entry describes the use of these audit policies, how they can be analyzed and how these relate to a variety of compliance requirements.

Configuration Auditing Review

Tenable produces a wide variety of configuration auditing templates which can be uploaded to the Security Center or used with the NessusClient to perform analysis of Unix and Windows operating system settings. These files are called “audit” policies.

Many of Tenable’s audit policies are written with specific configuration requirements from compliance regulations and recommendations such as PCI, FDCC, NSA and CIS. Our CIS and FDCC technology has also been certified by the Center for Internet Security and a NIST certified vendor test lab. 

Below is a screen shot of the Tenable Support Portal, which offers various audit policies for download to Tenable customers:

You can see that the policies are organized with various certification and compliance bodies. For policies such as GLBA, SOX and HIPAA, there are currently no specific configuration guides but Tenable has helped many of our customers develop custom policies to use in their environments.

An entire section has been dedicated to auditing anti-virus products. Updates to the current available audit policies are announced through various RSS feeds which announce new product, log normalization, vulnerability, configuration, sensitive data and passive network monitoring rule updates.

Performing Anti-Virus Auditing

Several new audit policies are available to test for the presence of the following anti-virus technologies:

• Bitdefender
• ClamAV
• Kaspersky
• McAfee
• Norton
• Panda
• Sophos
• Symantec
• Trend Micro

Each technology has different combinations of running processes, registry settings and installation files. Tenable’s Research group has identified a variety of methods to reliably detect these different types of software in an enterprise environment and has used this information to write Nessus audit files.

Please keep in mind that over the past few years Tenable has increased the type of analysis that can be performed on anti-virus software:

• Nessus has always contained checks to look for vulnerable versions of anti-virus software.
• For the past few years, Nessus will generate an alert if it found an anti-virus software that was not running, was out of date or otherwise misconfigured

However, with these new anti-virus audit policies, organizations can choose a policy that reflects their requirement to run a specific technology.

Below are screen shots that show how these audits are run with the NessusClient and Security Center on various systems with various types of installed anti-virus technology: 

Panda AV Running	Symantec AV Not Running	McAfee AV Running

To perform these checks you need to download the audit policy for your organization’s anti-virus technology and then configure your NessusClient or Security Center with a scan policy. Configure the scan policy to specify the particular anti-virus audit file and the credentials for the target systems. Keep in mind that multiple audit policies can be run within the same scan policy on both the NessusClient and the Security Center. This could allow you to customize a scan that not only performed a patch audit, but also checked configurations against Center for Internet Security settings as well as to look for your current anti-virus software all at the same time.

Compliance and Governance Reporting

There are many different regulations that require organizations to run anti-virus software. Large organizations may have different technologies deployed in different locations, business units or IT assets. In these cases, tools like the Security Center help to perform a consistent audit against different components of the enterprise. This also makes it easier to identify enterprise-wide issues with the overall anti-virus deployment.

The following compliance standards specifically require anti-virus deployment and directly state that organizations need to demonstrate compliance with these requirements:

• PCI DSS is the most common commercial regulation that mandates anti-virus software on all systems that process cardholder data. Section 5.1 requires anti-virus to be deployed on all systems and section 5.2 requires that these systems be monitored to verify that they are running and generating logs. These new anti-virus audit policies make it very easy to demonstrate compliance with PCI DSS anti-virus reporting requirements. If the scans performing these audits are part of your daily or weekly operations, non-compliant systems can be detected very quickly.
• GLBA specifically states that remote users who commute over a VPN must have anti-virus protection installed. If these computers are part of a domain, they can be regularly scanned with credentialed checks with Nessus, even over a VPN.
• NIST special pub 800-53 (FISMA) section SI-3 specifically requires federal organizations to take measures to provide protection from malicious software. A comprehensive solution such as Tenable’s product suite can help demonstrate SI-3 compliance and also detect when zero-days and worms penetrate the anti-virus technology.
• COBIT section DS5.9 calls out a similar need for protecting the network from malicious software.
• NERC section R4 also calls for the use of anti-virus software on “critical cyber assets” used in the production of reliable electrical power.

Tenable offers the “Real-Time Compliance Monitoring” paper which provides much greater detail on how Tenable’s scanning, logging, configuration auditing and anomaly detection technologies map into the requirements of each of these regulations. We’ve also recently expanded and updated the coverage for PCI 1.2 in a separate “Real-Time PCI Compliance Monitoring” paper. Both of these can be requested from Tenable’s sales staff via email.

For More Information

Previous blogs on auditing anti-virus software with Nessus may be found at these links:

• Auditing Anti-virus Software without an Agent
• Auditing Anti-virus Software Products with Nessus

We have also talked about auditing the security of your anti-virus vendor, and how to analyze network traffic and logs to see if they have been targeted by botnets:

• Hunting Symantec Worms
• Detecting Compromised Windows Hosts

As always, if you want to learn more about Nessus and all of Tenable’s products and you don’t have a lot of time, we’ve prepared several informative product demonstration videos.