Auditing Anti-virus Software without an Agent
Most enterprises are required to run some sort of Anti-virus (AV) software on all or a portion of their desktops and servers and report on the status of the deployment. This blog entry discusses some of the limits of self-reporting within an anti-virus application and how Nessus can help you detect systems that are not AV compliant.
Self Reporting with Anti-Virus Software
Enterprise versions of most anti-virus software typically include a central management console that enables the organization to track which systems have AV installed, the software version and the status of the AV signatures. What these products cannot do is tell administrators about the systems they don't know about - those with no AV installed at all.
Detection mechanisms, and the way this information is reported, vary from vendor to vendor. Each vendor's central management console may use different mechanisms to report whether the anti-virus agent is installed, whether it is running and when it last received a signature update. If not all of this information is displayed, administrators can get a false sense of security that a host is indeed protected by some form of AV. In addition, this type of technology only reports on AV agents from that specific vendor, which leaves mixed-vendor environments uncovered.
Lastly, most anti-virus products can only report on the systems they are installed on, not on other nodes in the network that are outside the management system. Some agents do keep a list of the unique Ethernet addresses they observe and attempt to reconcile this list at the management console. This may help identify some nodes without anti-virus software, but it does not find every device that is filtered, sits behind screening devices or simply never communicates with the agents.
Performing an Audit with Nessus
Previous blog posts have discussed how a Nessus credentialed scan can be used to identify if common anti-virus software is installed, if it is running AND if its signatures are up to date. That post was recently updated to reflect support for testing Sophos and Windows Live OneCare.
Clearly, there are several advantages to this approach.
- No need for an agent - Many organizations wish to avoid deploying more agents to their desktops and servers. Agent-based solutions that audit installed software increase the complexity and potential attack surface of a network. They also require third-party visitors to the organization to install an agent to ensure AV compliance. A Nessus credentialed audit does not require an agent to be installed on the target.
- Support for a heterogeneous environment - Since Nessus is not dependent on a specific vendor's anti-virus technology, it can be used to identify deployed solutions in a multi-vendor environment, common to larger enterprises.
- Verification of signature updates - Nessus independently reports any discrepancies in signature updates, or if the anti-virus solution is installed, but not running.
- Validation of AV software - During the credentialed audit, Nessus will also test for the presence of anti-virus software that is itself vulnerable. Recent blog postings have discussed the increasing trend of vulnerabilities introduced by anti-virus solutions. Nessus has checks for vulnerabilities in many host security agents including Symantec, Trend Micro, CA eTrust, Clam AV, NOD 32, Kaspersky, McAfee, F-PROT and Sophos.
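As an added illustration (not Tenable's code), the script below consumes the credentialed AV checks from a .nessus export and separates compliant hosts from those whose AV is missing, stopped or out of date, without mistaking a host Nessus could not log in to for a host with no AV. The plugin IDs, the plugin output phrases and the Credentialed_Scan host property are assumptions to adapt to your own feed.

```python
"""Summarise agentless AV status from a Nessus .nessus (v2) export. Added example,
not Tenable's code; plugin IDs and output phrases are placeholders to adapt."""
import xml.etree.ElementTree as ET

AV_PLUGINS = {"900001": "Symantec", "900002": "McAfee"}  # placeholder plugin IDs
RANK = {"compliant": 0, "signatures-outdated": 1, "installed-not-running": 2}

def classify_output(text):
    """Map an AV check's plugin_output to a status (phrases are assumed)."""
    t = text.lower()
    if "not running" in t:
        return "installed-not-running"
    return "signatures-outdated" if "out of date" in t else "compliant"

def audit_av(nessus_xml):
    """Return {host: (status, [vendors])} for every ReportHost in the export."""
    results = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        name = host.get("name")
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        # No successful login means the absence of AV findings proves nothing.
        if props.get("Credentialed_Scan", "").lower() != "true":
            results[name] = ("unknown-no-credentials", [])
            continue
        found = []
        for item in host.iter("ReportItem"):
            vendor = AV_PLUGINS.get(item.get("pluginID"))
            if vendor:
                found.append((vendor, classify_output(item.findtext("plugin_output") or "")))
        if not found:
            results[name] = ("no-av-detected", [])
        else:  # one healthy product is enough: report the best status seen
            results[name] = (min((s for _, s in found), key=RANK.get), [v for v, _ in found])
    return results

def noncompliant_hosts(results):
    """Hosts needing follow-up: anything not confirmed as a compliant AV."""
    return sorted(h for h, (s, _) in results.items() if s != "compliant")

# Constructed sample export: compliant, outdated signatures, no AV found, and no login.
SAMPLE = """<NessusClientData_v2><Report name="av-audit">
<ReportHost name="10.0.0.11"><HostProperties><tag name="Credentialed_Scan">true</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="900001" pluginName="AV check" pluginFamily="Windows"><plugin_output>Symantec AV is installed and running; signatures are up to date.</plugin_output></ReportItem></ReportHost>
<ReportHost name="10.0.0.12"><HostProperties><tag name="Credentialed_Scan">true</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="1" pluginID="900002" pluginName="AV check" pluginFamily="Windows"><plugin_output>McAfee VirusScan is installed but its signatures are out of date.</plugin_output></ReportItem></ReportHost>
<ReportHost name="10.0.0.13"><HostProperties><tag name="Credentialed_Scan">true</tag></HostProperties></ReportHost>
<ReportHost name="10.0.0.14"><HostProperties><tag name="Credentialed_Scan">false</tag></HostProperties></ReportHost>
</Report></NessusClientData_v2>"""
```

Hosts reported as unknown-no-credentials should be fixed at the scanner (credentials, firewall, remote registry access) before they are counted as AV gaps.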
Your organization is also likely deploying more than one technology (beyond AV) to defeat the threat of virus outbreaks. Examples include system hardening, the use of desktop firewalls and routing traffic through proxy servers. ProfessionalFeed users can make use of Nessus's ability to audit system configurations to ensure the following:
- The corporate authorized web browser is enabled and configured correctly
- Proxy settings are in effect to require web browsing to go through other forms of inspection
- The system itself has been hardened to limit the impact of a successful virus compromise
- The system is running the corporate standard(s) for Anti-virus software
For More Information
The following Tenable blog entries discuss virus discovery, anti-virus auditing and software discovery: