Detecting Known Malware Processes Using Nessus
Keeping Malware in Check
A limitation of anti-virus (AV) agents is that no single product recognizes every known malware sample found running on a system. Polymorphic and mutating malware makes it possible for one AV vendor to detect a malicious sample and another to miss it completely. Running every AV product on the market in your network to close those gaps is not feasible. Nessus already helps with malware detection, for example:
- Nessus reports if the scanned host is on a known botnet list, communicating with a known botnet IP, or hosting malicious content associated with botnet propagation.
- Nessus audits your anti-virus agent by reporting if it’s misconfigured or has out-of-date rules.
Tenable's research team recently added new functionality to Nessus that detects known malware running on your Windows scan targets. Below is an overview of how this new feature works:
- Nessus authenticates to the Windows system.
- Nessus enumerates the list of running processes on the system.
- For each process, a cryptographic hash (MD5) of its executable file is generated and looked up against Tenable's cloud-based database.
- If the hash matches known malware, the plugin reports the finding along with information about the malware identified.
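The four steps above, reproduced locally as an added example in PowerShell. This is not Tenable's plugin code: the real plugin looks hashes up in Tenable's cloud-based database, whereas this script matches against a constructed, placeholder hash table (`$KnownBadMd5`) that you would replace with your own indicator feed. The function name `Get-SuspiciousProcesses` is an assumption for the example.

```powershell
# Added example (not Tenable's plugin): enumerate running processes, MD5 each
# executable image, and match the hash against a known-bad list. The entries
# in $KnownBadMd5 are CONSTRUCTED placeholders, not real malware hashes.
$KnownBadMd5 = @{
    'ffffffffffffffffffffffffffffffff' = 'Example.Placeholder.A'   # constructed entry
    '0123456789abcdef0123456789abcdef' = 'Example.Placeholder.B'   # constructed entry
}

function Get-SuspiciousProcesses {
    param([hashtable]$BadHashes = $KnownBadMd5)

    $seen = @{}   # cache: image path -> md5, so each image on disk is hashed once
    Get-Process | ForEach-Object {
        $proc = $_
        # Protected and system processes (System, csrss, ...) expose no Path to a
        # non-elevated caller; run elevated, just as Nessus scans with admin credentials.
        $path = $null
        try { $path = $proc.Path } catch { }
        if (-not $path) { return }   # skip this process, continue with the next

        if (-not $seen.ContainsKey($path)) {
            try {
                $seen[$path] = (Get-FileHash -LiteralPath $path -Algorithm MD5 -ErrorAction Stop).Hash.ToLower()
            } catch {
                $seen[$path] = $null   # image unreadable (locked, ACL-denied or already deleted)
            }
        }
        $md5 = $seen[$path]

        # Emit one record per matching process, mirroring the fields the plugin reports:
        # hash, file path and PID at the time of the check.
        if ($md5 -and $BadHashes.ContainsKey($md5)) {
            [pscustomobject]@{
                PID   = $proc.Id
                Name  = $proc.ProcessName
                Path  = $path
                MD5   = $md5
                Match = $BadHashes[$md5]
            }
        }
    }
}

Get-SuspiciousProcesses | Format-Table -AutoSize
```

To see a hit without any malware, add the MD5 of a benign running binary to `$KnownBadMd5` (for example the output of `(Get-FileHash "$env:windir\System32\notepad.exe" -Algorithm MD5).Hash` while Notepad is open). Note the two limits this shares with any hash-based check: a process whose image cannot be read is silently skipped, and a repacked or polymorphic variant with a different hash will not match.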
You can watch a short video on how to configure and run this plugin below:
Plugin Output & Reference Web Pages
If you are already running credentialed scans against Windows targets, ensure that plugin #59275 "Malicious Process Detection" is enabled. The results will appear with a "High" severity rating as follows:
Several things in the plugin output above are worth noting. First, the MD5 checksum of the malicious process's executable is listed as matching known malware. Next comes the file path where the malware resides on the system, along with the Process ID (PID) of the process at the time the scan was performed. An abbreviated list of the AV products that flag the identified file as malware follows, including how many AV vendors in total considered it malware out of the total number of sources consulted.
A URL is provided to learn more about the malware identified. If you visit the URL in the plugin output, you will see something similar to the page below:
For this example, I used WinArpAttacker to trigger the malicious process detection (to avoid having to infect my systems with "real" malware). The report above provides some useful information, including how often this malware is detected (84% in the case of WinArpAttacker) and each AV vendor's name for it (for example, and my favorite, Sunbelt calls it "HackTool.Win32.ArpAttacker.3020 (not malicious)").
In order for the Malicious Process Detection plugin to run properly, the following requirements must be met:
- Credentials for scanning a Windows target with Nessus
- The ability for the Nessus scanner to perform DNS lookups to the Internet; the lookup against Tenable's cloud-based database depends on it, so a scanner on an isolated network with no outbound DNS resolution cannot complete the check
It should be noted that this plugin is not a replacement for AV software. Nessus only checks the processes running at the time of the scan, whereas an AV product can detect file system writes and executions and attempt to prevent infection in near real time. Because the check is hash-based, a modified or repacked variant whose hash is not yet in the database will also not match. However, this new functionality in Nessus adds the ability to check your systems' running processes against 25 AV products without having to run them all on your network and systems.