Plugin Updates: Malicious Process & Botnet Detection

Malicious Process Detection Updates

A short time ago, Tenable released a new plugin to perform Malicious Process Detection (plugin ID 59275). Originally, it identified all possible malicious processes and reported the risk level as "High." This has now been split into two plugins; the original plugin that detects processes as malware which now uses the risk level of "critical," and a new plugin titled Malicious Process Detection: Potentially Unwanted Software (plugin ID 59641):

Maliciousprocess new sm
Click for larger image

The difference between the two plugins is the intent of the malicious software. For example, "Netcat" is a popular tool that can be used for network troubleshooting or by attackers for "evil" purposes such as backdoors. These two separate malware plugins will allow customers to more easily differentiate between policy violations and systems that are infected with malware unmistakable for any legitimate program.

Inbound & Outbound Botnet Detection

The botnet database-checking plugin now differentiates between outbound and inbound connections associated with botnet activity:

Often times, a busy email server or Skype user will trigger plugin 59713, meaning a host participating in a botnet is connecting to one of your systems. While this behavior may be suspicious, it is not a definitive indication that your system is compromised. For this reason, plugin 59713 is classified as risk factor of "none." However, if a system in your environment has an outbound connection to a host known to be participating in a botnet, this can be a strong indication of being compromised (therefore earning a risk factor of "high").

Conclusion

By separating both the malicious process and botnet host detection plugins, we hope to allow customers to more easily prioritize, and react, to events that require immediate action. You can now filter on plugins 58430 (Active Outbound Connection to Host Listed in Known Bot Database) and 59275 (Malicious Process Detection) and quickly review more critical security issues in your network.

Resources