Malware Detection

by David Schwalenberg
January 22, 2014

This dashboard displays information that can be useful for detecting malware on the network. It makes use of vulnerability data from Nessus scans, PVS detections, and event data from the LCE.

For a related executive-level report, see Malware Indicators Report. For related CSV reports, see Malware Detection CSV Reports and More Malware Detection CSV Reports.

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports, and assets.

The dashboard requirements are:

  • SecurityCenter 4.7
  • Nessus 5.2.4
  • LCE 4.2.2
  • PVS 4.0.0

Listed below are the included components:

Malware Detection - Top IPs with Malware Vulnerabilities
This component displays a pie chart of the IP addresses with the most vulnerabilities detected in the last 7 days by the “Backdoors” family of plugins for both Nessus and PVS. These detections indicate hosts with known Trojans, backdoors, or other malware on them.

Malware Detection - Top IPs with Malware Events
This component displays a pie chart of the IP addresses with the most events of type “virus” that have occurred in the last 7 days. These events were reported by various applications and collected by the LCE. Note that the event counts may not be accurate in some cases: an event whose source and destination IP addresses are the same host is counted twice for that address.
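The double-counting caveat above, worked through on constructed sample events (this is an added illustration, not code from the dashboard or from Tenable; the event dictionaries and field names are assumptions, not the LCE record format):

```python
from collections import Counter

# Constructed sample of "virus" and other events, each with a source and a
# destination IP. One virus event has the same host as source and destination.
SAMPLE_EVENTS = [
    {"type": "virus", "src": "10.0.0.5", "dst": "10.0.0.9"},
    {"type": "virus", "src": "10.0.0.5", "dst": "10.0.0.5"},  # src == dst
    {"type": "virus", "src": "10.0.0.7", "dst": "10.0.0.5"},
    {"type": "threatlist", "src": "10.0.0.7", "dst": "203.0.113.4"},  # ignored
]


def naive_ip_counts(events, event_type="virus"):
    """Tally one hit for the source IP and one for the destination IP.

    This is the behaviour the dashboard text warns about: an event whose
    source and destination are the same host is counted twice for that host.
    """
    counts = Counter()
    for ev in events:
        if ev["type"] != event_type:
            continue
        counts[ev["src"]] += 1
        counts[ev["dst"]] += 1
    return counts


def deduplicated_ip_counts(events, event_type="virus"):
    """Count each event once per distinct IP address it involves.

    Using a set of the two addresses collapses src == dst to a single hit,
    so the per-IP total equals the number of events that host took part in.
    """
    counts = Counter()
    for ev in events:
        if ev["type"] != event_type:
            continue
        for ip in {ev["src"], ev["dst"]}:
            counts[ip] += 1
    return counts


def top_ips(counts, n=5):
    """Return the n busiest (ip, count) pairs, highest count first."""
    return counts.most_common(n)
```

For 10.0.0.5 the naive tally reports 4 hits while only 3 virus events involve that host; the deduplicated tally reports 3.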

Malware Detection - Trend (Last 7 Days)
This component displays trends for various malware-related information over the last 7 days. Note that because the chart scales to fit the trend line with the largest values, trend lines with much smaller values may be difficult to see.

Malware Detection - Malware Vulnerabilities (Last 7 Days)
This component displays a summary of vulnerabilities detected in the last 7 days by the “Backdoors” family of plugins for both Nessus and PVS. These detections indicate hosts with known Trojans, backdoors, or other malware on them. For each vulnerability, the severity and total number of detections are shown.

Malware Detection - Malware Events (Last 7 Days)
This component displays a summary of events of type “virus” that have occurred in the last 7 days. These events were reported by various applications and collected by the LCE. For each event, the count of occurrences is shown.

Malware Detection - Known Botnet Interaction (Last 7 Days)
This component displays a summary of vulnerabilities detected in the last 7 days by Nessus plugins 52699 (Host Listed in Known Bot Database), 58429 (DNS Server Listed in Known Bot Database), and 58430 (Active Outbound Connection to Host Listed in Known Bot Database). These detections indicate internal hosts interacting with known botnets, which might indicate that the hosts are infected with malware. For each vulnerability, the severity and total number of detections are shown.

Malware Detection - Threatlist Interaction (Last 7 Days)
This component displays a summary of outbound events of type “threatlist” that have occurred in the last 7 days. These events indicate internal hosts connecting to threatlisted IP addresses or domains, which might indicate that the hosts are infected with malware. For each event, the count of occurrences is shown.

Malware Detection - Windows Malicious Processes (Last 7 Days)
This component displays a summary of vulnerabilities detected in the last 7 days by Nessus plugin 59275 (Malicious Process Detection). These detections indicate Windows hosts running known malicious processes. For each vulnerability, the severity and total number of detections are shown.

Malware Detection - Windows Suspicious Processes (Last 7 Days)
This component displays a summary of vulnerabilities detected in the last 7 days by the Nessus “Malicious Process Detection” plugins (not including plugin 65548, User-Defined Malware Running). These detections indicate Windows hosts running potentially unwanted processes and other possibly malicious processes. For each vulnerability, the severity and total number of detections are shown.

Malware Detection - Windows Unknown Processes (Last 7 Days)
This component displays a summary of vulnerabilities detected in the last 7 days by Nessus plugin 70768 (Unknown Processes). These detections indicate Windows hosts running unknown processes. Note that an unknown process is not necessarily a problem, but the process should be verified to be legitimate and authorized. For each vulnerability, the severity and total number of detections are shown.

Malware Detection - Malicious Content Hosted (Last 7 Days)
This component displays a summary of vulnerabilities detected in the last 7 days by Nessus plugins 71024 (Web Site Hosting Malicious Binaries), 52670 (Web Site Links to Malicious Content), and 29871 (Web Server Malicious Javascript Link Detection). These detections indicate web servers hosting sites with malicious content, which might indicate that the servers have been compromised. Note that some of these web servers may be third-party. For each vulnerability, the severity and total number of detections are shown.

Malware Detection - Outbound External Connections (Last 7 Days)
This component displays a summary of vulnerabilities detected in the last 7 days by PVS plugin 16 (Outbound External Connections). These detections indicate internal hosts (hosts in the “include-network” range) making TCP connections to external IP addresses, which may indicate misconfiguration, misuse, or malware. For each vulnerability, the severity and total number of detections are shown.