Antivirus Software Check

by Dave Breslin
May 15, 2012

TrendGraph

This report template focuses on antivirus software that isn't up-to-date or isn't functioning properly. It relies on Nessus plugin 16193, Antivirus Software Check, and its many dependent antivirus detection plugins which are developed and maintained by the Tenable Research Team.  The trend graph above was cut from one of four chapters produced by the template and depicts an initial growing problem in enterprise deployed antivirus software followed by a partial reversal of the problem. Unfortunately a full reversal of the problem and a return to all antivirus software being healthy seems to have stalled or the latest Nessus credentialed scan has yet to be initiated. To see a full report use the appropriate download example link.

Plugin 16193, Antivirus Software Check, works with the following dependent plugins:

20284 Kaspersky Anti-Virus Detection
12107 McAfee Antivirus Detection
12106 Norton Antivirus Detection
20283 Panda Antivirus Detection
16192 Trend Micro Antivirus Detection
21725 Symantec Antivirus Detection (Corporate Edition)
24232 BitDefender Antivirus Detection
21608 ESET NOD32 Antivirus Detection
12215 Sophos Anti-Virus Detection
43164 Microsoft Forefront Client Security Detection
52544 Microsoft Forefront Endpoint Protection/Anti-malware Client Detection
52668 F-Secure Antivirus Detection   
54846 Sophos Anti-Virus Detection (Mac OS X)
56568 Mac OS X XProtect Installed

Plugin 16193, and its dependent plugins, currently operate on Windows and Mac OS X platforms. It is very important to understand that plugin 16193 only produces a result, plugin report, if the appropriate dependent plugin does not produce a plugin report. Plugin 16193 reports only on healthy installed antivirus software:

16193

The dependent plugins only report antivirus issues. If the plugin report above for 16193 had not been produced to indicate the F-Secure installed antivirus software was up-to-date and functioning then there would have been no plugin report for 16193 at all. And we would have expected to see a report like this from plugin 52668:

52668

 

In the trend graph presented at the beginning of this post the "Antivirus Check Pass" trend line is built by totaling the number of 16193 plugin results each day. And the "Antivirus Check Fail" trend line is built by totaling the number of plugin results for all the dependent antivirus detection plugins each day. The "Antivirus Installed" trend line uses plugin 45051, WMI Antivirus Enumeration Windows. This plugin is limited to the detection of antivirus software installed on Windows desktop operating systems such as XP, Vista and Windows 7. If we are also auditing Windows servers and Mac OS X platforms we would expect the "Antivirus Check Pass" trend line to exceed the level set by the "Antivirus Installed" trend line.

In the trend graph initially presented we would like demonstrate a full reversal of the antivirus problem:

TrendGraph2

 

A similar criss-cross pattern produced by the trend lines was observed at a Tenable Research Site where the server responsible for updating the organization's antivirus software across its enterprise wide Windows platforms started to experience performance issues and began failing to update its antivirus clients. The problem was noticed by a Tenable staff member using a similar trend graph in a SecurityCenter dashboard and reported to the organization's administrative staff who were able to fix the issue in a timely manner. After the server responsible for updating the antivirus clients was restored to full operation the criss-cross pattern emerged.

The report template consists of four chapters:

Toc

 

The trend graph can be found in the "7 Day Trend of Antivirus Check Results" chapter. It is very easy with the GUI driven report builder in SecurityCenter to modify the trend graph's timeframe:

Adjusttimeframe

 

The "Antivirus Check Results" chapter reports current result totals for plugin 16193 and the dependent antivirus detection plugins in two tables as well as a proportional representation of passes and fails using a pie chart:

PieChart

 

The "Antivirus Check Fails Grouped by Subnet and Location" chapter totals all the dependent antivirus detection plugin results and reports the totals across the entire scanned network space divided into /24 subnets and across asset lists. This is a good chapter for troubleshooting antivirus issues by narrowing down the problems to particular locations, especially in a very large organization leveraging many geographically distributed Nessus scanners. The division of the network into /24 subnets can be easily altered to /16 or /8 subnets or the table can be simply deleted if it is not required.

The final chapter, "Antivirus Check Fails Grouped by Host", provides the detail of why a Windows or Mac OS X host has failed an antivirus check:

Detail

 

The Nessus plugins used in SecurityCenter to produce the example report were not updated for a couple of weeks. This is not a good scanning strategy when using Nessus plugins that are checking time sensitive files and executables like antivirus engines and their virus signature databases. Do ensure when you perform this type of auditing that SecurityCenter is operating on a very recently updated plugin set:

Status

Antivirus issues can be a symptom of a malware infection. You may wish to also review the report template Nessus Enhanced Botnet Detection if you start encountering antivirus issues within your organization.