by Dave Breslin
July 23, 2012
This template reports the use of unsupported versions of software running on Windows platforms. It combines unsupported version detection results provided by Nessus with Windows events collected in Tenable’s Log Correlation Engine, LCE.
- July 23rd 2012, version 1, SecurityCenter 4.4
- Required Tools: Nessus and LCE 4
- Download Example - Unsupported Windows Software Startup Detection
- Download Template - Unsupported Windows Software Startup Detection
A common reason given for not patching, upgrading or uninstalling vulnerable desktop software found on servers is that the software isn't being used. However, how certain can we be that the software hasn't been used with remote desktop access to quickly research something on the Internet like a server setting or to download and read configuration instructions? Sometimes security controls to restrict access to the Internet take into account an organization’s desktop platforms but miss server platforms because of their unique positioning within a network like those found in a DMZ. We could use Tenable's Passive Vulnerability Scanner, PVS, to look for vulnerable desktop software in use on servers. However, another approach involves leveraging Windows event logging which will report new processes created by starting applications.
This template uses some of the Nessus detection plugin results that flag Windows software as unsupported and reports evidence of that software's use. It does so by filtering table and graph components (a.k.a. elements) on the LCE normalized event “Windows-New_Process_Created” and using the appropriate text in the “Syslog Text” event filter:
The LCE rules responsible for creating the “Windows-New_Process_Created” normalized event use Windows events 592 (Windows 2003 & XP) and 4688 (Windows 2008, Vista & 7).
The template makes use of the iterator grouping element. This allows the display of LCE event information only for those hosts that have Nessus unsupported software detection results:
In the example above any reporting element that is placed within the iterator will have its report output pre-filtered on hosts that have results for Nessus plugin 40362, "Mozilla Foundation Unsupported Application Detection". Additionally, plugin 40362 results must report on unsupported versions of Firefox.
The iterator filters are the same as those for any other reporting element. The template could be changed to report on the use of vulnerable software falling within a certain CVSS range, flagged as having a known exploit, having a certain CVE reference, or matching many other criteria.
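The correlation this template performs, sketched outside SecurityCenter as an added example (not Tenable's template or LCE's rule code): process-creation events are kept only for hosts that have an unsupported-software finding. The event records, host addresses and the `startups_on_flagged_hosts` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Event IDs named on the page: 592 (Windows 2003/XP), 4688 (2008/Vista/7).
PROCESS_CREATE_IDS = {592, 4688}
# Executable path field: "Image File Name" in 592, "New Process Name" in 4688.
IMAGE_RE = re.compile(r"(?:Image File Name|New Process Name):\s*([^\r\n]+?\.exe)\b", re.I)

def startups_on_flagged_hosts(flagged_hosts, events, image_name):
    """Map host -> start times of image_name, limited to flagged hosts.

    flagged_hosts plays the iterator's role: only hosts with a scanner
    finding are reported, whatever else the event store contains.
    """
    hits = defaultdict(list)
    for ev in events:
        if ev["host"] not in flagged_hosts or ev["event_id"] not in PROCESS_CREATE_IDS:
            continue
        m = IMAGE_RE.search(ev["text"])
        if not m:
            continue
        # Compare the exact file name so "notfirefox.exe" is not counted.
        basename = m.group(1).rsplit("\\", 1)[-1].lower()
        if basename == image_name.lower():
            hits[ev["host"]].append(ev["time"])
    return dict(hits)

# Constructed sample data (not real scan or log output).
FLAGGED = {"192.0.2.10", "192.0.2.11"}  # hosts with an unsupported-Firefox finding
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EVENTS = [
    {"host": "192.0.2.10", "event_id": 4688, "time": "2012-07-20T09:14:02",
     "text": "A new process has been created. New Process ID: 0x1a4 New Process Name: " + FF},
    {"host": "192.0.2.11", "event_id": 592, "time": "2012-07-20T10:01:40",
     "text": "A new process has been created: New Process ID: 3120 Image File Name: " + FF + " Creator Process ID: 1780"},
    {"host": "192.0.2.20", "event_id": 4688, "time": "2012-07-20T11:30:00",   # host not flagged
     "text": "A new process has been created. New Process ID: 0x2b0 New Process Name: " + FF},
    {"host": "192.0.2.10", "event_id": 4688, "time": "2012-07-20T12:00:00",   # different name
     "text": r"A new process has been created. New Process ID: 0x3c8 New Process Name: C:\Temp\notfirefox.exe"},
    {"host": "192.0.2.10", "event_id": 4624, "time": "2012-07-20T12:05:00",   # not process creation
     "text": "An account was successfully logged on."},
]

if __name__ == "__main__":
    for host, times in sorted(startups_on_flagged_hosts(FLAGGED, EVENTS, "firefox.exe").items()):
        print(host, "started firefox.exe at", ", ".join(times))
```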
Not all software executes in a way that will produce the Windows new process event records 592 or 4688. One example is the Adobe Flash Player ActiveX control for Internet Explorer. As mentioned at the beginning of the post, Tenable's Passive Vulnerability Scanner, PVS, can detect vulnerable software in use, including Adobe Flash Player. One such detection is plugin 5783, "The remote host contains an unsupported version of Flash Player".
The templates listed below include reporting on vulnerable desktop software using PVS:
Chrome, Firefox, Opera and Safari (PVS)
Apple Safari, QuickTime and iTunes (PVS)
Adobe AIR, Flash Player and Flash Media Server (PVS)
TeamViewer Detection