Virus Auditing

Keeping Anti-Virus in Check

by Ron Gula on November 20, 2013

Nessus will generate a finding if the scan target has an Anti-Virus agent deployed with the virus detection rules out of date. We've often received feature requests asking us to allow customers to set a grace period (in days) to avoid generating this alert. Such a preference was added this week under the heading 'Antivirus Software Check':

Is the Passive Vulnerability Scanner an Intrusion Detection System?

by Ron Gula on April 29, 2013

When I was at RSA earlier this year, I gave a variety of media interviews and product demos about Tenable solutions. I demonstrated Nessus detecting malicious processes and the Passive Vulnerability Scanner (PVS) providing an audit trail of all network activity that led up to the infection. I also showed how the Log Correlation Engine (LCE) correlated PVS logged DNS queries to known botnets.

Searching for Custom Malicious File Hashes with Nessus

by Ron Gula on March 15, 2013

The Nessus malicious process detection plugins were recently enhanced to allow for searching with custom file hash lists. This allows organizations to add their own sources of malicious file hashes into Tenable's set of cloud-based hashes and botnet checks.

Active and Passive Mandiant APT1 Detection

by Ron Gula on February 20, 2013

The Mandiant APT1 report contains a tremendous amount of detail about attacker techniques, indicators of compromise, and possible adversaries. Most interesting was the large amount of technical detail provided about the indicators of compromise – domain names, SSL certificates, file hashes, and more. Tenable's research team leveraged this information into a wide variety of reporting and detection tools which are now available in Nessus and SecurityCenter.

Enhanced Botnet Detection with Nessus

by Ron Gula on March 22, 2012

Tenable’s Research team recently added the ability for Nessus to evaluate audited hosts to see if they are connected to or configured with a known botnet IP address. In this blog entry, we will review all of the features available within Nessus for botnet and malware detection, as well as the types of features that are available in other Tenable products.

Active and Passive Auditing of DNS Servers in Use – Finding DNSChanger Malware

by Ron Gula on March 5, 2012

Tenable’s Research team recently shipped a variety of Nessus plugins and Passive Vulnerability Scanner (PVS) PASL scripts that audit and detect the DNS servers in use on (and off) your network. These plugins and scripts are leveraged to find systems affected by DNSChanger malware, but they can also be used for a broader audit of DNS servers actively in use. This blog entry describes the new plugins and PASL scripts and how they can be used to audit active DNS servers in use.

Preventing & Detecting Malware: A Multifaceted Approach

by Paul Asadoorian on April 5, 2011

Successful Attacks from Automated Malware Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news: Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center. From LizaMoon SQL Injection Attack Hits Websites LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses that to put redirects on the web site that take users to a site which installs malware. This is not a new form of attack, however the "Lizamoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to not about the numbers of infection is "pages" does not refer to sites, as a site can have multiple infected pages. This type of attack typically works as follows:

Botnet Reputation and Content Scanning in Nessus

by Ron Gula on March 16, 2011

With today’s plugin updates, Nessus now has the capability to warn you of hosts that are being controlled by botnets or hosting links to known malware or phishing sites. Nessus uses a list of botnet infected hosts that is updated daily to search for your scan targets and report if the host is a known botnet zombie or is in command and control node. This is done regardless of the plugins or credentials specified and does not require sending any packets to the host to perform this check. Such hosts have been previously observed as sending malicious traffic to third-party systems across the...

Pages