
Auditing Anti-Virus Configurations and Installations

Previous blogs have described how enterprise customers can use the Nessus Scanner with the Tenable ProfessionalFeed or Security Center to audit anti-virus software. Nessus has many different checks that audit systems to see if the anti-virus engine is installed, running and up to date. We’ve also described how this can be accomplished without adding an additional agent. Lastly, Nessus has many different checks that test for vulnerabilities in the actual anti-virus products themselves.

While this functionality addresses the needs of many of our customers, reporting requirements such as those in the PCI DSS have led to requests for more specific and “official” audits to simply detect if Symantec, McAfee or other common anti-virus software is present. Tenable has recently released several audit policies to look for the presence of common anti-virus products. This blog entry describes the use of these audit policies, how they can be analyzed and how these relate to a variety of compliance requirements.

Configuration Auditing Review

Tenable produces a wide variety of configuration auditing templates which can be uploaded to the Security Center or used with the NessusClient to perform analysis of Unix and Windows operating system settings. These files are called “audit” policies.

Many of Tenable’s audit policies are written with specific configuration requirements from compliance regulations and recommendations such as PCI, FDCC, NSA and CIS. Our CIS and FDCC technology has also been certified by the Center for Internet Security and a NIST certified vendor test lab. 

Below is a screen shot of the Tenable Support Portal, which offers various audit policies for download to Tenable customers:


You can see that the policies are organized with various certification and compliance bodies. For policies such as GLBA, SOX and HIPAA, there are currently no specific configuration guides but Tenable has helped many of our customers develop custom policies to use in their environments.

An entire section has been dedicated to auditing anti-virus products. Updates to the current available audit policies are announced through various RSS feeds which announce new product, log normalization, vulnerability, configuration, sensitive data and passive network monitoring rule updates.

Performing Anti-Virus Auditing

Several new audit policies are available to test for the presence of the following anti-virus technologies:

  • Bitdefender
  • ClamAV
  • Kaspersky
  • McAfee
  • Norton
  • Panda
  • Sophos
  • Symantec
  • Trend Micro

Each technology has different combinations of running processes, registry settings and installation files. Tenable’s Research group has identified a variety of methods to reliably detect these different types of software in an enterprise environment and has used this information to write Nessus audit files.
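As an added illustration, not one of Tenable's published audit files, the fragment below shows how the kinds of evidence just described (a running process plus an installation file) are expressed as Unix .audit check items, using ClamAV as the example; the config path and the assumption that freshclam runs as a daemon come from a typical Debian/Ubuntu ClamAV package layout.

```text
<check_type:"Unix">

# Presence: the engine's configuration file must exist
# (assumed Debian/Ubuntu package path; adjust for your build)
<custom_item>
 type: FILE_CHECK
 description: "ClamAV: clamd configuration file is present"
 file: "/etc/clamav/clamd.conf"
 owner: "root"
</custom_item>

# Running: the scanning daemon must appear in the process list
<custom_item>
 type: PROCESS_CHECK
 description: "ClamAV: clamd scanning daemon is running"
 name: "clamd"
 status: ON
</custom_item>

# Up to date: the signature updater must be running
# (assumes freshclam is run as a daemon rather than from cron)
<custom_item>
 type: PROCESS_CHECK
 description: "ClamAV: freshclam signature updater is running"
 name: "freshclam"
 status: ON
</custom_item>

</check_type>
```

A host that passes the FILE_CHECK but fails the clamd PROCESS_CHECK reports in the same way as the "installed but not running" case shown in the screenshots further down.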

Please keep in mind that over the past few years Tenable has increased the type of analysis that can be performed on anti-virus software:

  • Nessus has always contained checks to look for vulnerable versions of anti-virus software.
  • For the past few years, Nessus has generated an alert if it finds anti-virus software that is not running, is out of date or is otherwise misconfigured.

However, with these new anti-virus audit policies, organizations can choose a policy that reflects their requirement to run a specific technology.

Below are screen shots that show how these audits are run with the NessusClient and Security Center on various systems with various types of installed anti-virus technology: 

[Screenshots: Panda AV (running); Symantec AV (not running); McAfee AV]

To perform these checks you need to download the audit policy for your organization’s anti-virus technology and then configure your NessusClient or Security Center with a scan policy. Configure the scan policy to specify the particular anti-virus audit file and the credentials for the target systems. Keep in mind that multiple audit policies can be run within the same scan policy on both the NessusClient and the Security Center. This could allow you to customize a scan that not only performed a patch audit, but also checked configurations against Center for Internet Security settings as well as to look for your current anti-virus software all at the same time.

Compliance and Governance Reporting

There are many different regulations that require organizations to run anti-virus software. Large organizations may have different technologies deployed in different locations, business units or IT assets. In these cases, tools like the Security Center help to perform a consistent audit against different components of the enterprise. This also makes it easier to identify enterprise-wide issues with the overall anti-virus deployment.

The following compliance standards specifically require anti-virus deployment and directly state that organizations need to demonstrate compliance with these requirements:

  • PCI DSS is the most common commercial regulation that mandates anti-virus software on all systems that process cardholder data. Section 5.1 requires anti-virus to be deployed on all systems and section 5.2 requires that these systems be monitored to verify that they are running and generating logs. These new anti-virus audit policies make it very easy to demonstrate compliance with PCI DSS anti-virus reporting requirements. If the scans performing these audits are part of your daily or weekly operations, non-compliant systems can be detected very quickly.
  • GLBA specifically states that remote users who connect over a VPN must have anti-virus protection installed. If these computers are part of a domain, they can be regularly scanned with credentialed Nessus checks, even over a VPN.
  • NIST Special Publication 800-53 (FISMA) control SI-3 specifically requires federal organizations to take measures to provide protection from malicious software. A comprehensive solution such as Tenable’s product suite can help demonstrate SI-3 compliance and also detect when zero-days and worms penetrate the anti-virus technology.
  • COBIT section DS5.9 calls out a similar need for protecting the network from malicious software.
  • NERC section R4 also calls for the use of anti-virus software on “critical cyber assets” used in the production of reliable electrical power.

Tenable offers the “Real-Time Compliance Monitoring” paper which provides much greater detail on how Tenable’s scanning, logging, configuration auditing and anomaly detection technologies map into the requirements of each of these regulations. We’ve also recently expanded and updated the coverage for PCI 1.2 in a separate “Real-Time PCI Compliance Monitoring” paper. Both of these can be requested from Tenable’s sales staff via email.

For More Information

Previous blogs on auditing anti-virus software with Nessus may be found at these links:

We have also talked about auditing the security of your anti-virus vendor, and how to analyze network traffic and logs to see if they have been targeted by botnets:

As always, if you want to learn more about Nessus and all of Tenable’s products and you don’t have a lot of time, we’ve prepared several informative product demonstration videos.
