
Auditing Anti-Virus Products with Nessus

For credentialed scans of Windows systems, Nessus can detect the presence of many leading anti-virus solutions. This blog entry will discuss what sort of information can be reported, how this is relevant for compliance and vulnerability audits and the specific anti-virus solutions supported.

Auditing Anti-Virus Deployments

Nessus uses credentialed scans of Windows systems to audit local files and registry settings. From these it determines whether an anti-virus solution is present, whether it is actually running and whether it is up to date.

For supported anti-virus solutions, a separate Nessus plugin is used to specifically identify that software and determine if the signatures are up to date. At Tenable, our research group monitors vendor signature updates for each solution and then updates the corresponding Nessus plugin. To take advantage of this sort of auditing, your Nessus scanners should be subscribed to either the Registered Feed or the Direct Feed.

There are many reasons why an anti-virus solution can't receive an updated list of new signatures. Some of these could be due to licensing issues, expiring demos or even network connectivity issues such as DNS or firewall changes. In some cases, malware or a new virus may have gotten into a system and explicitly attacked the existing anti-virus solution.

For IT organizations that wish to minimize complexity, detecting unauthorized anti-virus solutions present on the corporate network is very useful. Having multiple anti-virus solutions on one system can lead to performance, compatibility and stability issues.

Compliance and Vulnerability Auditing

For compliance, if an organization has selected one or more anti-virus solutions, being able to audit this with Nessus can prove to an auditor that a solution is indeed installed, in use and up to date. Relying solely on software enumeration won't tell you if an anti-virus solution has been installed but then disabled. It also won't tell you if the license or network connectivity is up to date.

Depending on the function of a system that is being scanned by Nessus, not having an anti-virus solution may be considered a vulnerability. Also, if a system is assumed to be protected by an anti-virus solution but the solution isn't running or does not have the latest signatures, then it isn't really protected.

Detected Anti-Virus Applications

At the time of this writing, the following anti-virus solutions are detected as installed, running and up-to-date by Nessus:

  • #24232 BitDefender Check
  • #20284 Kaspersky Anti-Virus Check
  • #12107 McAfee Anti Virus Check
  • #21608 NOD32 Antivirus System Check
  • #12106 Norton Anti Virus Check
  • #12215 Sophos Anti Virus Check
  • #20283 Panda Antivirus Check
  • #21725 Symantec Anti Virus Corporate Edition Check
  • #16192 Trend Micro Anti Virus Check
  • #24344 Windows Live OneCare AntiVirus Check

Nessus also has plugin #16193 which aggregates the results from these other plugins. It is useful if you are in a multiple anti-virus solution environment and just want to find hosts that have a solution installed and operational.

The above plugins only report an issue if a problem is found with the detected anti-virus solution. Plugin #16193 reports if a system does have a known working anti-virus solution.
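The reporting behaviour described above can be turned into a per-host triage of scan results. The following is an added example, not Tenable's code: it assumes the scan was exported as .nessus v2 XML (ReportHost and ReportItem elements carrying a pluginID attribute), and the sample data, status labels and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Plugin IDs from the list in this post: each reports only when it finds a problem.
AV_PROBLEM_PLUGINS = {
    "24232": "BitDefender", "20284": "Kaspersky", "12107": "McAfee",
    "21608": "NOD32", "12106": "Norton", "12215": "Sophos",
    "20283": "Panda", "21725": "Symantec Corporate Edition",
    "16192": "Trend Micro", "24344": "Windows Live OneCare",
}
AV_WORKING_PLUGIN = "16193"  # aggregate plugin: a known working AV is present

# Constructed sample (assumed .nessus v2 layout; 99999 is a made-up non-AV plugin).
SAMPLE = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="192.0.2.5"><ReportItem pluginID="16193" port="445"/></ReportHost>
<ReportHost name="192.0.2.6"><ReportItem pluginID="12107" port="445"/></ReportHost>
<ReportHost name="192.0.2.7"><ReportItem pluginID="99999" port="137"/></ReportHost>
<ReportHost name="192.0.2.8"><ReportItem pluginID="12215" port="445"/>
  <ReportItem pluginID="20283" port="445"/></ReportHost>
</Report></NessusClientData_v2>"""

def classify_hosts(xml_text):
    """Return {host: (status, [products whose check reported a problem])}."""
    result = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        fired = {item.get("pluginID") for item in host.iter("ReportItem")}
        problems = sorted(AV_PROBLEM_PLUGINS[p] for p in fired
                          if p in AV_PROBLEM_PLUGINS)
        if problems:
            status = "av_problem"        # installed but not running or out of date
        elif AV_WORKING_PLUGIN in fired:
            status = "av_working"
        else:
            # Neither fired: no supported AV found, or the scan was not credentialed.
            status = "no_av_evidence"
        result[host.get("name")] = (status, problems)
    return result

def asset_list(classified):
    """Hosts that belong in a 'missing or non-operating AV' asset list."""
    return sorted(h for h, (status, _) in classified.items()
                  if status != "av_working")

if __name__ == "__main__":
    hosts = classify_hosts(SAMPLE)
    for name, (status, problems) in sorted(hosts.items()):
        print(name, status, ", ".join(problems))
    print("follow up:", asset_list(hosts))
```

A host in the no_av_evidence bucket still needs its scan credentials confirmed before it is treated as unprotected, since these checks depend on credentialed access.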

Additional Tenable Solutions

The Security Center can be used to aggregate scan results and place systems without anti-virus, or non-operating anti-virus solutions into a unique asset list. These lists can then be used for reporting, scanning, IDS event monitoring and anomaly detection with the understanding that systems without AV are more likely to become infected.

If the Passive Vulnerability Scanner is also in use, then the asset lists could be further qualified to only discover systems without anti-virus solutions that are browsing on the Internet. Windows systems that browse the Internet without some sort of anti-virus solution may be more likely to become infected. The Passive Vulnerability Scanner also has the ability to monitor the update process for several different anti-virus solutions and identify them without the need for scanning.

For Additional Information

The following is a list of various white papers, Tenable blog posts and Nessus checks that relate to detecting both anti-virus solutions as well as virus infections: 
