
Auditing Anti-virus Software without an Agent

Most enterprises are required to run some sort of anti-virus (AV) software on all or a portion of their desktops and servers and to report on the status of the deployment. This blog entry discusses some of the limits of self-reporting within an anti-virus application and how Nessus can help you detect systems that are not AV compliant.

Self Reporting with Anti-Virus Software

Enterprise versions of most anti-virus software typically include a central management console that enables the organization to track which systems have AV installed, the software version and the status of the AV signatures. What these products cannot do is tell administrators about the systems they don't know about: those without AV installed at all.

The detection mechanism, and how this information is reported, varies from vendor to vendor. Each vendor's central management console may use a different mechanism to report whether the anti-virus agent software is installed, whether it is running and when it last had a signature update. A console that does not display all of this information can provide a false sense of security that a host is indeed protected by some form of AV. In addition, this type of technology only reports on AV agents from that specific vendor, ignoring mixed vendor environments.

Lastly, most anti-virus products can only report on the systems they are installed on, not on other nodes or systems in the network that are not in the management system. Some agents do keep a list of unique Ethernet addresses and then attempt to reconcile this list at the management console. This may help identify some nodes without anti-virus software, but it does not find devices that have been filtered, are behind screening devices or are simply not communicated with.

Performing an Audit with Nessus

Previous blog posts have discussed how a Nessus credentialed scan can be used to identify if common anti-virus software is installed, if it is running AND if its signatures are up to date. This blog was recently updated to reflect support for testing Sophos and Windows Live OneCare.

Clearly, there are several advantages to this approach.

  • No need for an agent - Many organizations wish to avoid deploying more agents to their desktops and servers. Agent-based solutions that can be used to audit installed software increase the complexity and potential attack space of a network. They also require that third party visitors to the organization install an agent to ensure AV compliance. A Nessus credentialed audit does not require an agent to be installed on the target.
  • Support for a heterogeneous environment - Since Nessus is not dependent on a specific vendor's anti-virus technology, it can be used to identify deployed solutions in a multi-vendor environment, common to larger enterprises.
  • Verification of signature updates - Nessus independently reports any discrepancies in signature updates, or if the anti-virus solution is installed, but not running.
  • Validation of AV software - During the credentialed audit, Nessus will also test for the presence of anti-virus software that is vulnerable. There has been some discussion of this in recent blog postings about the increasing trend towards vulnerabilities contributed by anti-virus solutions. Nessus has checks for vulnerabilities in many host security agents including Symantec, Trend Micro, CA eTrust, Clam AV, NOD 32, Kaspersky, McAfee, F-PROT and Sophos.
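The reconciliation that the self-reporting section says a single-vendor console cannot do, combined with the installed / running / signature checks listed above, can be sketched as follows. This is an added example, not Tenable's code or Nessus output: the record layout, host names, MAC addresses and the 7-day signature age threshold are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data (not real scanner or console output).
# Hypothetical AV console export: only hosts that have the vendor's agent.
CONSOLE = [
    {"mac": "00-1A-2B-00-00-01", "host": "ws-01"},
    {"mac": "00:1a:2b:00:00:02", "host": "ws-02"},
]
# Hypothetical per-host results of an agentless credentialed audit.
SCAN = [
    {"mac": "00:1A:2B:00:00:01", "host": "ws-01", "av": "VendorA",
     "running": True, "sig_date": date(2024, 5, 30)},
    {"mac": "00:1A:2B:00:00:02", "host": "ws-02", "av": "VendorA",
     "running": False, "sig_date": date(2024, 5, 30)},
    {"mac": "00:1A:2B:00:00:03", "host": "srv-01", "av": "VendorB",
     "running": True, "sig_date": date(2024, 4, 1)},
    {"mac": "00:1A:2B:00:00:04", "host": "kiosk-01", "av": None,
     "running": False, "sig_date": None},
]

def norm_mac(mac):
    """Normalise MAC notation so console and scan records compare equal."""
    return mac.replace("-", ":").lower()

def audit(scan, console, today, max_sig_age_days=7):
    """Return {host: [findings]} for every host that is not AV compliant."""
    managed = {norm_mac(c["mac"]) for c in console}
    report = {}
    for h in scan:
        findings = []
        if h["av"] is None:
            findings.append("no AV installed")
        else:
            if not h["running"]:
                findings.append("AV installed but not running")
            if h["sig_date"] is None:
                findings.append("signature date unknown")
            elif (today - h["sig_date"]).days > max_sig_age_days:
                findings.append("signatures out of date")
        # Hosts the vendor console has never heard of (the self-reporting gap).
        if norm_mac(h["mac"]) not in managed:
            findings.append("unknown to AV console")
        if findings:
            report[h["host"]] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(SCAN, CONSOLE, date(2024, 6, 1)).items():
        print(f"{host}: {', '.join(findings)}")
```

In the constructed data, srv-01 runs a second vendor's product and kiosk-01 has no AV at all, so neither appears in the first vendor's console; only the independent scan surfaces them.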

Your organization is also likely deploying more than one technology (other than AV) to defeat the threat of virus outbreaks. Examples include system hardening, the use of desktop firewalls and having traffic flow through proxy servers. ProfessionalFeed users can make use of Nessus's ability to audit system configurations to ensure the following:

  • The corporate authorized web browser is enabled and configured correctly
  • Proxy settings are in effect to require web browsing to go through other forms of inspection
  • The system itself has been hardened to limit the impact of a successful virus compromise
  • The system is running the corporate standard(s) for Anti-virus software

For More Information

The following Tenable blog entries discuss virus discovery, anti-virus auditing and software discovery:
