Tenable Blog

Auditing Anti-virus Software without an Agent

Most enterprises are required to run some sort of anti-virus (AV) software on all or a portion of their desktops and servers and to report on the status of the deployment. This blog entry discusses some of the limits of self-reporting within an anti-virus application and how Nessus can help you detect systems that are not AV compliant.

Self Reporting with Anti-Virus Software

Enterprise versions of most anti-virus software typically include a central management console that enables the organization to track which systems have AV installed, the software version and the status of the AV signatures. What these products cannot do is tell administrators about the systems they don't know about - those without AV installed at all.

The detection mechanism, and how this information is reported, varies from vendor to vendor. Each vendor's central management console may use a different mechanism to report whether the anti-virus agent is installed, whether it is running and when it last received a signature update. A console that does not display all of this information can provide a false sense of security that a host is indeed protected by some form of AV. In addition, this type of technology only reports on AV agents from that specific vendor, ignoring mixed-vendor environments.

Lastly, most anti-virus products can only report on the systems they are installed on, not on other nodes in the network that are absent from the management system. Some agents do keep a list of the unique Ethernet addresses they see and then attempt to reconcile this list at the management console. This may help identify some nodes without anti-virus software, but it does not find devices that have been filtered, are behind screening devices or that the agents simply never communicate with.

Performing an Audit with Nessus

Previous blog posts have discussed how a Nessus credentialed scan can be used to identify whether common anti-virus software is installed, whether it is running and whether its signatures are up to date. This blog was recently updated to reflect support for testing Sophos and Windows Live OneCare.

Clearly, there are several advantages to this approach.

  • No need for an agent - Many organizations wish to avoid deploying more agents to their desktops and servers. Agent-based solutions that can be used to audit installed software increase the complexity and potential attack space of a network. They also require that third-party visitors to the organization install an agent to ensure AV compliance. A Nessus credentialed audit does not require an agent to be installed on the target.
  • Support for a heterogeneous environment - Since Nessus is not dependent on a specific vendor's anti-virus technology, it can be used to identify deployed solutions in a multi-vendor environment, common to larger enterprises.
  • Verification of signature updates - Nessus independently reports any discrepancies in signature updates, or if the anti-virus solution is installed, but not running.
  • Validation of AV software - During the credentialed audit, Nessus will also test for the presence of anti-virus software that is vulnerable. There has been some discussion of this in recent blog postings about the increasing trend towards vulnerabilities contributed from anti-virus solutions. Nessus has checks for vulnerabilities in many host security agents including Symantec, Trend Micro, CA eTrust, Clam AV, NOD 32, Kaspersky, McAfee, F-PROT and Sophos.
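
The reconciliation described above, between what one vendor's console knows and what an independent audit finds on each host, can be sketched as follows. This is an added example, not Tenable's code or Nessus output: the record fields, the 7-day signature threshold and all host and vendor names are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not Nessus or vendor output.
CONSOLE_HOSTS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}  # hosts VendorA's console knows
SCAN_RESULTS = [
    {"host": "10.0.0.11", "vendor": "VendorA", "running": True, "sig_date": date(2024, 5, 30)},
    {"host": "10.0.0.12", "vendor": "VendorA", "running": False, "sig_date": date(2024, 5, 30)},
    {"host": "10.0.0.13", "vendor": "VendorA", "running": True, "sig_date": date(2024, 4, 1)},
    {"host": "10.0.0.14", "vendor": "VendorB", "running": True, "sig_date": date(2024, 5, 29)},
    {"host": "10.0.0.15", "vendor": None, "running": False, "sig_date": None},
]


def classify(record, today, max_sig_age_days=7):
    """Apply the three audit questions in order: installed, running, signatures current."""
    if record["vendor"] is None:
        return "no_av_installed"
    if not record["running"]:
        return "installed_not_running"
    sig = record["sig_date"]
    if sig is None or (today - sig).days > max_sig_age_days:
        return "stale_signatures"
    return "compliant"


def audit(scan_results, console_hosts, today, max_sig_age_days=7):
    """Merge independent scan findings with the console's own inventory."""
    report = {}
    for rec in scan_results:
        report[rec["host"]] = {
            "status": classify(rec, today, max_sig_age_days),
            "in_console": rec["host"] in console_hosts,
        }
    # Hosts the console lists but the scan never reached still need follow-up.
    for host in console_hosts - set(report):
        report[host] = {"status": "not_scanned", "in_console": True}
    return report


def blind_spots(report):
    """Non-compliant hosts the console cannot report on because it never saw them."""
    return sorted(h for h, r in report.items()
                  if not r["in_console"] and r["status"] != "compliant")


if __name__ == "__main__":
    result = audit(SCAN_RESULTS, CONSOLE_HOSTS, today=date(2024, 6, 1))
    for host in sorted(result):
        print(host, result[host])
    print("blind spots:", blind_spots(result))
```

Hosts flagged with `in_console` false but a `compliant` status are the mixed-vendor case: protected, but invisible to a single vendor's console.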

Your organization is also likely deploying more than one technology (other than AV) to defeat the threat of virus outbreaks. Examples include system hardening, the use of desktop firewalls and having traffic flow through proxy servers. ProfessionalFeed users can make use of Nessus's ability to audit system configurations to ensure the following:

  • The corporate authorized web browser is enabled and configured correctly
  • Proxy settings are in effect to require web browsing to go through other forms of inspection
  • The system itself has been hardened to limit the impact of a successful virus compromise
  • The system is running the corporate standard(s) for Anti-virus software

For More Information

The following Tenable blog entries discuss virus discovery, anti-virus auditing and software discovery:
