Nessus and the Fight against Viruses

We’ve blogged many times over the past few years about how Nessus can be used to scan systems for both the presence of some viruses as well as the presence of an effective antivirus solution. This blog provides an overview of all current Nessus virus and antivirus technologies available to HomeFeed, ProfessionalFeed and SecurityCenter users.

Scanning without Credentials for Virus and Backdoors

Nessus has a variety of checks that attempt to identify specific virus infections and backdoors through interaction with a network service. The best example of this is plugin #36217 that detects the Conficker P2P service. Other recent examples include un-credentialed checks to look for Arugizer, the Unreal IRC backdoor and Zotob worm. Nessus also looks at web servers to see if they are hosting JavaScript with known hostile links that can indicate you may have a compromised web server.

Nessus also has several other forms of generic virus “service” detection. The first is plugin #33950 that evaluates data transmitted from a service to see if it is a Microsoft executable. Botnets and viruses often download exploit code and the command and control network to deliver payload en masse. Some other examples of plugins that detect indication of a virus, infection or compromise:

• If plugin #33950 finds an executable being served on your network, you likely have some sort of compromise.
• Plugin #35322 checks for executables being served by web servers.
• Nessus plugin #33951 looks at the actual banners on the services being scanned and looks for indication that these banners are from known compromised daemons.

Perusing the Nessus “Backdoors” plugin family (some of which are credentialed checks) can provide a sense of the types of audits Nessus can perform. Everything discussed is available in both the HomeFeed and ProfessionalFeed of Nessus.

Scanning with Credentials for Viruses

Tenable’s Research team has also leveraged Nessus’s ability to inspect files and registry settings on Windows systems that are audited with credentials. This allows Nessus to search for files, processes and other indicators from a documented virus.Recent examples include detection of several Zeus and Zbot variants as well as the Energizer USB backdoor. 

A common technique for viruses and worms to follow is to alter a Windows system’s DNS records. Nessus plugin #23910 checks the HOSTS file to see if there are any entries for antivirus vendors. If such an entry has been found, it is likely that the system’s antivirus software has been subverted.

Everything discussed is available in both the HomeFeed and ProfessionalFeed of Nessus.

Using Nessus Configuration Audits to find Backdoors and Viruses

Tenable ProfessionalFeed and SecurityCenter users can take advantage of Nessus’s configuration auditing functions. These checks require credentials and can be performed during a patch audit.

If you know about a certain type of file, registry setting or process that indicates the presence of a virus, you can use a Nessus .audit policy to write a check for this. We’ve blogged in the past about how to create a .audit file that can test for known virus indicators.

If you are in a large enterprise and have credentials for the hosts you are monitoring, the ability to scan with Nessus or multiple Nessus scanners and SecurityCenter can help you quickly audit your network for indicators of a known infection.

Tenable’s Research team has also written .audit files for specific viruses. Example polices for Arugizer, Spyeye, Storm, TDSS/TLD3 and Warbot are all available for download from the Tenable Support Portal.

Nessus users who write their own polices are encouraged to share them on the Tenable Discussion Forum.

Scanning for Out of Date and Mis-configured Antivirus Agents

Nessus has several plugins that identify common antivirus solutions and checks to see if their signature database is out of date. The list of supported antivirus solutions includes:

• BitDefender
• ESET NOD32
• Kaspersky
• McAfee
• Panda
• Sophos
• Symantec
• Trend Micro
• Windows Live OneCare

Nessus plugin #45051 enumerates any antivirus software on a Windows host via WMI. Nessus also checks for many vulnerabilities in antivirus agents – don’t forget about fixing those! These checks are available to HomeFeed and ProfessionalFeed Nessus users.

In addition to these checks, Nessus .audit files are available for most major antivirus vendors to ensure the agents are installed correctly, set to execute during boot-up and are actually running. This type of audit is a common requirement for FISMA and PCI DSS reporting. It also ensures that your organization has a uniform antivirus strategy and common configuration. Audit polices for Nessus and SecurityCenter configuration audits are available from the Tenable Support Portal.

Unified Security Monitoring

Tenable’s Passive Vulnerability Scanner and Log Correlation Engine are very useful in the detection of viruses, as well as stealthier custom malware. When managed by SecurityCenter, data from vulnerabilities, configurations, logs and network traffic can be combined to audit:

• New processes running on servers that indicate abuse
• Changes to executables and configuration files
• New user and group modifications
• Spikes in intrusion detection events and network traffic
• Firewall “deny” events that indicate a compromised system
• Logging of all DNS and Web URIs for correlation and log search
• much more!

For More Information

Please feel free to discuss the process of finding infections with Nessus or auditing antivirus configurations on the Tenable Discussion Forum. Tenable offers several demonstration videos of Nessus on our Youtube channel and also several SecurityCenter demo videos are hosted on nessus.org.