Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Plugin Updates: Malicious Process & Botnet Detection

Malicious Process Detection Updates

A short time ago, Tenable released a new plugin to perform Malicious Process Detection (plugin ID 59275). Originally, it identified all possible malicious processes and reported the risk level as "High." This has now been split into two plugins; the original plugin that detects processes as malware which now uses the risk level of "critical," and a new plugin titled Malicious Process Detection: Potentially Unwanted Software (plugin ID 59641):

Maliciousprocess new sm
Click for larger image

The difference between the two plugins is the intent of the malicious software. For example, "Netcat" is a popular tool that can be used for network troubleshooting or by attackers for "evil" purposes such as backdoors. These two separate malware plugins will allow customers to more easily differentiate between policy violations and systems that are infected with malware unmistakable for any legitimate program.

Inbound & Outbound Botnet Detection

The botnet database-checking plugin now differentiates between outbound and inbound connections associated with botnet activity:

Often times, a busy email server or Skype user will trigger plugin 59713, meaning a host participating in a botnet is connecting to one of your systems. While this behavior may be suspicious, it is not a definitive indication that your system is compromised. For this reason, plugin 59713 is classified as risk factor of "none." However, if a system in your environment has an outbound connection to a host known to be participating in a botnet, this can be a strong indication of being compromised (therefore earning a risk factor of "high").

Conclusion

By separating both the malicious process and botnet host detection plugins, we hope to allow customers to more easily prioritize, and react, to events that require immediate action. You can now filter on plugins 58430 (Active Outbound Connection to Host Listed in Known Bot Database) and 59275 (Malicious Process Detection) and quickly review more critical security issues in your network.

Resources

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.