
Plugin Updates: Malicious Process & Botnet Detection

Malicious Process Detection Updates

A short time ago, Tenable released a new plugin to perform Malicious Process Detection (plugin ID 59275). Originally, it identified all possible malicious processes and reported the risk level as "High." This has now been split into two plugins: the original plugin, which detects processes identified as malware and now uses the risk level of "critical," and a new plugin titled Malicious Process Detection: Potentially Unwanted Software (plugin ID 59641).


The difference between the two plugins is the intent of the software. For example, "Netcat" is a popular tool that can be used for network troubleshooting or by attackers for "evil" purposes such as backdoors. These two separate malware plugins will allow customers to more easily differentiate between policy violations and systems infected with malware that cannot be mistaken for any legitimate program.

Inbound & Outbound Botnet Detection

The botnet database-checking plugin now differentiates between outbound and inbound connections associated with botnet activity:

Oftentimes, a busy email server or Skype user will trigger plugin 59713, meaning a host participating in a botnet is connecting to one of your systems. While this behavior may be suspicious, it is not a definitive indication that your system is compromised. For this reason, plugin 59713 is classified with a risk factor of "none." However, if a system in your environment has an outbound connection to a host known to be participating in a botnet, this can be a strong indication of compromise (therefore earning a risk factor of "high").

Conclusion

By separating both the malicious process and botnet host detection plugins, we hope to allow customers to more easily prioritize, and react to, events that require immediate action. You can now filter on plugins 58430 (Active Outbound Connection to Host Listed in Known Bot Database) and 59275 (Malicious Process Detection) and quickly review more critical security issues in your network.
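The filtering described above can also be applied to exported scan results. The following is an added example, not Tenable code: it buckets hosts by the four plugin IDs named in this post, assuming a CSV export with `Plugin ID` and `Host` columns; the bucket names and sample rows are constructed for illustration.

```python
import csv
import io

# Plugin IDs are the four named in the post; bucket names are this example's own.
BUCKET = {
    "59275": "act-now",        # Malicious Process Detection
    "58430": "act-now",        # Active Outbound Connection to Host Listed in Known Bot Database
    "59641": "policy-review",  # Malicious Process Detection: Potentially Unwanted Software
    "59713": "informational",  # inbound connection from a host participating in a botnet
}
ORDER = ["act-now", "policy-review", "informational"]

# Constructed sample export. Column names are assumed; 99999 is a made-up unrelated plugin ID.
SAMPLE_CSV = """Plugin ID,Host
59275,10.0.0.5
59713,10.0.0.5
59641,10.0.0.8
59713,10.0.0.9
99999,10.0.0.9
58430,10.0.0.12
59641,10.0.0.12
"""

def triage(csv_text):
    """Return {bucket: {host: [plugin IDs]}}, filing each host under its most urgent bucket."""
    per_host = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = (row.get("Plugin ID") or "").strip()
        host = (row.get("Host") or "").strip()
        if pid in BUCKET and host:
            per_host.setdefault(host, set()).add(pid)
    result = {bucket: {} for bucket in ORDER}
    for host, pids in per_host.items():
        # A host with several findings is listed once, under the most urgent one.
        worst = min((BUCKET[p] for p in pids), key=ORDER.index)
        result[worst][host] = sorted(pids)
    return result

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_CSV).items():
        for host, pids in sorted(hosts.items()):
            print(f"{bucket:14} {host:12} plugins={','.join(pids)}")
```

A host that triggers only 59713 stays in the informational bucket, while the same finding alongside 59275 or 58430 is carried as supporting context for the urgent one.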
