Virus Detection Audit Policies

Audit policies produced by Tenable's Research group that scan Windows hosts for artifacts (files, running processes and registry keys) left behind by known trojans, rootkits and other malware.

Virus Detection Policies

File: tdss.audit
Description: Detects the presence of the TDSS/TDL3 rootkit, which may indicate that this and other malware is installed. The audit checks for registry keys commonly associated with this rootkit. (Last updated February 25, 2010.)

File: jkddos.audit
Description: Looks for signs of infection by the JKDDOS malware. JKDDOS is a distributed denial of service bot that enlists infected systems in DDoS attacks against targets of the attacker's choosing. (Last updated March 14, 2011.)

File: storm.audit
Description: Detects infections by the W32/Pecoan.AG worm, also called Storm Worm 2.0. The audit looks for both the command and control component and the spam email component associated with it. (Last updated July 12, 2010.)

File: Warbot.audit
Description: Warbot is a trojan that allows execution of arbitrary files on the infected system and enlists it in DDoS attacks. The audit looks for signs of infection on a system. (Last updated May 24, 2010.)

File: viral_file.audit
Description: Determines whether a specific virus is infecting hosts by checking for files it drops. The example given represents a virus that drops two statically named files in a known path. (Last updated January 14, 2009.)

File: APT1.audit
Description: Checks for possible infection by several of the malware families identified in the Mandiant Intelligence Center Report "APT1: Exposing One of China's Cyber Espionage Units" and the Symantec Security Response whitepaper "Comment Crew: Indicators of Compromise". (Last updated February 25, 2013.)

File: spyeye.audit
Description: Looks for files on the system that indicate infection by the SpyEye trojan. The files are hidden by a rootkit and are not visible to an end user. (Last updated April 9, 2010.)

File: viral_process.audit
Description: Determines whether binaries commonly executed by viruses are currently running. The examples given represent a virus that launches two specific files. (Last updated January 21, 2009.)

File: BACKDOOR-arugizer.audit
Description: Determines whether the Arugizer backdoor is infecting hosts. The audit searches for a specific registry key that indicates the backdoor is installed and configured to run automatically. (Last updated March 9, 2010.)

File: viral_registry.audit
Description: Determines whether a specific virus is infecting hosts by examining the registry. Two kinds of example are given: one that checks for a key in a known, fixed location, and one that checks for a key under a user hive with an unknown SID beneath HKEY_USERS. (Last updated July 6, 2010.)

File: duqu.audit
Description: Detects signs of infection by the Duqu malware. Duqu is an advanced threat that focuses on collecting information from infected systems and reporting it back to command and control servers. (Last updated October 27, 2011.)
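The three generic policies above (viral_file.audit, viral_process.audit and viral_registry.audit) describe the same three host checks: statically named files in a known path, known binaries currently running, and a registry key either at a fixed location or under a per-user hive whose SID is not known in advance. The PowerShell script below is an added example that performs those checks locally; it is not one of Tenable's .audit files and does not use the .audit syntax. Every file name, process name and registry path in it is a constructed placeholder for illustration, not an indicator of any real malware family.

```powershell
# Added example (not a Tenable .audit file): local host check mirroring the
# three generic techniques described above:
#   1. statically named files dropped in a known path   (viral_file.audit)
#   2. known malicious binaries currently running        (viral_process.audit)
#   3. a registry value in a fixed location, and a key under an unknown
#      per-user SID beneath HKEY_USERS                   (viral_registry.audit)
# All indicators below are constructed placeholders, not real IOCs.

$Indicators = @{
    Files     = @('C:\Windows\System32\example_dropper.dll',
                  'C:\Windows\System32\example_payload.exe')
    Processes = @('example_payload', 'example_svc')   # image names without .exe
    HklmKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    HklmValue = 'ExampleLoader'                       # hypothetical autorun value name
    HkuSubKey = 'Software\ExampleMalware'             # hypothetical per-user key
}

function Test-FileIndicators {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # -LiteralPath avoids wildcard expansion of odd characters in the path.
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            [pscustomobject]@{ Type = 'File'; Indicator = $p
                               Detail = "$((Get-Item -LiteralPath $p).Length) bytes" }
        }
    }
}

function Test-ProcessIndicators {
    param([string[]]$Names)
    foreach ($n in $Names) {
        Get-Process -Name $n -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Type = 'Process'; Indicator = $n
                               Detail = "PID $($_.Id) $($_.Path)" }
        }
    }
}

function Test-RegistryIndicators {
    param([string]$Key, [string]$ValueName, [string]$HkuSubKey)
    # Fixed location: a named value under a well-known autorun key.
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        [pscustomobject]@{ Type = 'Registry'; Indicator = "$Key\$ValueName"
                           Detail = $item.$ValueName }
    }
    # Unknown SID: enumerate the user hives loaded under HKEY_USERS and look for
    # the sub-key beneath each one. Only hives of logged-on (or loaded) users are
    # visible here; hives of logged-off users are not mounted.
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and
                       $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $path = "Registry::HKEY_USERS\$($_.PSChildName)\$HkuSubKey"
            if (Test-Path -LiteralPath $path) {
                [pscustomobject]@{ Type = 'Registry'; Detail = 'present'
                                   Indicator = "HKU\$($_.PSChildName)\$HkuSubKey" }
            }
        }
}

$hits = @(
    Test-FileIndicators     -Paths $Indicators.Files
    Test-ProcessIndicators  -Names $Indicators.Processes
    Test-RegistryIndicators -Key $Indicators.HklmKey -ValueName $Indicators.HklmValue `
                            -HkuSubKey $Indicators.HkuSubKey
)

if ($hits.Count -eq 0) {
    Write-Output 'PASSED: no indicators found'
} else {
    $hits | Format-Table Type, Indicator, Detail -AutoSize
    exit 1   # non-zero so a scheduler or scan wrapper records the failure
}
```

Run it from an elevated prompt so HKEY_USERS and System32 are readable. Two caveats carry over to the real audits: the HKEY_USERS enumeration only sees hives that are currently loaded, and, as the spyeye.audit entry notes, a kernel rootkit that hides its files or keys will also hide them from an on-host check like this one, since Test-Path and Get-Process use the same Windows APIs the rootkit hooks. A credentialed network scan is subject to the same limitation, so a clean result on a host that shows other symptoms is not proof of absence.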