Auditing Anti-Virus Products with Nessus
For credentialed scans of Windows systems, Nessus can detect the presence of many leading anti-virus solutions. This blog entry will discuss what sort of information can be reported, how this is relevant for compliance and vulnerability audits and the specific anti-virus solutions supported.
Auditing Anti-Virus Deployments
Nessus uses credentialed scans of Windows systems to audit local files and registry settings and determine whether an anti-virus solution is present, whether it is actually running, and whether it is up to date.
For supported anti-virus solutions, a separate Nessus plugin is used to specifically identify that software and determine if the signatures are up to date. At Tenable, our research group monitors vendor signature updates for each solution and then updates the corresponding Nessus plugin. To take advantage of this sort of auditing, your Nessus scanners should be subscribed for either the Registered Feed or the Direct Feed.
There are many reasons why an anti-virus solution might fail to receive an updated list of new signatures: licensing issues, expiring demo versions, or network connectivity problems such as DNS or firewall changes. In some cases, malware or a new virus may have gotten into a system and explicitly attacked the existing anti-virus solution.
For IT organizations that wish to minimize complexity, detecting unauthorized anti-virus solutions present on the corporate network is very useful. Having multiple anti-virus solutions on one system can lead to performance, compatibility and stability issues.
Compliance and Vulnerability Auditing
For compliance, if an organization has selected one or more anti-virus solutions, being able to audit this with Nessus can prove to an auditor that a solution is indeed installed, in use and up to date. Relying solely on software enumeration won't tell you whether an installed anti-virus product has since been disabled. It also won't tell you whether the license is still valid or whether the product can still reach its update servers.
Depending on the function of a system being scanned by Nessus, not having an anti-virus solution may be considered a vulnerability. Also, if it is assumed that a system is protected by an anti-virus solution, but the solution isn't actually running or does not have the latest signatures, then it isn't really protected.
Detected Anti-Virus Applications
At the time of this writing, the following anti-virus solutions are detected as installed, running and up-to-date by Nessus:
- #24232 BitDefender Check
- #20284 Kaspersky Anti-Virus Check
- #12107 McAfee Anti Virus Check
- #21608 NOD32 Antivirus System Check
- #12106 Norton Anti Virus Check
- #12215 Sophos Anti Virus Check
- #20283 Panda Antivirus Check
- #21725 Symantec Anti Virus Corporate Edition Check
- #16192 Trend Micro Anti Virus Check
- #24344 Windows Live OneCare AntiVirus Check
Nessus also has plugin #16193 which aggregates the results from these other plugins. It is useful if you are in a multiple anti-virus solution environment and just want to find hosts that have a solution installed and operational.
The above plugins only report an issue if a problem is found with the detected anti-virus solution. Plugin #16193 reports if a system does have a known working anti-virus solution.
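To make the audit logic described above concrete (per-product checks for presence, running state and signature freshness, and an aggregate "does this host have a working anti-virus" verdict in the spirit of plugin #16193, with the unprotected hosts grouped into an asset list), here is an added example that models it in Python. This is not Nessus plugin code and not Tenable's: the product profiles, registry keys, service names, signature dates and host snapshots are constructed placeholders, and the seven-day lag threshold is an assumed policy value.

```python
"""Added example: a model of a credentialed anti-virus audit (presence,
running, up to date) plus a per-host aggregate verdict. Not Nessus plugin
code; every product name, registry key, service name, date and host below is
a constructed placeholder."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ProductProfile:
    """What the auditor knows about one anti-virus product (placeholder values)."""
    name: str
    install_key: str          # registry key whose presence means "installed"
    service: str              # service that must be running for protection
    latest_signature: date    # newest vendor signature release the auditor tracks


@dataclass
class HostSnapshot:
    """Registry, service and file facts gathered by a credentialed scan (constructed)."""
    hostname: str
    registry_keys: set[str]
    running_services: set[str]
    signature_dates: dict[str, date]   # product name -> signature date found on disk


@dataclass(frozen=True)
class Finding:
    product: str
    issue: str


def check_product(profile: ProductProfile, host: HostSnapshot,
                  max_lag: timedelta) -> tuple[bool, Finding | None]:
    """Per-product check. Returns (installed, finding); the finding is None when
    the product is absent (nothing to report) or installed, running and current."""
    if profile.install_key not in host.registry_keys:
        return False, None
    if profile.service not in host.running_services:
        return True, Finding(profile.name, "installed but service not running")
    found = host.signature_dates.get(profile.name)
    if found is None:
        return True, Finding(profile.name, "installed but no signature date found")
    if profile.latest_signature - found > max_lag:
        return True, Finding(
            profile.name,
            f"signatures dated {found} lag vendor release {profile.latest_signature}")
    return True, None


def audit_host(host: HostSnapshot, profiles: list[ProductProfile],
               max_lag: timedelta = timedelta(days=7)) -> dict:
    """Aggregate verdict for one host: protected means at least one product is
    installed with no finding; multiple_av flags overlapping installs."""
    installed, findings = [], []
    for profile in profiles:
        present, finding = check_product(profile, host, max_lag)
        if present:
            installed.append(profile.name)
        if finding is not None:
            findings.append(finding)
    flagged = {f.product for f in findings}
    return {
        "host": host.hostname,
        "installed": installed,
        "findings": findings,
        "protected": any(name not in flagged for name in installed),
        "multiple_av": len(installed) > 1,
    }


def unprotected_hosts(reports: list[dict]) -> list[str]:
    """Asset-list style grouping: hosts with no working anti-virus."""
    return sorted(r["host"] for r in reports if not r["protected"])


# Constructed sample data (placeholder keys, services and dates).
LATEST = date(2007, 3, 1)
PROFILES = [
    ProductProfile("ExampleAV", r"HKLM\SOFTWARE\ExampleAV", "ExampleAVSvc", LATEST),
    ProductProfile("OtherAV", r"HKLM\SOFTWARE\OtherAV", "OtherAVSvc", LATEST),
]
HOSTS = [
    HostSnapshot("ws-healthy", {r"HKLM\SOFTWARE\ExampleAV"}, {"ExampleAVSvc"},
                 {"ExampleAV": date(2007, 2, 28)}),
    HostSnapshot("ws-stopped", {r"HKLM\SOFTWARE\ExampleAV"}, set(),
                 {"ExampleAV": date(2007, 2, 28)}),
    HostSnapshot("ws-dual", {r"HKLM\SOFTWARE\ExampleAV", r"HKLM\SOFTWARE\OtherAV"},
                 {"ExampleAVSvc", "OtherAVSvc"},
                 {"ExampleAV": date(2007, 1, 15), "OtherAV": date(2007, 3, 1)}),
    HostSnapshot("ws-bare", set(), set(), {}),
]


def run_demo() -> list[dict]:
    return [audit_host(h, PROFILES) for h in HOSTS]


if __name__ == "__main__":
    for report in run_demo():
        state = "protected" if report["protected"] else "UNPROTECTED"
        print(report["host"], state, [f.issue for f in report["findings"]])
    print("asset list, no working AV:", unprotected_hosts(run_demo()))
```

The per-product function stays silent when a product is simply absent, matching the behaviour described for the individual plugins, while the aggregate verdict is what answers the compliance question of whether a host has any working anti-virus at all; a host with two products where one is stale still counts as protected, but is flagged for the overlap.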
Additional Tenable Solutions
The Security Center can be used to aggregate scan results and place systems without anti-virus, or non-operating anti-virus solutions into a unique asset list. These lists can then be used for reporting, scanning, IDS event monitoring and anomaly detection with the understanding that systems without AV are more likely to become infected.
If the Passive Vulnerability Scanner is also in use, the asset lists can be further narrowed to systems without anti-virus that are also browsing the Internet. Windows systems that browse the Internet without some sort of anti-virus solution may be more likely to become infected. The Passive Vulnerability Scanner can also monitor the update process for several different anti-virus solutions and identify them without the need for scanning.
For Additional Information
The following is a list of various white papers, Tenable blog posts and Nessus checks that relate to detecting both anti-virus solutions as well as virus infections:
- The Antivirus Challenge (PDF)
- Hunting Symantec Worms (Blog Post)
- Detecting Compromised Windows Hosts Infected (Blog Post)
- #11329 The remote host is infected by a virus (Nessus Check)