12 posts categorized "Virus Auditing"

 

#9 Nessus Detects Misconfiguration (Video) - Top Ten Things You Didn't Know About Nessus

Next up on our Nessus top ten list is #9, which covers how to use Nessus configuration auditing to discover information about your system configurations. The following video presents use cases and examples, from PCI compliance to detecting viruses:

Please visit Tenable's YouTube channel for more Nessus and SecurityCenter videos!

 

"LizaMoon" Detection Added to Nessus, PVS and LCE

Nessus plugin 29871 has been updated to look for the presence of malicious JavaScript on a remote web site.

(See Attack on ASP site that uses a SQL server database)

Below is an example of the plugin report:

[Screenshot: example Nessus malware detection plugin report (NessusMalwareDetect-sm.png)]

Continue reading ""LizaMoon" Detection Added to Nessus, PVS and LCE" »

 

Preventing & Detecting Malware: A Multifaceted Approach

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center.

From LizaMoon SQL Injection Attack Hits Websites

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses them to place redirects on the web site that take users to a site which installs malware. This is not a new form of attack; however, the "LizaMoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to note about the infection numbers is that "pages" does not refer to sites, as a site can have multiple infected pages. This type of attack typically works as follows:

Continue reading "Preventing & Detecting Malware: A Multifaceted Approach" »

 

Botnet Reputation and Content Scanning in Nessus

With today’s plugin updates, Nessus now has the capability to warn you of hosts that are being controlled by botnets or hosting links to known malware or phishing sites.

Nessus compares your scan targets against a list of botnet-infected hosts that is updated daily and reports if a host is a known botnet zombie or a command and control node. This is done regardless of the plugins or credentials specified and does not require sending any packets to the host. Such hosts have been previously observed sending malicious traffic to third-party systems across the Internet or taking an active role in attempting to control or compromise hosts for the botnet.

In addition to checking for inclusion in a botnet, Nessus will also report if a scan target is hosting links to web site addresses and specific URLs that are used by known botnets to propagate, or that redirect to sites hosting phishing content. During the testing of CGI scripts, Nessus will scan the content of web pages looking for references to this type of malicious content. The ability to discover whether an asset hosts botnet-related malware or pages designed to steal credentials from unsuspecting users (e.g., fake eBay or banking login pages) is an incredible way to augment vulnerability scans.

To leverage this feature, make sure that your Nessus scans are looking at web site content. To enable this feature, set the Preferences -> Global Settings -> Enable CGI Tests setting to “enabled”. 

The following Nessus plugins perform the botnet and malicious website content analysis:

  • 52670 – Web Site Links to malicious Content
  • 52669 – Host is listed in Known Bot Database

This update is available to all Nessus users including the Nessus ProfessionalFeed and HomeFeed subscriptions, the Nessus PerimeterService and SecurityCenter customers. Tenable also offers a variety of log analysis, NetFlow analysis and passive network traffic analysis solutions which can help identify system events, user behavior and network traffic that is indicative of a botnet. To learn more about these solutions, please visit our web site or watch any of the following on-demand webinars: 
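As an added illustration of the link-content check described above (example code written for this page, not Tenable plugin code), the following Python scans page HTML for anchor, link, script, iframe, img and form targets and matches them against a blocklist, and checks a target address against a bot-host list. The domains, URLs, IP addresses and HTML in it are constructed for the example, not real indicators.

```python
"""Content-scan a web page for links to listed malicious/phishing hosts and
check a scan target against a bot-infected host list.
Added example; the lists and HTML below are constructed, not a real feed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed sample threat lists (NOT real indicators).
KNOWN_BOT_HOSTS = {"203.0.113.7", "198.51.100.42"}           # zombies / C2 nodes
MALICIOUS_DOMAINS = {"evil-redirect.example", "phish-login.example"}
MALICIOUS_URLS = {"http://cdn-static.example/loader.js"}    # specific listed URLs


class LinkExtractor(HTMLParser):
    """Collects outbound targets from the attributes that pull in remote content."""
    WANTED = {"a": "href", "link": "href", "script": "src",
              "iframe": "src", "img": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WANTED.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(value.strip())


def host_is_listed(host, domains):
    """True for an exact match or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_page(html):
    """Return [(link, reason)] for every remote link that hits a list."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for link in parser.links:
        parts = urlsplit(link)
        if not parts.netloc:
            continue  # relative link: stays on the scanned site, nothing to compare
        bare = parts._replace(query="", fragment="").geturl()
        if bare in MALICIOUS_URLS:
            findings.append((link, "known malicious URL"))
        elif parts.hostname and host_is_listed(parts.hostname, MALICIOUS_DOMAINS):
            findings.append((link, "link to listed malware/phishing domain"))
    return findings


def is_known_bot(address):
    """Reputation check that needs no packets: membership in the daily bot list."""
    ipaddress.ip_address(address)  # reject garbage before the lookup
    return address in KNOWN_BOT_HOSTS


# Constructed page content, as a CGI test might retrieve it from a target.
SAMPLE_HTML = """<html><body>
<a href="/about.html">About</a>
<a href="http://www.partner.example/page">Partner site</a>
<script src="http://cdn-static.example/loader.js?v=3"></script>
<iframe src="http://ads.evil-redirect.example/frame" width="0" height="0"></iframe>
<form action="https://phish-login.example/secure/login"></form>
</body></html>"""

if __name__ == "__main__":
    for link, reason in scan_page(SAMPLE_HTML):
        print(f"FLAGGED {link}: {reason}")
    print("target 203.0.113.7 in bot list:", is_known_bot("203.0.113.7"))
```

Relative links are skipped because they cannot leave the scanned site; the query string is stripped before the exact-URL comparison so that cache-busting parameters do not defeat the match, and subdomains of a listed domain are treated as hits.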

 

 

Nessus and the Fight against Viruses

We’ve blogged many times over the past few years about how Nessus can be used to scan systems for both the presence of some viruses as well as the presence of an effective antivirus solution. This blog provides an overview of all current Nessus virus and antivirus technologies available to HomeFeed, ProfessionalFeed and SecurityCenter users.

Continue reading "Nessus and the Fight against Viruses " »

 

Research Spotlight: The Evil That Bots Do

It’s All About the Information

"There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!"
- "Cosmo", From the movie "Sneakers" (1992)

The last part of the quote above always seems to play in my head during the course of an average day in information security. It really is all about information in many different aspects. One aspect I would like to highlight is collecting information about those who are attacking you. Specific information potentially useful to those defending networks and systems could be:

  • The Software Itself - Perhaps the most useful information you can have, understanding what the malicious software (a.k.a. "malware") does is critical in being able to detect, prevent and remove it from your systems.
  • The Users - Understanding how and why the end-user is using the software can provide some useful information (admittedly not as useful as analyzing the software itself). Malware can give an attacker a host of features. Knowing which ones are using it for denial of service attacks, and which groups are stealing bank data can help aid detection and forensics analysis (on both the system and the network).
  • The Programmer - Probably the least useful to those defending networks on an everyday basis. Most authors of malware are most-likely motivated by profit, and create software to sell on the black market. Sometimes interesting things can be found in the software itself, indicating potentially where the software was created and providing hints as to the author's skill level.

I'd like to highlight some of the above information in this article (and an upcoming podcast) as it relates to botnets and malware. There is an endless supply of malware designed to perform a wide-array of "evil biddings". There is an entire economy behind botnets, including outsourcing, marketing and shady business schemes. All of this activity is happening on our networks today, leading to service disruptions from distributed denial of service (DDoS) attacks to theft of banking information.

Tenable has produced several configuration audits and updates to enterprise products, such as the Log Correlation Engine (LCE) and Passive Vulnerability Scanner (PVS), to help detect this activity in your environment. Nessus ProfessionalFeed customers can download the configuration auditing files that detect malware from the Tenable Support Portal Virus Detection Policies page (requires a Tenable Support Portal Login). For more detailed information on how Nessus is able to detect viruses, refer to the article Auditing Infected Systems for Viruses and Trojans with Nessus.


Continue reading "Research Spotlight: The Evil That Bots Do" »

 

Being Pro-Active Against the "0-Day" Threat

Recent investigations into the Google "Aurora" incident uncovered evidence that Chinese attackers used a 0-day exploit for Internet Explorer to gain access to Google employees’ computer systems. This event has sparked the release of Microsoft Security Bulletin MS10-002 (Critical), and a public exploit for the vulnerability. To mitigate this vulnerability, Microsoft originally recommended that customers upgrade to Internet Explorer 8 and enable DEP (Data Execution Prevention). On January 21, 2010 Microsoft released an "out-of-band" patch for the vulnerability, which fixes the problem on Internet Explorer versions 6, 7 and 8. Methods exist to reliably exploit Internet Explorer versions 6 and 7, and there are several people who have working exploits for IE version 8, including Dino Dai Zovi, a well-respected vulnerability researcher. (A concise list of the details surrounding this issue can be found in this article).

Being Proactive

Many organizations are likely to implement the patch released by Microsoft since the issue has been receiving a lot of media attention. Patching because of a media event is an all-too-common mistake made by many organizations that cannot be convinced to implement new security measures until exploits make the news. Patching systems needs to be part of an organization’s overall strategy – not just a reaction to a media event. When new technologies become available as upgrades to your existing systems, put a plan in place to test and migrate to them, especially if they offer increased security. The organizations doing this today are looking at the latest exploit and implementing their patch strategy as part of the standard operating procedure.

Continue reading "Being Pro-Active Against the "0-Day" Threat" »

 

Detecting Malware Distribution With Nessus

Many of today's latest worms and viruses are using interesting methods to propagate across the network. For example, the Conficker.A / Downadup worm sets up a web server for victims to connect to and download a copy of the malware. What I find interesting about this method is that no matter what request is made to the HTTP server, it responds with a Microsoft executable file. Nessus detects such an HTTP server with plugin id 35322 "HTTP Backdoor Detection":

[Screenshot: Nessus plugin 35322 "HTTP Backdoor Detection" result (HTTP-Malware-1.png)]
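To show what the "executable for every request" pattern looks like from the scanner's side, here is an added Python example (not Nessus plugin 35322 itself): it requests several unrelated paths, including a random one no real site would serve, and flags a server that answers all of them with HTTP 200 and a body that starts with the PE "MZ" signature. The local stand-in server is constructed for the demonstration and returns only an inert 64-byte header stub.

```python
"""Probe an HTTP server for the propagation pattern described above: a
Windows executable comes back no matter which path is requested.
Added example, not Nessus plugin 35322. The local stand-in server is
constructed for the demonstration and serves only an inert header stub."""
import http.server
import os
import threading
import urllib.request
from urllib.error import HTTPError

PE_MAGIC = b"MZ"  # DOS stub signature that opens every Windows PE file


def looks_like_pe(body):
    return body[:2] == PE_MAGIC


def fetch(base_url, path):
    """GET base_url+path; return (status, first 64 bytes) even for 4xx/5xx."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=5) as resp:
            return resp.status, resp.read(64)
    except HTTPError as err:
        return err.code, err.read(64)


def probe_for_executable_backdoor(base_url, fetch_fn=fetch, probes=None):
    """True when *every* probe, including a random path no real site would
    serve, returns 200 with a PE-formatted body."""
    if probes is None:
        probes = ["/", "/index.html", "/robots.txt", "/" + os.urandom(6).hex()]
    results = [fetch_fn(base_url, p) for p in probes]
    return all(status == 200 and looks_like_pe(body) for status, body in results)


# --- constructed stand-in: answers any GET with a 64-byte MZ header stub ----
class _ExeForEverything(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = PE_MAGIC + b"\x90\x00" + b"\x00" * 60  # header bytes only, not a program
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass


def run_demo():
    """Start the stand-in on a loopback port, probe it, shut it down."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ExeForEverything)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_for_executable_backdoor("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("executable-for-every-path pattern detected:", run_demo())
```

The random probe path is what separates this from a site that legitimately serves an installer at one URL: a normal server answers it with 404 (or an HTML error page), while the backdoor pattern answers with the same executable bytes. The `fetch_fn` parameter exists so the check can be exercised with canned responses instead of a live socket.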

Continue reading "Detecting Malware Distribution With Nessus" »

 

Auditing Infected Systems for Viruses and Trojans with Nessus

Have you ever been in the situation where you have found a server or desktop Windows system that was infected with a virus, Trojan, rootkit or malware and you wanted to scan your network to see if other systems had similar issues? Nessus ProfessionalFeed and Security Center users can leverage the compliance auditing features of Nessus to look for evidence of hostile software on their network.

Background

Even though anti-virus technology is available, many organizations routinely deal with daily infections. In some organizations, even where anti-virus agents are prevalent, the plethora of mutations in the threat means new types of hostile code can still make their way into the network. Even more worrisome is the fact that many organizations with large networks have made the decision to not use any anti-virus solution and instead rely only on network security and system hardening. Gone are the days when Internet-wide worms made front page news. Instead, IT security organizations wage daily battles to keep their network clean.

Existing Anti-Virus Audit and Hostile Code Discovery Capabilities

Before we talk about some new strategies for discovering viruses with Nessus, we should review the existing methods to audit systems for potential viruses and to make sure they are running a correctly configured anti-virus solution.

Previous blog entries have described how Nessus and the Security Center can be used to audit small and large enterprise networks to make sure there are adequate anti-virus capabilities.

  • If Nessus finds one of many commonly running commercial anti-virus solutions, it checks to make sure its virus signatures are up to date. If not, it lists this as an important vulnerability. (Read more)
  • As part of your corporate configuration audit policy, you can also use Nessus audit policies to ensure that each system is running the correct and official anti-virus solution and verify that it is set to run, to auto-start, to auto-update and so on. (Read more)

Nessus also has the ability to find suspicious system services and issues that may indicate the presence of malware:

  • If a worm or Trojan adds a daemon to a compromised host that serves executables, Nessus will recognize this and generate an alert accordingly.
  • If your Windows HOSTS file has been modified by a virus, Nessus check 23910 will likely detect it.
  • If you have a Trojan or worm that has added a service in general, Nessus can audit all system processes which have an open network socket.
  • Nessus checks for several dozen popular virus daemons and infected files. If you visit Tenable’s plugin search page and enter in terms such as “worm”, “virus” or “Trojan”, you can get an idea for the types of hostile code Nessus can search for.

Finding Systems Compromised with Hostile Code

Now that we’ve reviewed how Nessus can monitor your anti-virus solutions and potentially identify broad types of virus infections, how can it help when you know exactly what type of hostile code you are dealing with?

The basic idea is to use Nessus’ ability to audit registry settings or file content to look for viruses. As part of your analysis of any system infected with hostile code, there is very good chance that the virus has some sort of fingerprint that aids in detection. Some of the most common fingerprints to look for are specific registry entries or files that have been created or modified by the virus.

For example, F-Secure has written an analysis about the Banbra.RM virus, which provides a list of files, processes, network connections and registry entries the virus attempts to make or create. In particular, it sets the value “C:\WINDOWS\msnmsgsr.exe” into the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\msn

The following audit policy could be used by Nessus or the Security Center to audit your network for this virus:

<if>
 <condition type: "and">
  <custom_item>
   type        : REGISTRY_SETTING
   description : "Banbra.RM trojan check"
   value_type  : POLICY_TEXT
   reg_key     : "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run"
   reg_item    : "msn"
   value_data  : "C:\WINDOWS\msnmsgsr.exe"
   reg_option  : CAN_BE_NULL
  </custom_item>
 </condition>

 <then>
  <report type: "FAILED">
   description : "Banbra.RM trojan check."
   info        : "A key found in the registry indicates the Banbra.RM trojan is infecting the host."
   info        : "Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run , msn, C:\WINDOWS\msnmsgsr.exe"
   info        : "(This audit tests for the Banbra.RM trojan, as defined at:"
   info        : "http://www.f-secure.com/v-descs/trojan-spy_w32_banbra_rm.shtml"
   info        : "The contents of this audit should be edited to reflect any other desired target.)"
  </report>
 </then>
 <else>
  <report type: "PASSED">
   description : "Banbra.RM trojan check."
   info        : "The absence of a known key in the registry indicates the Banbra.RM trojan is likely not infecting this machine."
   info        : "(This audit tests for the Banbra.RM trojan, as defined at:"
   info        : "http://www.f-secure.com/v-descs/trojan-spy_w32_banbra_rm.shtml"
   info        : "The contents of this audit should be edited to reflect any other desired target.)"
  </report>
 </else>
</if>

This is not to suggest that you should load up all of your favorite virus rules and use this technique proactively. The idea is that when you discover some sort of infection, you can quickly audit your Windows computers to see if they contain evidence of a compromise.

Types of Technical Audits

If you have discovered a virus infection or some other type of hostile code and want to audit your systems to see if others have been infected, Tenable recommends that you consider the following types of audits.

  • Static registry key, item and value
  • A user registry key, item and value
  • A static file
  • A specific process name

If you are familiar with user registry settings, you will know that different Windows users can have different registry settings. These settings are located under the “HKU” hive if you are browsing a system registry. The Nessus configuration auditing checks will automatically test any HKU registry key across all users.
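The Banbra.RM audit above and the four audit types just listed can be sketched as one evaluator over a snapshot of a host. This is an added Python example, not the Nessus compliance engine: the Banbra registry key, value name and data and the sodata.exe process name come from the text; the host snapshots, the SIDs and the per-user HKU Run-key variant of the Banbra indicator are constructed assumptions used to show the HKU expansion across users.

```python
"""Evaluate the four audit types listed above against a host snapshot:
static registry value, per-user (HKU) registry value, static file, process.
Added example; this is not the Nessus compliance engine. The Banbra.RM
registry indicator and the sodata.exe process name come from the text;
the snapshots, SIDs and the per-user Run-key variant are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class HostSnapshot:
    """Data a credentialed audit collects from one Windows host (constructed)."""
    registry: Dict[str, Dict[str, str]]   # key path -> {value name: data}
    user_sids: List[str]                  # subkeys under HKU on this host
    files: Set[str]                       # full paths present on disk
    processes: Set[str]                   # running image names


def _norm(path):
    return path.lower().replace("/", "\\").rstrip("\\")


def _values(snap, key):
    """Case-insensitive key lookup; returns {lowercase value name: data} or None."""
    target = _norm(key)
    for k, vals in snap.registry.items():
        if _norm(k) == target:
            return {n.lower(): d for n, d in vals.items()}
    return None


def check_registry(snap, key, item, expected):
    """Static audit: key and value exist and the data matches (case-insensitive)."""
    vals = _values(snap, key)
    return vals is not None and _norm(vals.get(item.lower(), "")) == _norm(expected)


def check_user_registry(snap, hku_subpath, item, expected):
    """Per-user audit: expand one HKU path across every user hive, as the
    text says Nessus does; returns the SIDs where the indicator is present."""
    return [sid for sid in snap.user_sids
            if check_registry(snap, f"HKU\\{sid}\\{hku_subpath}", item, expected)]


def check_file(snap, path):
    return _norm(path) in {_norm(f) for f in snap.files}


def check_process(snap, image_name):
    return image_name.lower() in {p.lower() for p in snap.processes}


# Indicators taken from the text.
BANBRA_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run"
BANBRA_ITEM = "msn"
BANBRA_DATA = r"C:\WINDOWS\msnmsgsr.exe"
HUPIGON_PROCESS = "sodata.exe"
# Assumed per-user variant of the same Run entry (constructed for the HKU demo).
BANBRA_HKU_SUBPATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def audit_host(snap):
    """Indicator name -> evidence (bool, or list of SIDs for the HKU check)."""
    return {
        "banbra_hklm_run": check_registry(snap, BANBRA_KEY, BANBRA_ITEM, BANBRA_DATA),
        "banbra_hku_run_users": check_user_registry(snap, BANBRA_HKU_SUBPATH, BANBRA_ITEM, BANBRA_DATA),
        "banbra_file": check_file(snap, BANBRA_DATA),
        "hupigon_process": check_process(snap, HUPIGON_PROCESS),
    }


def report(snap):
    """Mirror the audit's <then>/<else> branches: any evidence -> FAILED."""
    findings = audit_host(snap)
    return ("FAILED" if any(findings.values()) else "PASSED"), findings


# Constructed snapshots: one host showing the indicators, one clean.
INFECTED = HostSnapshot(
    registry={
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
            {"msn": r"C:\WINDOWS\msnmsgsr.exe", "ctfmon": "ctfmon.exe"},
        r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
            {"MSN": r"c:\windows\msnmsgsr.exe"},
        r"HKU\S-1-5-21-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {},
    },
    user_sids=["S-1-5-21-1000", "S-1-5-21-1001"],
    files={r"C:\WINDOWS\msnmsgsr.exe", r"C:\WINDOWS\explorer.exe"},
    processes={"explorer.exe", "sodata.exe", "cmd.exe"},
)
CLEAN = HostSnapshot(
    registry={r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"ctfmon": "ctfmon.exe"}},
    user_sids=["S-1-5-21-1000"],
    files={r"C:\WINDOWS\explorer.exe"},
    processes={"explorer.exe", "cmd.exe"},
)

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, *report(snap))
```

Registry key paths, value names and data are compared case-insensitively, since Windows treats them that way and an audit that fails on "Run" versus "run" would miss the indicator. cmd.exe is running on both constructed hosts and is deliberately not an indicator here.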

Below are two screen shots of auditing live systems for the presence of a specific virus.

[Screenshot: Nessus audit result for the Banbra virus]

This is an audit for the Banbra virus. The audit is looking for specific registry data which indicates a system has likely been infected by the Banbra virus.

[Screenshot: Nessus process audit for sodata.exe]

In this screen shot, we've audited a system's list of processes to look for a file named "sodata.exe" and have not found it. This process is associated with the W32/Hupigon.OGA backdoor.

A Word to the Wise

Many viruses will invoke cmd.exe to run a variety of programs. You may be tempted to search all of your Windows computers to see if any have cmd.exe processes running. However, many legitimate applications will also run cmd.exe and leave those processes running. Finding a cmd.exe process does not directly correlate with a virus infection, but it could be a valid audit for your organization.

Please keep in mind that if you are working with live viruses, they may interact with your testing and auditing. If a virus has countermeasures, it may attempt to resist being removed and could re-create itself from copies running in memory. If a virus has a rootkit component, it may also have the ability to hide various registry settings, processes and files from your audits. This could give you a false sense of security. In a crisis though, being able to rapidly audit many different systems could yield very interesting and useful results.

For More Information

Tenable’s Customer Support Portal includes example audit policies for Nessus and Security Center users that can be modified to find evidence of local systems that have evidence of virus infections. Users who wish to share their audit policies for specific variants of Trojans and viruses may wish to post them to the Discussions Forum so that other Nessus users can benefit.

 

Auditing Anti-Virus Configurations and Installations

Previous blogs have described how enterprise customers can use the Nessus Scanner with the Tenable ProfessionalFeed or Security Center to audit anti-virus software. Nessus has many different checks that audit systems to see if the anti-virus engine is installed, running and up to date. We’ve also described how this can be accomplished without adding an additional agent. Lastly, Nessus has many different checks that test for vulnerabilities in the actual anti-virus products themselves.

While this functionality addresses the needs of many of our customers, reporting requirements such as those in the PCI DSS have led to requests for more specific and “official” audits to simply detect if Symantec, McAfee or other common anti-virus software is present. Tenable has recently released several audit policies to look for the presence of common anti-virus products. This blog entry describes the use of these audit policies, how they can be analyzed and how these relate to a variety of compliance requirements.

Configuration Auditing Review

Tenable produces a wide variety of configuration auditing templates which can be uploaded to the Security Center or used with the NessusClient to perform analysis of Unix and Windows operating system settings. These files are called “audit” policies.

Many of Tenable’s audit policies are written with specific configuration requirements from compliance regulations and recommendations such as PCI, FDCC, NSA and CIS. Our CIS and FDCC technology has also been certified by the Center for Internet Security and a NIST certified vendor test lab. 

Below is a screen shot of the Tenable Support Portal, which offers various audit policies for download to Tenable customers:

[Screenshot: Tenable Support Portal audit policy download page]

You can see that the policies are organized with various certification and compliance bodies. For policies such as GLBA, SOX and HIPAA, there are currently no specific configuration guides but Tenable has helped many of our customers develop custom policies to use in their environments.

An entire section has been dedicated to auditing anti-virus products. Updates to the current available audit policies are announced through various RSS feeds which announce new product, log normalization, vulnerability, configuration, sensitive data and passive network monitoring rule updates.

Performing Anti-Virus Auditing

Several new audit policies are available to test for the presence of the following anti-virus technologies:

  • Bitdefender
  • ClamAV
  • Kaspersky
  • McAfee
  • Norton
  • Panda
  • Sophos
  • Symantec
  • Trend Micro

Each technology has different combinations of running processes, registry settings and installation files. Tenable’s Research group has identified a variety of methods to reliably detect these different types of software in an enterprise environment and has used this information to write Nessus audit files.

Please keep in mind that over the past few years Tenable has increased the type of analysis that can be performed on anti-virus software:

  • Nessus has always contained checks to look for vulnerable versions of anti-virus software.
  • For the past few years, Nessus has generated an alert if it finds anti-virus software that is not running, is out of date or is otherwise misconfigured.

However, with these new anti-virus audit policies, organizations can choose a policy that reflects their requirement to run a specific technology.

Below are screen shots that show how these audits are run with the NessusClient and Security Center on various systems with various types of installed anti-virus technology: 

[Screenshots: Panda AV (running); Symantec AV (not running); McAfee AV (running)]

To perform these checks you need to download the audit policy for your organization’s anti-virus technology and then configure your NessusClient or Security Center with a scan policy. Configure the scan policy to specify the particular anti-virus audit file and the credentials for the target systems. Keep in mind that multiple audit policies can be run within the same scan policy on both the NessusClient and the Security Center. This could allow you to customize a scan that not only performed a patch audit, but also checked configurations against Center for Internet Security settings as well as to look for your current anti-virus software all at the same time.

Compliance and Governance Reporting

There are many different regulations that require organizations to run anti-virus software. Large organizations may have different technologies deployed in different locations, business units or IT assets. In these cases, tools like the Security Center help to perform a consistent audit against different components of the enterprise. This also makes it easier to identify enterprise-wide issues with the overall anti-virus deployment.

The following compliance standards specifically require anti-virus deployment and directly state that organizations need to demonstrate compliance with these requirements:

  • PCI DSS is the most common commercial regulation that mandates anti-virus software on all systems that process cardholder data. Section 5.1 requires anti-virus to be deployed on all systems and section 5.2 requires that these systems be monitored to verify that they are running and generating logs. These new anti-virus audit policies make it very easy to demonstrate compliance with PCI DSS anti-virus reporting requirements. If the scans performing these audits are part of your daily or weekly operations, non-compliant systems can be detected very quickly.
  • GLBA specifically states that remote users who commute over a VPN must have anti-virus protection installed. If these computers are part of a domain, they can be regularly scanned with credentialed checks with Nessus, even over a VPN.
  • NIST Special Publication 800-53 (FISMA) section SI-3 specifically requires federal organizations to take measures to provide protection from malicious software. A comprehensive solution such as Tenable’s product suite can help demonstrate SI-3 compliance and also detect when zero-days and worms penetrate the anti-virus technology.
  • COBIT section DS5.9 calls out a similar need for protecting the network from malicious software.
  • NERC section R4 also calls for the use of anti-virus software on “critical cyber assets” used in the production of reliable electrical power.

Tenable offers the “Real-Time Compliance Monitoring” paper which provides much greater detail on how Tenable’s scanning, logging, configuration auditing and anomaly detection technologies map into the requirements of each of these regulations. We’ve also recently expanded and updated the coverage for PCI 1.2 in a separate “Real-Time PCI Compliance Monitoring” paper. Both of these can be requested from Tenable’s sales staff via email.

For More Information

Previous blogs on auditing anti-virus software with Nessus may be found at these links:

We have also talked about auditing the security of your anti-virus vendor, and how to analyze network traffic and logs to see if they have been targeted by botnets:

As always, if you want to learn more about Nessus and all of Tenable’s products and you don’t have a lot of time, we’ve prepared several informative product demonstration videos located at http://www.nessus.org/demos/.

 

Auditing Anti-virus Software without an Agent

Most enterprises are required to run some sort of Anti-virus (AV) software on all or a portion of their desktops and servers and report on the status of the deployment. This blog entry discusses some of the limits of self-reporting within an anti-virus application and how Nessus can help you detect systems that are not AV compliant.

Self Reporting with Anti-Virus Software

Enterprise versions of most anti-virus software typically include a central management console that enables the organization to track which systems have AV installed, the software version and the status of the AV signatures. What these products cannot do is tell administrators about the systems that it doesn't know about - those without AV installed at all.

From vendor to vendor, there is variation of the detection mechanism and how this information is reported. The central management console of each vendor may use different mechanisms to report if the anti-virus agent software is installed, if it is running and when the last time it had a signature update. Not displaying all of this information can provide a false sense of security that a host is indeed protected by some form of AV. In addition, this type of technology only reports on AV agents from that specific vendor, ignoring mixed vendor environments.

Lastly, most anti-virus products can only report on systems they are installed on and not other nodes or systems in the network, which are not in the management system. Some agents do keep a list of Ethernet addresses that are unique, and then attempt to reconcile this list at the management console. This may help identify some nodes without anti-virus software, but it does not find all devices that have been filtered, are behind screening devices or that simply are not communicated with.

Performing an Audit with Nessus

Previous blog posts have discussed how a Nessus credentialed scan can be used to identify if common anti-virus software is installed, if it is running AND if their signatures are up to date. This blog was recently updated to reflect support for testing Sophos and Windows Live OneCare.

Clearly, there are several advantages to this approach.

  • No need for an agent - Many organizations wish to avoid deploying more agents to their desktops and servers. Agent based solutions that can be used to audit installed software increase the complexity and potential attack space of a network. It also requires that third party visitors to the organization install an agent to ensure AV compliance. A Nessus credentialed audit does not require an agent to be installed on the target.
  • Support for a heterogeneous environment - Since Nessus is not dependent on a specific vendor's anti-virus technology, it can be used to identify deployed solutions in a multi-vendor environment, common to larger enterprises.
  • Verification of signature updates - Nessus independently reports any discrepancies in signature updates, or if the anti-virus solution is installed, but not running.
  • Validation of AV software - During the credentialed audit, Nessus will also test for the presence of anti-virus software that is vulnerable. There has been some discussion of this in recent blog postings about the increasing trend towards vulnerabilities contributed from anti-virus solutions. Nessus has checks for vulnerabilities in many host security agents including Symantec, Trend Micro, CA eTrust, Clam AV, NOD 32, Kaspersky, McAfee, F-PROT and Sophos.

Your organization is also likely deploying more than one technology (other than AV) to defeat the threat of virus outbreaks. Examples include system hardening, the use of desktop firewalls and having traffic flow through proxy servers. ProfessionalFeed users can make use of Nessus's ability to audit system configurations to ensure the following:

  • The corporate authorized web browser is enabled and configured correctly
  • Proxy settings are in effect to require web browsing to go through other forms of inspection
  • The system itself has been hardened to limit the impact of a successful virus compromise
  • The system is running the corporate standard(s) for Anti-virus software

For More Information

The following Tenable blog entries discuss virus discovery, anti-virus auditing and software discovery:

 

Auditing Anti-Virus Products with Nessus

For credentialed scans of Windows systems, Nessus can detect the presence of many leading anti-virus solutions. This blog entry will discuss what sort of information can be reported, how this is relevant for compliance and vulnerability audits and the specific anti-virus solutions supported.

Auditing Anti-Virus Deployments

Nessus uses credentialed scans of Windows systems to audit the local files and registry settings to determine both the presence of an anti-virus solution, if it is indeed running and if it is up to date.

For supported anti-virus solutions, a separate Nessus plugin is used to specifically identify that software and determine if the signatures are up to date. At Tenable, our research group monitors vendor signature updates for each solution and then updates the corresponding Nessus plugin. To take advantage of this sort of auditing, your Nessus scanners should be subscribed for either the Registered Feed or the Direct Feed.

There are many reasons why an anti-virus solution can't receive an updated list of new signatures. Some of these could be due to licensing issues, expiring demos or even network connectivity issues such as DNS or firewall changes. In some cases, malware or a new virus may have gotten into a system and explicitly attacked the existing anti-virus solution.

For IT organizations that wish to minimize complexity, detecting unauthorized anti-virus solutions present on the corporate network is very useful. Having multiple anti-virus solutions on one system can lead to performance, compatibility and stability issues.

Compliance and Vulnerability Auditing

For compliance, if an organization has selected one or more anti-virus solutions, being able to audit this with Nessus can prove to an auditor that a solution is indeed installed, in use and up to date. Relying solely on software enumeration won't let you know if an anti-virus has been installed but has been disabled. It also won't let you know if the license or network connectivity is up to date.

Depending on the function of a system that is being scanned by Nessus, not having an anti-virus solution may be considered a vulnerability. Also, if it is assumed that a system is protected by an anti-virus solution, but in fact the solution isn't running, or does not have the latest signatures then it isn't really protected.

Detected Anti-Virus Applications

At the time of this writing, the following anti-virus solutions are detected as installed, running and up-to-date by Nessus:

  • #24232 BitDefender Check
  • #20284 Kaspersky Anti-Virus Check
  • #12107 McAfee Anti Virus Check
  • #21608 NOD32 Antivirus System Check
  • #12106 Norton Anti Virus Check
  • #12215 Sophos Anti Virus Check
  • #20283 Panda Antivirus Check
  • #21725 Symantec Anti Virus Corporate Edition Check
  • #16192 Trend Micro Anti Virus Check
  • #24344 Windows Live OneCare AntiVirus Check

Nessus also has plugin #16193 which aggregates the results from these other plugins. It is useful if you are in a multiple anti-virus solution environment and just want to find hosts that have a solution installed and operational.

The above plugins only report an issue if a problem is found with the detected anti-virus solution. Plugin #16193 reports if a system does have a known working anti-virus solution.

Additional Tenable Solutions

The Security Center can be used to aggregate scan results and place systems without anti-virus, or non-operating anti-virus solutions into a unique asset list. These lists can then be used for reporting, scanning, IDS event monitoring and anomaly detection with the understanding that systems without AV are more likely to become infected.

If the Passive Vulnerability Scanner is also in use, then the asset lists could be further qualified to only discover systems without anti-virus solutions that are browsing on the Internet. Windows systems that browse the Internet without some sort of anti-virus solution may be more likely to become infected. The Passive Vulnerability Scanner also has the ability to monitor the update process for several different anti-virus solutions and identify them without the need for scanning.

For Additional Information

The following is a list of various white papers, Tenable blog posts and Nessus checks that relate to detecting both anti-virus solutions as well as virus infections: