Tag Archives: Malware

Finding Known Evil With Nessus – Part 2

This post is a continuation of my earlier post about finding known bad process with Nessus vulnerability scans. In this post I will share my experience after I finished running my first scan using this new scan policy.

Unlike the regular vulnerability scans, the duration for this scan was much less. The reason for this was because the scan policy consisted of only selected plugins. However, even with only selected plugins, the scan results were very comprehensive.

First, the scan result show the MD5 hash of the suspicious process. Now you can take this MD5 hash and search sites like VirusTotal but on the scan results page you will find a direct link to a Tenable website that will provide additional information about the suspicious process. This information is similar to what you would find on VirusTotal but with little less information. In my case I still searched VirusTotal for more detailed information.

Second, the scan result show the path of where the suspicious process in located on the target system. Obviously, this is great because now you don’t have to search the system and locate the executable in question. But what’s even better is that the scan results even show all the instances of that suspicious process that the scan found. For example, in my test scan the same suspicious process was located under numerous user profiles.

With the above information in hand, you can quickly develop you indicators of compromise (IOCs) and begin your investigation. My initial step was to review all the processes on my target machine and identity the process ID (PID) of the executable that the scanner identified. From here you can look at all the network connections related to this process, the system handles, any additional sub-processes, etc.

Overall, I am satisfied with what I have seen so far. I think that it is great that Tenable has incorporated these checks because in my option it makes perfect sense to check for known bad stuff during the time that you have already allocated for vulnerability scans. However, I would recommend that you separate your suspicious process and vulnerability data because do you not want to alarm the system owners without properly doing your own investigation. The easiest way to do this is by creating two different repositories and then drafting different reports/dashboards from each of those repositories.

My final comment is that if you have Nessus (I used SecurityCenter); please try to run this scan with the new scan policy. You can find the link to download this scan policy in my first post. Let me know what you guys think!

Advertisements
Tagged , ,

Finding Known Evil With Nessus

When is comes to performing vulnerability assessments, Nessus is by far the industry leader.  Nessus is known as “world’s best vulnerability management tool” and I think the reason for this is because of the continuous research the Nessus team does around new vulnerabilities and push them out to their customers in a timely manner. If you are not families with Nessus here is a very high level overview – Nessus uses “plugins” which simply put are scripts that run on the target hosts to see if it meets the criteria for a certain vulnerability. And as new plugins get pushed to customers the old plugins also get updated daily.

I have been using Nessus for sometime now and I have been very pleased with their level of commitment and excellent support. And recently as I was going through their blogs, I came across an interesting post regarding finding malware through Nessus scans. I found this interesting for two reason: first because I had not tried this before and second because as a security professional its better if you find evil in your environment before it gets reported to you.

The process for running malware scan is same as running the normal vulnerability scan. You just need to make sure that you select the appropriate plugins in your scan policy and use credentials that have administrative privileges on the target system. The following blog post lists the default plugin you can use to get started with malware scans – a sample scan policy is available for you to download which you can simply upload in your scanner and run the scan. This blog post also contains links to other related posts that talk about additional plugins that you can enable in your scan policy.

I have not had the chance to run this scan however, I plan to give this a try this coming week using the sample scan policy. I will write a follow up post to share my experience.

Tagged , ,