#7 Nessus Versus Malware - Top Ten Things You Didn't Know About Nessus
Nessus has several different plugins and techniques for helping you with the fight against malware. The video below is part 7 in our series of the top ten things you didn't know about Nessus and covers 3 different ways Nessus can be used to help detect malware:
Below are a few more examples of how Nessus can detect malware:
1. Nessus Network Checks
Nessus plugins in the "Backdoor" plugin family detect certain types of generic behavior on listening services that are indicative of malware. For example, plugin #35322 detects the presence of an HTTP backdoor. Nessus detects the web server remotely and identifies a condition where the web server, regardless of the request, returns a Windows executable:
Conficker and the Downadup worm used this method to propagate. This is a sure fire indication that the host has been compromised.
Nessus can also detect if one of your web sites is hosting malicious JavaScript. In this condition, two things are being detected: 1) The fact that your web site is vulnerable in some way which allows attackers to modify the content and 2) Clients going to the web site will likely get infected via the JavaScript code:
The Lizamoon malware used this method to propagate.
2. Nessus Credentialed Plugin Checks
Nessus will use credentials to login to a system, on a Windows platform for example, and search the registry and file system for indications of well-known malware:
Most strains of Zeus/Zbot can be detected in this manner.
A separate plugin (id 23910) can look at your system and identify if the Windows hosts file has been tampered with:
Some malware will add entries to this file forcing entries to anti-virus software companies update servers to somewhere else.
Nessus will also check that any target IP address or host name is part of a known botnet. This check is performed against each target, and the known botnet hosts list is updated regularly via plugin updates and pulls from multiple sources.
Nessus contains information about anti-virus software and identifies hosts with no anti-virus software installed, outdated anti-virus software installed, and definitions that are out-of-date.
3. Nessus Configuration Auditing Checks
Using configuration auditing Nessus can dig deeper into your systems and detect malware infections such as the Duqu virus and more!
In addition to detecting the presence of anti-virus software that is contained in the plugins, audit files can tell you more information about your anti-virus installations, such as if the anti-virus software is set to start on boot.
Stay tuned for the next video in our series which will cover scanning IPv6 hosts!
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Nessus