Fast Malware Scan

The most important commands are on the left-hand side of the window: New Scan and My Scans . We were a bit nervous about the outcome of the test – how would our Windows Server 2012 R2 domain controller with its Exchange 2013 installation fare in the security scan of our lab environment? Pressing New Scan told the software to open a menu with a total of 15 different scans from a library in our browser.

Some tests, including Audit Cloud Infrastructure, Mobile Device Scan, Offline Config Audit, Policy Compliance Auditing, and SCAP Compliance Audit, require you to have a subscription, so they were not available for the trial version. This just left us with Credentialed Patch Audit, GHOST (glibc) Detection, Web Application Tests, Bash Shellshock Detection, the free Advanced Scan, the Basic Network Scan, and the Windows Malware Scan. We went for the latter, defining our Windows test server as the target.

For the initial test, we had very little to fill out: define the name, enter a description, specify the folder (I chose My Scans), and define the target. As the targets we entered our server's IP address – at the time, the server was accessible on the local network with its Windows Firewall disabled. However, you can also enter IP address ranges or hostnames in this input box. Pressing Save threw an error message, because we needed to enter credentials for Windows. If that is going to boost our security, why not?

In the dialog window (Figure 1), we could check a couple of additional parameters, such as Never send credentials in the clear and Do not use NTLMv1 authentication . Thank goodness. After all, it is definitely not a good idea to publish the domain password for any old scanner to sniff. After pressing Save again, the scan launched, and we saw the first results coming in just a minute later.

Figure 1: For a malware scan on Windows machines, you need to enter administrative account credentials.

Surprisingly, the scan completed quickly. A (1) to the right of My Scans indicated some reading material waiting for us. One mouse click later, we were reading an overview of the scan, and the predominant color soon calmed our nerves: Everything was blue, which denotes informative, rather than critical, errors. Nessus v6 drew our attention to an overview of all the running processes on our Windows test server, with a tree structure of the subprocesses. The explanation said this report is simply an overview of the processes active at the time of the scan for forensic investigations.

A second piece of information is simply a CSV-formatted list of the loaded modules. In other words, Nessus v6 found that everything was okay, even though Windows Firewall was disabled on the server. That said, this is a "Malware Scan," and our machine is not infected according to the local antivirus program either. Somewhat farther down in the settings for the Windows Malware Scan, we found some really exciting extensions for the test. Administrators can add MD5 hash values for potentially dangerous files, but also hash values for files that are guaranteed to be harmless. Also, a "Host file whitelist" lets you exclude known files from a scan.

Old Is Not Always Bad

For our next test, we chose the Basic Network Scan for the complete IP segment 192.168.1.0/24 . After the scan started, it took far longer for Nessus to come back with its results this time. No fewer than 21 minutes later, the scanner presented the results after testing a total of eight devices on our lab network (Figure 2). We were fairly surprised about the total 109 vulnerabilities and four recommendations.

Figure 2: The results of a simple network scan by Nessus reveal some room for improvement.

The large number of issues were related to an obsolete MacBook running OS X 10.5.1. But, instead of providing a detailed list of all the potentially endangered applications and Unix daemons on the MacBook, Nessus took the easy exit and simply reported that all versions below 10.10 are insecure (Figure 3). The CVSS (Common Vulnerability Scoring System) Base Score was 10.0 – that is, the maximum. In other words, it would be insufficient to update the device to the maximum 10.5.8 level, because it would still be considered insecure by Nessus. This made us wonder whether the results might be motivated by an Apple sales strategy.

Figure 3: Nessus took an easy exit after assessing an OS X computer as critical. Any Mac without the current OS X is classified as endangered.

Our ZyXEL switch on the network just about passed the test, with Nessus correctly complaining about the device responding to the default SNMP Community Strings public and private in its environment. The tests revealed a total of eight open ports on the switch; administrators would do well to consider whether they really need all of these. That said, Nessus classifies the open ports as a low risk. The previously malware-checked Windows Server 2012 R2 also showed a red card because Vulnerabilities in SChannel can lead to remote code execution (MS14-066) . Our self-signed SSL certificate was classified as medium risk, and a total of 21 open ports were again only classified as low risks.

For our next test, we pointed Nessus at what is guaranteed to be a vulnerable virtual machine. Metasploit, an open source project for computer security – which offers information on vulnerabilities and is used to develop IDS signatures for penetration tests – offers a virtual machine based on Linux with a number of misconfigurations and unprotected features. As you would expect, Nessus v6 again discovered a large number of vulnerabilities and listed them accordingly.

Conclusions

No administrator has the time or inclination always to trigger and evaluate security tests manually. As you might expect, Nessus v6 offers a scheduler for scans that you have defined, as well as email notification of the results. If you want to perform security audits automatically and regularly, this is the perfect choice of software.

If you want to know whether your devices and servers are secure and do not want to rely on an external IT security professional to do so, Nessus v6 will show you after just a couple of minutes which controls your IT staff need to tweak to boost security in the data center and on the network. Table 2 summarizes our evaluation of Tenable Nessus v6.