Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SYMANTEC AV AUDITS

from [John Scherff] Network Security [Permanent Link]
Subject: Re: SYMANTEC AV AUDITS
Date: Wed, 25 Apr 2007 08:37:14 -0700 
Maybe I can "trick" nessus into treating the def version like a dword and use a 
range there.  I'll let you know.

-----Original Message-----
From: Ron Gula <rgula@tenablesecurity.com>
To: John Scherff
CC: nessus@list.nessus.org <nessus@list.nessus.org>
Sent: Wed Apr 25 08:30:11 2007
Subject: Re: SYMANTEC AV AUDITS

John Scherff wrote:

QUESTION: Can wildcards or ranges be used for text values in
REGISTRY_SETTING audits?


This is currently not supported.


I recently used Nessus compliance auditing to check for the presence of
four critical Symantec AV services on all systems.  (See first four
items in Listing 1.)  It works great.  


Excellent. Thanks for posting for other users to see.


Then I wrote an audit rule to check for the version of SAV running on
the host and the version of AV signatures installed.  (See last two
items in Listing 1.)  Prior to running the scan, I use sed to replace
the placeholders savVersion and defVersion.  I get the latest def
version from the Symantec web site using a rather clunky script I wrote
(see excerpt in Listing 2).  This also works great.


Also excellent. I'd also like to point out this blog entry we wrote a
while back which details how virus auditing is performed by Nessus:

http://blog.tenablesecurity.com/2007/02/auditing_antivi.html


Unfortunately, I found that there are many slightly different, but
recent, versions of the SAV client running on our systems. I also found
that most clients are using virus signatures that are one or two days
older than the most recent one (probably due to the centralized nature
of our malware management architecture.)
 
SO... 
 
What I need is to be able to specify a range of valid virus definitions
(e.g., the last three) and a range or wildcard value for valid software
versions.  The nessus compliance audit documentation doesn't mention the
ability to do this.
 
Is it possible?
 


Right now, functionality like:

reg_item: "20070411" | "20070412" | "20070413"

isn't part of the Windows Compliance Checks. The UNIX side has an "if"
set of statements, but this isn't available on the Windows side (yet).

I'd rather point you to the raw NASL for the auditing virus deployments
like I outlined in the above blog.

Ron Gula, CTO
Tenable Network Security










_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: SYMANTEC AV AUDITS, John Scherff
Next by Date:  Missing plugins from all-2.0.tar.gz, Justin Folkerts
Previous by Thread:  Re: SYMANTEC AV AUDITS, John Scherff
Next by Thread:  Re: SYMANTEC AV AUDITS, Nicolas Pouvesle
Indexes:  [Date] [Thread] [Top] [All Lists]