Malware Detection CSV Reports

The following CSV (comma-separated value) reports (see attached zip file) can be run within SecurityCenter to provide malware detection. These reports make use of vulnerability data from Nessus scans, PVS detections, and event data from the LCE. (For details on configuring Nessus scans for malware detection, see here.)


Hosts with Malware Detected by Nessus/PVS

This CSV report lists all vulnerabilities detected by the “Backdoors” family of plugins for both Nessus and PVS. For each vulnerability, the report presents the plugin that detected it and the host on which it was found. In SecurityCenter, look up plugin details by plugin ID to obtain remediation suggestions.


Hosts with Malware Detected by Other Applications (Last 72 Hours)

This CSV report lists all events of type “virus” that have occurred in the last 72 hours; these events were reported by various applications and collected by the LCE. The report presents details for each event, including the IP address of the affected host. (Note that if there are no such events, an error status will be shown for the report result and no report will be generated.)


Hosts Interacting with Known Botnet

This CSV report lists all detections by Nessus plugins 52699 (Host Listed in Known Bot Database), 58429 (DNS Server Listed in Known Bot Database), and 58430 (Active Outbound Connection to Host Listed in Known Bot Database). These detections show internal hosts interacting with a known botnet, which might indicate that the hosts are infected with malware. For each detection, the report presents plugin details and host information. In SecurityCenter, look up plugin details by plugin ID to obtain remediation suggestions.


Hosts Interacting with Threatlist (Last 72 Hours)

This CSV report lists all outbound events of type “threatlist” that have occurred in the last 72 hours. These events show internal hosts connecting to threatlisted IP addresses or domains, which might indicate that the hosts are infected with malware. The report presents details for each event, including source and destination IP addresses. (Note that if there are no such events, an error status will be shown for the report result and no report will be generated.)


Hosts with Malicious Running Processes (Windows Only)

Windows hosts only: This CSV report lists all vulnerabilities detected by Nessus plugin 59275 (Malicious Process Detection). For each detection, the report presents plugin details and host information. The Plugin Text field gives details on the specific malicious processes that were found. For remediation, uninstall the indicated software and investigate the network for further signs of a breach.


The following *nix command can be run at the command line to display more readable output:


grep -oE '("[0-9]+"(,"[^"]+"){4})|(^File Path.*$)' <report.csv> | sed 's/File Path.*: / /'


Hosts with Suspicious Running Processes (Windows Only)

Windows hosts only: This CSV report lists all detections by the Nessus “Malicious Process Detection” plugins (not including plugin 65548, User-Defined Malware Running). This includes detection of potentially unwanted processes and other possibly malicious processes. For each detection, the report presents plugin details and host information. The Plugin Text field gives details on the specific malicious processes that were found. Verify that each of the processes is legitimate and authorized; if not, follow the remediation suggestions in the Solution field.


The following *nix command can be run at the command line to display more readable output:


grep -oE '("[0-9]+"(,"[^"]+"){4})|(^File Path.*$)' <report.csv> | sed 's/File Path.*: / /'


Hosts with Unknown Running Processes (Windows Only)

Windows hosts only: This CSV report lists all detections by Nessus plugin 70768 (Unknown Processes). For each detection, the report presents plugin details and host information. The Plugin Text field gives details on the specific processes that were found. Verify that each of the processes is legitimate and authorized.


The following *nix command can be run at the command line to display more readable output:


grep -oE '("[0-9]+"(,"[^"]+"){4})|(^[0-9]+\. .+$)' <report.csv> | sed -E 's/[0-9]+\. / /'


The following *nix command can be run at the command line to display a list of all unknown running processes on the network, with counts of occurrences (processes only running on a few machines may be more suspect):


grep -oE '^[0-9]+\. .+$' <report.csv> | sed -E 's/[0-9]+\. //' | sort -f | uniq -ic | sort -nr
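
As an added example extending the commands above (not part of the original report documentation), the script below goes one step further than the count pipeline: it attributes each unknown process to the hosts it was reported on and lists the rarest processes first, so the "few machines" cases can be investigated directly. It assumes the export places the host IP in the second quoted field of each detection row and carries the numbered process list inside the Plugin Text field, as the grep patterns above imply; the sample report is constructed.

```shell
#!/bin/sh
# Added example, not part of the original SecurityCenter report documentation.
# For an "Unknown Processes" (plugin 70768) CSV export, list every process with
# the number of hosts it runs on and which hosts those are, rarest first.
# Assumed export layout (not documented on the page): each detection row begins
# with the quoted plugin ID and carries the host IP as the second quoted field;
# the Plugin Text field spans several raw lines of the form "N. <process path>".

# Constructed sample export in that assumed layout (not a real report).
make_sample_report() {
  cat >"$1" <<'EOF'
"Plugin","IP Address","DNS Name","NetBIOS Name","Plugin Name","Plugin Text"
"70768","10.0.0.5","ws05.example.test","WS05","Unknown Processes","The following unknown processes were detected:
1. c:\windows\system32\svchost.exe
2. c:\program files\vendor\agent.exe
3. c:\users\public\updater.exe"
"70768","10.0.0.6","ws06.example.test","WS06","Unknown Processes","The following unknown processes were detected:
1. C:\Windows\System32\svchost.exe
2. c:\program files\vendor\agent.exe"
"70768","10.0.0.7","ws07.example.test","WS07","Unknown Processes","The following unknown processes were detected:
1. c:\windows\system32\svchost.exe"
EOF
}

# Usage: processes_by_host_count report.csv
# Output: <host count> <process> <host IPs...>, one process per line, rarest first.
processes_by_host_count() {
  awk -F'","' '
    /^"[0-9]+","/ { host = $2; next }     # detection row: remember which host follows
    /^[0-9]+\. / {                          # numbered line from the Plugin Text field
      sub(/^[0-9]+\. /, "")                 # strip the "N. " prefix, as the sed above does
      sub(/"$/, "")                         # last line of the field ends with the closing quote
      p = tolower($0)                       # fold case, like sort -f | uniq -i
      if (!(p in seen)) { seen[p] = 1; order[++n] = p }
      if (!((p, host) in hit)) {            # count each host once per process
        hit[p, host] = 1; count[p]++; hosts[p] = hosts[p] " " host
      }
    }
    END { for (i = 1; i <= n; i++) { p = order[i]; print count[p], p hosts[p] } }
  ' "$1" | sort -n
}
```

Run it against a real export with `processes_by_host_count report.csv`; processes at the top of the list, present on one or two hosts, are the ones to verify first.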


Web Servers Hosting Sites with Malicious Content

This CSV report lists all detections by Nessus plugins 71024 (Web Site Hosting Malicious Binaries), 52670 (Web Site Links to Malicious Content), and 29871 (Web Server Malicious Javascript Link Detection). These detections show web servers hosting sites with malicious content, which might indicate that the servers have been compromised. For each detection, the report presents plugin details and host information; note that some of these web servers may be third-party. In SecurityCenter, look up plugin details by plugin ID to obtain remediation suggestions, so that visitors to the sites will not be infected.


List of Installed Software

This CSV report lists all installed software detected on the network hosts. Verify that all the software in this list is legitimate and authorized. Software that only appears on a few machines may be more suspect. Note that applications that are no longer installed may still be listed in this report, due to detection of traces left behind by uninstallers or by manual removal of application files.


List of Running Services

This CSV report lists all running services detected on the network hosts. Verify that all the services in this list are legitimate and authorized. Services only running on a few machines may be more suspect.