QUESTION 2: Alternatively, is there a way to put the version information
in the KB without generating an alert, and then get at the data and
analyze it with a custom NASL plugin?
________________________________
From: John Scherff
Sent: Tuesday, April 24, 2007 11:02 AM
To: [email protected]
Subject: SYMANTEC AV AUDITS
QUESTION: Can wildcards or ranges be used for text values in
REGISTRY_SETTING audits?
I recently used Nessus compliance auditing to check for the
presence of four critical Symantec AV services on all systems. (See
first four items in Listing 1.) It works great.
Then I wrote an audit rule to check for the version of SAV
running on the host and the version of AV signatures installed. (See
last two items in Listing 1.) Prior to running the scan, I use sed to
replace the placeholders savVersion and defVersion. I get the latest
def version from the Symantec web site using a rather clunky script I
wrote (see excerpt in Listing 2). This also works great.
Unfortunately, I found that there are many slightly different,
but recent, versions of the SAV client running on our systems. I also
found that most clients are using virus signatures that are one or two
days older than the most recent one (probably due to the centralized
nature of our malware management architecture.)
SO...
What I need is to be able to specify a range of valid virus
definitions (e.g., the last three) and a range or wildcard value for
valid software versions. The nessus compliance audit documentation
doesn't mention the ability to do this.
Is it possible?
R/ John Scherff
Sr. IT Security Engineer
24 Hour Fitness
LISTING 1
<check_type: "Windows">
<group_policy: "Tenable Audit file">
<custom_item>
type: SERVICE_POLICY
description: "Symantec Antivirus service (Symantec Antivirus)"
value_type: SERVICE_SET
value_data: "Automatic"
service_name: "Symantec Antivirus"
</item>
<custom_item>
type: SERVICE_POLICY
description: "Symantec virus definition monitoring and
maintenance service (DefWatch)"
value_type: SERVICE_SET
value_data: "Automatic"
service_name: "DefWatch"
</item>
<custom_item>
type: SERVICE_POLICY
description: "Symantec event propagation and logging service
(ccEvtMgr)"
value_type: SERVICE_SET
value_data: "Automatic"
service_name: "ccEvtMgr"
</item>
<custom_item>
type: SERVICE_POLICY
description: "Symantec settings storage and management service
(ccSetMgr)"
value_type: SERVICE_SET
value_data: "Automatic"
service_name: "ccSetMgr"
</item>
<custom_item>
type: REGISTRY_SETTING
description: "Symantec Antivirus Software Version"
value_type: POLICY_TEXT
value_data: "savVersion"
reg_key: "HKLM\SOFTWARE\Intel\DLLUsage\VP6"
reg_item: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
</item>
<custom_item>
type: REGISTRY_SETTING
description: "Symantec Antivirus Definitions Version"
value_type: POLICY_TEXT
value_data:
"C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\defVersion"
reg_key: "HKLM\SOFTWARE\Symantec\SharedDefs"
reg_item: "DEFWATCH_10"
</item>
</group_policy>
</check_type>
LISTING 2
defVersion=`wget -qO - http://definitions.symantec.com/defs/
<http://definitions.symantec.com/defs/> |
egrep -o '[0-9]{8}-[0-9]{3}-i32' | cut -c1-12 | sort -u | tail
-1 | tr - .`
sed 's!defVersion!'$defVersion'!' \
Win32_SAV.audit > /tmp/scanPolicy.$$
sed 's!^\( Windows Compliance .*1 : =
\)$!\1'/tmp/scanPolicy.$$'!' \
$scanConfig > /tmp/scanConfig.$$
NessusClient -c /tmp/scanConfig.$$ -T nbe -xq $scanHost \
$scanPort $scanUser $scanPass $scanTarget $scanResult
rm -f /tmp/*.$$
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
