Detecting Out-of-Date Signatures
To identify plugins that detect outdated signatures, navigate to the Tenable Plugin Search page and use the Plugin Name filter to search for the terms “signature” and “antivirus”, as shown below:
Plugin ID 103569 Windows Defender Antimalware/Antivirus Signature Definition Check is one of the plugins that detect outdated signatures in the environment. Others include the following:
88932 AVG Internet Security Out-of-Date
24232 BitDefender Antivirus Detection and Status
100784 McAfee Antivirus Engine Out of Date
24344 Windows Live OneCare Antivirus Detection
12215 Sophos Anti-Virus Detection and Status
133963 Sophos Anti-Virus Detection and Status (Linux)
54846 Sophos Anti-Virus Detection and Status (Mac OS X)
Example Filter Query:
Scan data can be searched on Security Center or Tenable Vulnerability Management to identify outdated virus signatures. The following image provides an example of an Advanced query in from the Findings page in Tenable Vulnerability Management. This example demonstrates how a security analyst can drill into details using advanced filters to customize searches.
Step 1: Click on the Advanced button to enable editing of the conditions filter
Step 2: Modify the displayed search conditions to search for the desired text strings. In this example, the search was performed with the following filter:
State is equal to Active, Resurfaced, New AND Risk Modified is not equal to Accepted AND (Plugin Name is equal to *antivirus* OR Plugin Name is equal to *anti-virus*) AND (Plugin Name is equal to *outdated* OR Plugin Name is equal to *signature*)
For the conditions stated above:
State is set to Active, Resurfaced, and New, which eliminates any vulnerabilities that have been fixed.
Risk Modified is not equal to Accepted, which eliminates all vulnerabilities that have previously been accepted.
Plugin Name is equal to the text contained in Nessus plugins with the * being utilized as a wildcard. For example, *antivirus*, will match pluginID 16193 as the name contains the text.
Step 3: Click on the Apply button to begin the search.
This search detected output from Plugin ID 103569 Windows Defender Antimalware/Antivirus Signature Definition Check
Step 4: Click on the Asset Name or Plugin Name to drill into further details about the malware exposure, as shown below.
Malware continues to evolve and grow more sophisticated both in attack methods and measures to evade security controls. Tenable solutions also evolve to help organizations quickly identify the presence of hostile software and the effectiveness of antivirus and malware controls.