Preface on Sub-Controls 8.2, 8.4, and 8.5

Malicious software, commonly known as malware, is any software that can attack your systems or data. The majority of malware is designed to be fast moving, and is typically identified by general terms such as worms, viruses, trojans, adware, rootkits, and spyware. Malware can be something simple and annoying, like adware, or can be a complex application that steals data, deletes documents, or installs unwanted software without the user's knowledge.

For CIS Control 8, Tenable products allow security operations teams to use Tenable Security Center Continuous View to analyze endpoints for malicious file detection. As an example, Nessus detects potentially unwanted files on a remote host using its built-in malicious file detection capability. During a credentialed Nessus scan, file hashes are compared against known malware signatures cataloged by major antivirus vendors. A report then shows which antivirus vendor considers the file to be malicious. Security teams may find this information, along with data derived from the following plugins, useful in detecting malicious applications:

  • 88963 Malicious File Detection

  • 59275 Malicious Process Detection

  • 59641 Unwanted Software Detection

Additionally, Tenable Security Center has the CIS Control 8: Malware Defenses dashboard, which contains components that provide information and report on enforcing anti-virus (AV) deployments, disabling Auto Run, and automating AV scans. In this dashboard, Tenable Security Center shows all systems with Auto Run settings enabled, the AV status, and many other parameters described throughout all sub-controls. Using Tenable Security Center, customers from all IGs can effectively track and report on sub-controls 8.1, 8.2, and 8.5.

For more information about the CIS Control 8 dashboard, see CIS Control 8: Malware Defenses.

Software enumeration alone does not reliably indicate whether an antivirus solution is installed. Endpoints without a functioning antivirus application pose a risk to the organization. Tenable has a number of plugins that check for specific antivirus solutions:

  • 24232 BitDefender Check

  • 20284 Kaspersky Anti-Virus Check

  • 12107 McAfee Anti Virus Check

  • And more

Additionally, plugin 16193 Antivirus Software Check aggregates the results from the other plugins when multiple applications are installed. Plugin 16193 also reports hosts that do not have an antivirus solution installed. Output from the plugin shows the anti-malware products, the versions of their signature files, and whether those signatures are out of date. This helps organizations meet sub-control 8.2.
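The following is an added example, not Tenable's own code, showing how a security team might triage a .nessus export for the plugin IDs named on this page (88963, 59275, 59641 for malware findings and 16193 for the aggregated antivirus status). The embedded XML is a constructed sample in the .nessus v2 export layout; its host names and plugin_output text are made up, and the rule that any non-informational 16193 result needs follow-up is an assumption for this example.

```python
import xml.etree.ElementTree as ET

# Plugin IDs named on this page.
MALWARE_PLUGINS = {"88963": "Malicious File Detection",
                   "59275": "Malicious Process Detection",
                   "59641": "Unwanted Software Detection"}
AV_CHECK_PLUGIN = "16193"  # Antivirus Software Check (aggregated AV status)

# Constructed sample in the .nessus v2 export layout; hosts and plugin_output
# text are made up for this example, not real scan output.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="cis-control-8">
    <ReportHost name="10.0.0.5">
      <ReportItem port="0" protocol="tcp" severity="3" pluginID="88963" pluginName="Malicious File Detection" pluginFamily="Windows">
        <plugin_output>C:\\Users\\Public\\tool.exe flagged by 3 AV vendors</plugin_output>
      </ReportItem>
      <ReportItem port="0" protocol="tcp" severity="0" pluginID="16193" pluginName="Antivirus Software Check" pluginFamily="Windows">
        <plugin_output>ExampleAV 7.1 installed, signatures current</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="0" protocol="tcp" severity="2" pluginID="16193" pluginName="Antivirus Software Check" pluginFamily="Windows">
        <plugin_output>No antivirus product detected</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.7"/>
  </Report>
</NessusClientData_v2>"""


def summarize(nessus_xml):
    # Triage a .nessus export for the CIS Control 8 plugins listed above.
    root = ET.fromstring(nessus_xml)
    report = {"malware_hosts": {}, "av_findings": {}, "av_unchecked": []}
    for host in root.iter("ReportHost"):
        name, av_seen = host.get("name"), False
        for item in host.findall("ReportItem"):
            pid = item.get("pluginID")
            output = (item.findtext("plugin_output") or "").strip()
            if pid in MALWARE_PLUGINS:
                report["malware_hosts"].setdefault(name, []).append((pid, output))
            elif pid == AV_CHECK_PLUGIN:
                av_seen = True
                # Assumption: severity > 0 on 16193 means missing AV or stale signatures.
                if int(item.get("severity", "0")) > 0:
                    report["av_findings"][name] = output
        if not av_seen:
            # No 16193 result usually means the credentialed check never ran; that is not evidence AV is present.
            report["av_unchecked"].append(name)
    return report
```

Hosts in `av_unchecked` deserve as much attention as those in `av_findings`: a missing check result often means the scan had no working credentials, so the host's AV state is simply unknown.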