Comments on: What is a perimeter weakening malware?
https://grey-panther.net/2008/12/what-is-a-perimeter-weakening-malware.html

By: Anonymous (Fri, 05 Dec 2008 05:53:35 +0000)
https://grey-panther.net/2008/12/what-is-a-perimeter-weakening-malware.html#comment-593

What we do with Nessus is two things:

– Anyone with the free Home Feed or the commercial Professional Feed can audit their systems running common anti-virus solutions to see if they are installed, running and up to date.

– Commercial customers can also leverage the Professional Feed to run “audit” policies that make sure a system is running the exact authorized version of the corporate standard.

If malware has done something to a system to modify DNS tables, turn off AV services and so on, many of the checks that Nessus can perform will alert on this. We’ve blogged about this several times and give pretty detailed examples of these sorts of things.

By: Cd-MaN (Tue, 02 Dec 2008 14:19:11 +0000)
https://grey-panther.net/2008/12/what-is-a-perimeter-weakening-malware.html#comment-596

My line of thinking was that there can be still some use to this (from a blackhat viewpoint), especially if the actions are not very intrusive (stopping the security software will probably be observed – creating a new administrative account – less likely).

Guarding against these changes has also the advantage that you have a better chance of observing when somebody (disgruntled admin?) tries to “backdoor” your systems from the inside.

By: kurt wismer (Tue, 02 Dec 2008 05:17:57 +0000)
https://grey-panther.net/2008/12/what-is-a-perimeter-weakening-malware.html#comment-597

i can see why it’s just a concept… it’s like opening a door and not stepping through… malware purveyors have to explicitly pass up the opportunity to own the box after stopping the security services, and passing up opportunities doesn’t sound like something they’re likely to do…
