# using nmap to scan for virus activity



## triumdh (Apr 28, 2012)

Hello forum,

We very successfully use FreeBSD 8.3 as our gateways at multiple locations. Currently our clients and servers run MS Windows (XP, 7, Server 2003). With over 500 client PC's we have tried using Trend Micro and Symantec Pro as the client ati-virus. Both have failed to stop infections (and yes, the definitions were up to date). The tipping point came two years ago when Symantec offered to remove a virus for a fee. We do not provide users with "admin" or "power user" privileges, so virus removal after an infection is very easy (malwarebytes).

We wanted a better solution. We now use the free "Microsoft Security Essentials" software and our infection rate is still about the same as using the other paid for solutions. My main concern is any information transmitted by a virus. Any ideas or thoughts on using nmap to look for PC's transmitting on non-standard ports. I would also like to hear how you are dealing with this issue. I would also add that we don't look for "free" software just the best solution.


----------



## shitson (Apr 28, 2012)

What ports do you allow clients to talk to the Internet on?


----------



## triumdh (Apr 28, 2012)

80
443
587
143


----------



## gkontos (Apr 28, 2012)

triumdh said:
			
		

> 80
> 443
> 587
> 143



In these kind*s* of situations, we don't allow any outbound Internet access to our clients and servers. 

a) Use a proxy server located in a DMZ to filter outbound web access
b) Use an email gateway located in a DMZ for inbound / outbound mail services.

Ideally, you could use an internal proxy which would allow connections to the DMZ proxy. Same goes for the mail gateway.

This way, you will perform all of your filtering on two devices. Since you don't really care if the solution is open source, you can find a lot of devices in the market designed exactly for this kind of job. 

Nmap would not be your tool in this case. Yes, you can discover open ports which would lead to possible infected servers. But you don't want to scan your network. Instead you want to "listen" to your network. A properly configured IDS device would give you some hints on possibly infected computers.


----------



## aa (Apr 28, 2012)

triumdh said:
			
		

> Hello forum,
> ...
> Any ideas or thoughts on using nmap to look for PC's transmitting on non-standard ports..



You seem to be misinformed about what nmap does. It's a network scanner, yes, but nothing like scanning viruses.


----------



## xibo (Apr 28, 2012)

Given these days the highest rate of infections will be inside of network environments that are NAT-ed to the internet, chances that a worm will open a port on the infected machine and a*s*sume to be scanned by an attacker are very low. A worm will instead most probably communicate to a remote host by acting as client to it, and transmitting the data to its port 80, eventually even with proper HTTP to run through proxies.

There are lists of known bad remote hosts as well as signatures of worm/trojan/malware/ traffic that are made public by security analyst*s* and used by IDS, which, as gkontos already said, will most probably be of more use to you then NMAP.


----------



## Beeblebrox (Apr 29, 2012)

@triumdh:
Have you tried identifying the source and the how of infections?
For example anyone can guess that at least 50% of infections are by e-mail. Since we assume you already have a mail server on your LAN and that desktops don't leave the LAN at all, that leaves the mobile PC's and others (tablets, hand-helds).
A break-down of the machines may shed some light into what types of devices are the source of the risk. Then you can further look at those specific devices to identify what it is they exactly do that places the network structure at risk. Finally you could create a separate network just for those "high-risk" devices/machines thereby segregating them from the secure network environment - a sort of "usual suspects" approach.


----------



## saxon3049 (Apr 29, 2012)

As Beeblebrox (great name by the way Zafod) said, I would at this point take a look for the initial source of the infection. For example do the users download attachments willy nillily, are you using a web browser with vulnerabilities, is java and flash up to date on all the clients (is it even needed is a better question), are the users using flash drives to pass round files?


----------



## throAU (Apr 30, 2012)

If you're running without mail scanning, all bets are off.  Ideally you want to do web-content scanning as well.

AS gkontos said, you need to filter these services at your network edge.

Presently, where I work we use Forefront on our Exchange server, and also a TMG firewall (In addition to a Cisco ASA, and pretty strict ACLs on our border router).  We've had maybe 1 malware instance (1 PC infected) in the past 18 months.

If you're looking for open source solutions, I'd be looking at ClamAV for your e-mail scanning, not sure what is available for inline web content scanning with squid (been a while since I've used it).


----------



## Beeblebrox (Apr 30, 2012)

@throAU: security/clamav does have several daemons for http scanning, daemon name depends on the proxy being used because the clamav daemons for such services (pop, http, etc) are a sub-process of the proxy engine and not of clamav its self (for squid it's squidclamav for example).

@saxon3049: Thanks for the compliment. When I first signed up, my signature was: "two heads are better than one", if you know what I mean...

@triumdh: http real-time scanning is very costly resource wise. It's simpler and cheaper to use ad-blockers and privacy tools (like privoxy). Plus your users in the LAN side are probably not surfing high-risk sites at work - specially if they know that the traffic is being logged. Your gateway can also prevent access to such sites through a blacklist.

If you have such a high infection rate, I strongly suspect that there is something else going on and that there is a design flaw in how you are protecting your LAN. You just don't get that many infections due to legitimate http traffic by pc clients.

Have a look here as well: http://forums.freebsd.org/showthread.php?t=29798


----------



## SirDice (Apr 30, 2012)

Beeblebrox said:
			
		

> If you have such a high infection rate, I strongly suspect that there is something else going on and that there is a design flaw in how you are protecting your LAN. You just don't get that many infections due to legitimate http traffic by pc clients.


In this case it's not a technical issue but one of attitude. Educate your users! Tell them what to look for and instead of running things they'll contact you when they find something that's out of the ordinary.

Lots of good things have been said already. Just make sure _none_ of your clients have a direct internet connection. Push _everything_ through proxies that can do content scanning.


----------



## triumdh (Apr 30, 2012)

Thanks for all the replies. We don't run an internal mail server and I would say that 99% of the virus activity is sourced from the Internet by bad browsing practices (although we did get one from a link on the Wall Street Journal website). Because of politics and the business we are in, we cannot blacklist/whitelist. The high risk machines are segmented by VLANs, but that just protects our servers, not any client information that may be leaked. Experience has shown (in our case), that virus detection based on definitions hasn't helped us that much.

What we were looking for was a signature that most virus share based on outgoing traffic. If it was up to me, I would lock them down with a whitelist but i don't have that option. We are running squid so at least have browsing history and traffic available after the fact but not the staff or time to go through it effectively. It seems nmap is not the way to go.

What about syslog-ng and Logzilla for real-time alerts? We would still have to know what to look for? Would it just be excessive outgoing traffic on port 80?


----------



## Beeblebrox (Apr 30, 2012)

> We don't run an internal mail server


Well, there's your problem: your LAN apparently has very loose morals.

Place a dedicated pop/imap proxy server and scan all mails before they get to client. You can even send a separate mail to the client advising them that mail addressed to them by <shmoe> was blocked because <virus-type> was detected.


----------



## saxon3049 (Apr 30, 2012)

What kind of business are you in if you can't white list or black list?


----------



## throAU (May 1, 2012)

SirDice said:
			
		

> In this case it's not a technical issue but one of attitude. Educate your users! Tell them what to look for and instead of running things they'll contact you when they find something that's out of the ordinary.



Now this does depends on your users, however in my experience (mining industry) educating them doesn't work.  User churn + lack of care ("IT is not my problem!" and "I'm bored on night-shift and want to download the Simpsons!") means that relying on them to do the right thing doesn't necessarily work.

Also, do you really want to leave your LAN client's security to your user's goodwill?

IMHO - be proactive:  set up blacklists on your web proxy, scan incoming web content if you have the resources to do so and definitely scan e-mail on the way in.

Do not allow connections directly out from your clients unless needed for a specific business task.  In most cases, the only external traffic they need is email and web - and this can be funneled through SQUID and your e-mail relay respectively.  Block everything else outbound unless there is a business case for it, and then allow those specific apps.


edit:
If your users require unfettered access to the internet to do their job, give them a tablet or some other device that is not connected to your LAN, or connected to a seperate "unsecure" network.

Open, unfiltered access to the internet and a secure LAN are diametrically opposed objectives, and you can't have both in the same network.


----------



## SirDice (May 1, 2012)

throAU said:
			
		

> Now this does depends on your users, however in my experience (mining industry) educating them doesn't work.  User churn + lack of care ("IT is not my problem!" and "I'm bored on night-shift and want to download the Simpsons!") means that relying on them to do the right thing doesn't necessarily work.
> 
> Also, do you really want to leave your LAN client's security to your user's goodwill?


I'm not saying you should depend on them, I'm just saying you should explain to them what to look for. Security is a layered approach and you should never forget that an informed user is a valuable one.

Sure, not all of them will be bothered. Some will continue to do stupid things. But if the majority uses a bit of common sense you will get a long way.

As for, "I want to download the Simpsons!", that's simple. Cover it with a usage policy. Fire anyone that doesn't stick to the rules.


----------



## triumdh (May 1, 2012)

Hello,



			
				aa said:
			
		

> You seem to be misinformed about what nmap does. It's a network scanner, yes, but nothing like scanning viruses.



The SANS Institute actually recommended NMAP for searching for the Conficker virus.

http://www.sans.org/security-resources/idfaq/detecting-conficker-nmap.php

Our mail server is hosted externally, runs SpamAssassin and is not responsible for over 99.9% of our virus activity.

My company has a business model, that I cannot change and requires open access to any website for certain clients on the WAN and also access to internal servers. I'm sure that when they do get hit by an almighty virus the business model may change. Until then I am trying to find the best solution.

Thank you all for your replies.


----------



## ChalkBored (May 2, 2012)

triumdh said:
			
		

> Hello,
> 
> 
> 
> The SANS Institute actually recommended NMAP for searching for the Conficker virus.



They're using NMAP to scan for vulnerable ports, then trying to exploit them in the same manner Conficker would have; except warning them if it worked, instead of installing the virus.


----------



## throAU (May 2, 2012)

SirDice said:
			
		

> As for, "I want to download the Simpsons!", that's simple. Cover it with a usage policy. Fire anyone that doesn't stick to the rules.



It's already in our usage policy, unfortunately IT doesn't have the authority to fire.  Also, middle management / upper management are the worst offenders.

When caught out they get a "don't do that" and that's the end of it.

Seriously, we had a plant maintenance manager download the X-Files DVD boxed set over satellite in Kazakhstan a few years back, killing the WAN for everyone on site until it was detected/stopped, and racking up a few grand in data.

End result?  I think he owed the site manager a carton (of beer - I'm an Aussie working for an Australian company).

Maybe it's just Australia (mining industry in particular) - over here you can screw up in the most horrendous fashion and the typical restitution is a carton (e.g., 5-10k in light vehicle damage = carton, etc).

edit:
OP - if *I* was in your situation, I'd buy a Cisco ASA (or load balanced array, etc depending on network size), put it in front of your network and just turn on the malware scanning and traffic normalization for incoming SMTP, HTTP, etc.  They'll still have open access to the web, but malware will be filtered (as will attempted protocol DOS attacks on your servers, etc). 

It's a well known company, the gear works and they'll be able to get support on it from anyone who deals with Cisco gear.

NMAP will help you find non-standard port usage, sure - but it won't prevent the infection.

Also - if you have an enterprise grade router (Cisco, Juniper, etc) turn on netflow and export the traffic flow stats to a netflow collector.  This will give you protocol stats and enable you to pinpoint where your traffic is being generated from and what is doing it a lot better.


----------



## Anonymous (May 28, 2012)

> "to look for PC's transmitting on non-standard ports."


 Why? *A*re you looking for Firefox, IE, or Chrome? You*r* lack of basic networking knowledge must mean you lied on your resume to get that job.

And do you honestly think that if there were some 100% solution to this kind of problem that malware would still exist? All of the responses you got were people explaining the most fundamental security concepts that a simple Google search would tell you.


----------



## rden (Jun 24, 2012)

*virus or tightass*



			
				mharvey87 said:
			
		

> to look for PC's transmitting on non-standard ports (and other snippets)



If you want a way to block [torrent] downloads just say so - you will get much better answers if you were honest :OO; no wonder you are not concerned about separate email servers etc.

(For those that don't know technologically Australia is still very backwards, internet is still hugely overpriced and volume metered.  (Worst part is the aussies think that is normal, ignorance may be bliss for some, but massive profits for others.))


----------

