Tenable Research Release Highlights

scaveza
Product Team
6 years ago

A Guide to Linux and MacOS Filesystem Malware Scanning in Tenable.io

Understanding File System Scanning for Malware

Tenable.io now has the ability to scan Linux and MacOS filesystems for malicious files. This allows organizations to detect malware that may have been deployed in their environment, even if that malware is not actively running or attempting to exploit assets.

Malware Scanning Tools in Tenable.io

There are four distinct plugins available for malware scanning:

  • Linux Malicious File Detection (126258)
  • Linux Malicious File Detection: User Defined Malware (126259)
  • MacOS Malicious File Detection (126260)
  • MacOS Malicious File Detection: User Defined Malware (126261)

Preferences for these plugins can be found in your scan policy configuration located under Assessments > Malware.

Users can provide text lists here for either known good or known bad file hash values, to increase the accuracy of a scan.

Users can also select predefined system file paths for more efficient or targeted scanning of common directories, as seen below:

Custom scan locations can also be specified by uploading a text file containing a directory list to the scan’s configuration.

Once the malware scan has been performed, infected hosts will appear in the scan results. This scan data can then be correlated and shared using the Malicious Code Prevention Report in Tenable.io.

Organizations that participate in information sharing groups like an ISAC can also use these reports to provide other members with relevant infection information without needing to give those other members access to their Tenable.io instance.

Target Release Date

Already Released

Additional Notes

This feature has already been released; however, the purpose of this alert is to spread awareness of this feature.

Thank you to @Ryan Seguin for authoring this post.

__________________________________

Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.
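
For the known good and known bad hash lists described in the post above, a pre-upload check catches malformed entries and digests that appear in both lists. This is an added example, not Tenable code: the function names are hypothetical, and the file layout (one MD5, SHA-1 or SHA-256 hex digest per line, optionally followed by a comma and a description) is an assumption to confirm against the product documentation.

```python
import re

# Hex digest lengths: MD5 = 32, SHA-1 = 40, SHA-256 = 64 characters.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

def parse_hash_list(text):
    """Return (hashes, errors) for a list with one hash per line.

    Assumed layout: '<hex digest>[,description]'; blank lines are skipped.
    """
    hashes, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        digest, _, description = line.partition(",")
        digest = digest.strip().lower()  # normalise case before comparing
        if not HASH_RE.match(digest):
            errors.append((lineno, "not an MD5/SHA-1/SHA-256 hex digest"))
        elif digest in hashes:
            errors.append((lineno, "duplicate of line %d" % hashes[digest][0]))
        else:
            hashes[digest] = (lineno, description.strip())
    return hashes, errors

def lint_lists(known_good_text, known_bad_text):
    """Lint both lists and report digests that appear in both of them."""
    good, good_errors = parse_hash_list(known_good_text)
    bad, bad_errors = parse_hash_list(known_bad_text)
    conflicts = sorted(set(good) & set(bad))
    return {"good_errors": good_errors, "bad_errors": bad_errors,
            "conflicts": conflicts}

# Constructed sample input: the MD5 of an empty file plus filler values.
# None of these are real malware hashes.
KNOWN_GOOD = "\n".join([
    "d41d8cd98f00b204e9800998ecf8427e,empty file",
    "B" * 64 + ",constructed SHA-256-length value",
])
KNOWN_BAD = "\n".join([
    "d41d8cd98f00b204e9800998ecf8427e,listed by mistake",
    "a" * 40 + ",constructed SHA-1-length value",
    "not-a-hash,typo",
    "a" * 40,
])

if __name__ == "__main__":
    for key, value in lint_lists(KNOWN_GOOD, KNOWN_BAD).items():
        print(key, value)
```

A digest reported under `conflicts` is worth resolving before the scan runs, since the same file cannot sensibly be both known good and known bad.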
