Port scanners provide a first step toward detecting and discovering the services and network applications listening on your network. When faced with an unknown computer, programs such as the free Foundstone SuperScan 4.0 and the open-source port scanner Nmap show you not only whether the typically used HTTP port TCP 80 is open, but also the response, or banner, of the listening application. I’m a huge fan of Nmap (see “Nmap 4.0 Does Windows,” InstantDoc ID 50062) and not just because of its scanning features: I like that Nmap runs from the command line and that its results come in a variety of formats, making the tool easy to incorporate into other scripts. In other words, Nmap is a great tool to integrate with all kinds of network-centric audits. Let’s look at how to leverage Nmap and its flexible output features to quickly determine whether antivirus software is installed on the computers within a subnet.
Antivirus Software and Nmap
Antivirus software is an essential foundation of any enterprise security program, whether installed at perimeter gateways, mail gateways, or mail servers. We’re going to focus on antivirus software installed on your client computers—the workstations and laptops your employees use every day. These systems are a likely first line of defense, especially laptops that employees use at home or at a hotspot to connect to networks outside your own.
Most enterprise antivirus software products include an administrative console to help manage the networked application as well as the alerts that clients generate. But the console might offer only limited support for ensuring that every workstation has an antivirus client installed. Some products include support for logon scripts, Web-based installation points, Active Directory (AD), or installers based on network neighborhood. However, what if you manage a cross-domain environment or need to check computers that aren’t installed in your primary domain? In these cases, the automated tools to discover missing clients might not work.
That’s where Nmap comes in. Because most enterprise antivirus clients listen on a network port to receive instructions from the master (i.e., parent) server, we can use Nmap’s port-scanning capabilities—in addition to our knowledge about our antivirus client—to definitively scan an entire subnet to find every device that’s not running antivirus software. Be aware, however, that this type of audit doesn’t determine whether a device's antivirus software is properly configured. For example, just because the client is installed (and listening on its network port) doesn’t guarantee that its antivirus signature definitions are up to date. But the audit will tell you which clients probably need additional investigation.
Before we get started, I’d like to point out some caveats with using this solution. We’re using a generic port scanner to scan a subnet to look for useful information—in this case, whether an antivirus client is listening. This works well with solutions such as Symantec Antivirus Corporate or Enterprise edition but might not work for every antivirus solution, especially ones designed for home use that might not actually listen on a particular port. Also, if you run a host-based firewall, your clients might block some of the scanning probes that Nmap uses. Finally, you’ll need to differentiate network devices, such as switches and routers, and computers running Linux or Mac OS X from your subnet scans since they will show up as not having the AV client installed.
Determining the Port that Your Antivirus Software Uses
After you have visited http://insecure.org and downloaded and installed the latest version of Nmap, the next step is to determine what network port your antivirus client uses. You can get this information from your vendor or the Internet—for example, the first result on a search for “Symantec antivirus network port” takes you to a Symantec knowledge base article, which informs you that the client/server communication port for general communication is TCP 2967. Another method for determining whether your antivirus client is listening on a network port is to run the command
on a Windows XP Service Pack 2 (SP2) computer that you know is running a functional version of the antivirus client.
The venerable netstat command shows you what ports are open on a single-host computer, and newer versions show you the process identifier (PID) and associated executable with the parameters -o and -b, respectively. When we run this command on an XP SP2 computer with Symantec AntiVirus 10.0 installed, we receive confirmation that rtvscan.exe (the actual name of the antivirus client program) is running on network port TCP 2967.
Next, construct the Nmap command with appropriate parameters to scan this port, assuming that if Nmap says the port is open, the antivirus client has been installed on the computer. Of course, every environment is different, so after you sweep your network, be sure to use other methods for verifying the results and remember that this method only checks whether a program is listening on the AV client port. It doesn't confirm the integrity of the installation. If Nmap returns any other result, the state of the antivirus client is unknown and you should investigate the client by using other techniques, such as logging onto the computer and confirming if the AV software is installed, remotely connecting to the computer and seeing if the AV service is running, or connecting to the AV management console and looking for any errors related to that particular client. Your best remediation method will vary depending on your environment and the AV product that you use. As we’re focused on using Nmap for just antivirus scanning, we want Nmap to be as fast as possible, so configure it to scan only the antivirus port:
nmap -p 2967 192.168.1.0/24
Some firewalls that block Internet Control Message Protocol (ICMP) will thwart the Nmap scan because Nmap believes the host is down and therefore doesn’t scan that host. You can use the -P0 parameter to tell Nmap not to ping test the host first, as follows:
nmap -p 2967 -P0 192.168.1.0/24
The scanning might be considerably slower, but your results will be more accurate.
Running Nmap in this manner quickly shows you all the systems running the antivirus client, but the output can be overwhelming and not exactly portable, as Figure 1 shows. Let’s use Nmap’s custom output features to trim the data to show exactly what we want.
Customizing the Output
You can use the -o\[output flag\] “filename” parameter to customize NMAP output. Nmap supports several output formats, and one of my favorites is XML (using the -oX \[filename\] parameter) because it’s fairly easy to transform the output into anything I can dream up. For very quick analysis, I like to use the -oG switch and run the output through grep—good for quickly trimming unnecessary data. Let’s look at piping the Nmap output to grep first:
nmap -p 2967 -P0 -oG - 192.168.0.0/24 | grep open
Note the extra hyphen in the Nmap command after the -oG parameter. This hyphen tells Nmap that you want to output the results to the STDIO instead of a file and lets you pipe the Nmap output straight into the grep command and look for all occurrences of the word “open.” This command shows all the hosts that are running antivirus clients, as Figure 2 shows. (I’ve edited the IP addresses to just the first two octets.)
A drawback to this quick-and-dirty parsing is that we actually need to run multiple filters to see all the output, because Nmap reports a port state as open, closed, or filtered, as Figure 2 shows. A port that is closed or filtered means that either the antivirus client is not turned on or a firewall is blocking the scan.
Robust Parameters and Flexible Output
Port scanners come in various shapes and sizes—from large, feature-packed GUI-based scanners to basic command-line scanners. Nmap provides robust input and output parameters, extending its functionality beyond simply identifying the ports open on an unknown server. Its flexible output makes it an ideal candidate for inclusion in your other scripts. In a future article, I’ll explore how to manipulate Nmap’s XML output to show the computers with antivirus clients installed and those without, using XML and a short Extensible Style Language Transformations (XSLT) file.