We have been using OpenVAS for years now. The host where it runs is within our Azure network, where it is subject to Microsoft Defender for Cloud scans itself.
Defender has identified a couple of hacktools on the OpenVAS host:
Impacket
ZkarletFlash
PWDump
Impntlmdmp
Imgepesz
They are marked as malware (Agentless). Nevertheless, they seem to be there as part of the OpenVAS deployment/update.
Is this something to worry about? How can I be sure these tools are harmless? Is there any reference or evidence that this alleged malware is part of the vulnerability scanning tasks done by OpenVAS itself?
Our Greenbone Security Assistant version is 23.3.0
Thank you
Impacket is a dependency for openvas-scanner. It’s not malware per se, it’s a security tool that is often used by hackers for cyber attacks. I don’t believe the other items on the list are part of Greenbone. If you are running Greenbone on Kali Linux, maybe these tools are also installed by default, or have been installed for some other reason.
Thank you for confirming the Impacket dependency.
As for the others, they must have come with the OpenVAS/Greenbone solution, otherwise the system is compromised.
We used this source to deploy Greenbone: Greenbone Community Containers - Greenbone Community Documentation
We are on Ubuntu 22.04 LTS.
There is always the possibility of a false positive from Windows Defender, or there is some code shared between these other “hacktools”. You would have to investigate further.
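One way to do that investigation, as an added example that is not from this thread or from Greenbone: compare each flagged file against the hash pip recorded when it installed the package, since Impacket is installed as a Python dependency. The `impacket-0.0.0.dist-info` directory, file names and contents below are constructed placeholders, not real Greenbone or Impacket files.

```python
"""Check whether a file flagged by an AV scanner is the unmodified copy installed
by a Python package (e.g. Impacket pulled in by openvas-scanner). pip lists every
installed file in <dist>.dist-info/RECORD as "<path>,sha256=<urlsafe b64>,<size>"."""
import base64
import hashlib
import os
import tempfile
from pathlib import Path


def record_hash(path: Path) -> str:
    # Same encoding pip writes into RECORD: urlsafe base64, '=' padding stripped.
    digest = hashlib.sha256(path.read_bytes()).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_flagged_file(site_packages: Path, flagged: Path) -> str:
    """'ok': hash matches RECORD; 'modified': differs; 'unowned': no package lists it."""
    rel = os.path.relpath(flagged, site_packages).replace(os.sep, "/")
    for record in site_packages.glob("*.dist-info/RECORD"):
        for line in record.read_text().splitlines():
            fields = line.split(",")
            if len(fields) == 3 and fields[0] == rel:
                if not fields[1]:  # RECORD itself and .pyc files are listed without a hash
                    return "ok"
                return "ok" if fields[1] == record_hash(flagged) else "modified"
    return "unowned"


def demo() -> dict:
    """Constructed site-packages (placeholder version 0.0.0): one genuine file,
    one file altered after install, one file no package claims."""
    sp = Path(tempfile.mkdtemp()) / "site-packages"
    pkg = sp / "impacket"
    pkg.mkdir(parents=True)
    good, edited, stray = pkg / "smb.py", pkg / "ntlm.py", pkg / "dropped.py"
    good.write_text("# constructed sample module\n")
    edited.write_text("# original content at install time\n")
    info = sp / "impacket-0.0.0.dist-info"
    info.mkdir()
    info.joinpath("RECORD").write_text(
        f"impacket/smb.py,{record_hash(good)},{good.stat().st_size}\n"
        f"impacket/ntlm.py,{record_hash(edited)},{edited.stat().st_size}\n"
        "impacket-0.0.0.dist-info/RECORD,,\n")
    edited.write_text("# tampered after install\n")  # simulates a post-install change
    stray.write_text("# not in any RECORD\n")
    return {p.name: check_flagged_file(sp, p) for p in (good, edited, stray)}


if __name__ == "__main__":
    print(demo())  # {'smb.py': 'ok', 'ntlm.py': 'modified', 'dropped.py': 'unowned'}
```

On a real host, point `check_flagged_file` at the site-packages directory inside the scanner container (or the Python environment Greenbone uses) and at each path Defender reported; a result other than 'ok' is what warrants a closer look.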
That is just the IP packet that is misinterpreted as a false positive by Defender, which is known to raise false positives. There is nothing we can do about it, but you can whitelist the IP of the scanner.
GVM has to check if your system is vulnerable to exactly what these tools exploit, so a false positive is immanent. If you do real checks and not a checklist vulnerability test, that will always happen if you have such an AV/IDS/IPS system in place.