We do monthly scans of our network using OpenVAS. Either OpenVAS changed the way it’s scanning, or our antivirus vendor (Bitdefender) changed what they’re detecting, because we’re getting a flood of Advanced Threat Control alerts when OpenVAS uses wmic to execute cmd.exe and pass control to PowerShell.
Here is one example of a command that is triggering:
Naturally, we don’t want to disable Advanced Threat detection in our antivirus tool - and we don’t want to stop scanning our network for vulnerabilities. However, if we can’t get these 2 products to play nice, we’ll have to replace one or both of them.
Is there a simpler way for OpenVAS to look for these vulnerabilities, rather than using WMI to chain to cmd.exe and then run PowerShell?
Additionally, it looks like you’re trying to dump output to the ADMIN$ share, which isn’t going to work on some of our machines that have implemented stronger security settings.
Since your example references “WMI”, and since we had similar problems with other antivirus vendors in the past, it is very likely that the Bitdefender detections have changed.
We use Impacket for interoperability with Microsoft Windows systems. Threat actors have utilized Impacket in the past; however, Impacket itself is not a malicious tool or software but can be used for legitimate purposes, such as administration or, in our case, vulnerability and compliance tests, for example Log4j/Log4shell detections and CIS Microsoft IIS benchmarks.
We are currently investigating other technologies, for example agents, but this is a topic for the future and not an immediate solution.
The immediate options are to either add OpenVAS to an allow list (if supported by Bitdefender), to disable the alerts at large and allow Impacket for at least the duration of scans, or to disable WMI tests in OpenVAS. Note that disabling WMI tests may significantly reduce vulnerability detections.
To disable WMI tests, clone the used scan config, edit the cloned scan config, go to the menu “Settings → Options for Local Security Checks”, check “Disable file search via WMI on Windows” and save. If warnings persist, you can also try disabling the corresponding setting “Disable the usage of win_cmd_exec for remote commands on Windows”.
This share is used internally by the previously mentioned Impacket toolkit. If this is a problem, you could create a feature request at https://github.com/fortra/impacket/issues to see if a different approach can be implemented by the project.
Just as an extra note here, setting “Disable the usage of win_cmd_exec for remote commands on Windows” to true should prevent this issue, but multiple VTs will not run anymore.
So many nice responses from the community. Unfortunately, I can only mark one of them as the ‘solution’.
We haven’t reported the issue to Bitdefender yet, but we implemented a couple of regex exceptions so that Bitdefender doesn’t alert on the cmd syntax used by Impacket.
AFAICT the usage of Impacket will increase in the future, so disabling the previously mentioned option(s) should only be seen as a last resort, as the production detection coverage will otherwise decrease constantly over time.
I’m happy to share what we changed. For Bitdefender’s Advanced Threat Control module, we exempted command lines that matched either of 2 regex expressions:
Well, those regex exceptions aren’t working anymore. I don’t know if Bitdefender is being more picky or if Impacket is changing to do a lot more with cmd.exe executions of PowerShell. Whichever product is changing, it’s going to be impossible to get these two products to work together. We’ve added 5 regex exceptions to Bitdefender using wildcards, and we’re still finding problems where Bitdefender alerts on the suspicious activity. We certainly don’t want to allow Bitdefender to allow just any PowerShell commands.
In all likelihood, OpenVAS isn’t going to work for us anymore. The PowerShell commands look too much like we’ve had a breach in security. We are looking at other options for detecting vulnerabilities.
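The over-breadth problem the thread runs into (wildcard exceptions that also silence unrelated PowerShell activity) can be checked before an exception is deployed. The following is an added example, not code from any post, Greenbone or Bitdefender: it runs a wildcard-style exception and a tightly scoped one over constructed command lines that imitate the chain described above (cmd.exe handing off to powershell with output redirected into the ADMIN$ share). The command-line format and the scoped regex are assumptions, not Impacket's exact syntax or Bitdefender's exception language.

```python
import re

# Constructed sample process-creation command lines (not captured from a real host).
# The first two imitate the scanner chain described in the thread; the last two are
# unrelated PowerShell launches that a scanner exception must never cover.
SAMPLES = {
    "scan_version":  r'cmd.exe /c powershell.exe -NoProfile -Command "Get-ItemProperty HKLM:\SOFTWARE\Microsoft\InetStp" > \\127.0.0.1\ADMIN$\scan_1.txt 2>&1',
    "scan_filefind": r'cmd.exe /c powershell.exe -NoProfile -Command "Get-ChildItem C:\ -Filter log4j*.jar -Recurse" > \\127.0.0.1\ADMIN$\scan_2.txt 2>&1',
    "encoded":       r'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64_PLACEHOLDER>',
    "script_file":   r'powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1',
}

# The lines the exception is meant to cover: only the scanner-originated ones.
SCANNER_LINES = {"scan_version", "scan_filefind"}

# Exception A: the wildcard style mentioned in the thread, approximated as a regex.
BROAD_EXCEPTION = re.compile(r".*powershell.*", re.IGNORECASE)

# Exception B: a constructed scoped pattern (assumption). cmd.exe must be the launcher,
# the inner command must be a plain quoted -Command string (so no -EncodedCommand or
# -File), and stdout/stderr must be redirected into the ADMIN$ share.
SCOPED_EXCEPTION = re.compile(
    r'^cmd\.exe /c powershell\.exe -NoProfile -Command "[^"]*" > \\\\[\w.-]+\\ADMIN\$\\[\w.-]+ 2>&1$',
    re.IGNORECASE,
)


def covered_by(pattern: re.Pattern, samples: dict = SAMPLES) -> set:
    """Names of the sample command lines this exception would silence."""
    return {name for name, line in samples.items() if pattern.fullmatch(line)}


def overreach(pattern: re.Pattern, samples: dict = SAMPLES, intended: set = SCANNER_LINES) -> set:
    """Sample lines silenced beyond the scanner traffic the exception was written for."""
    return covered_by(pattern, samples) - intended


def misses(pattern: re.Pattern, samples: dict = SAMPLES, intended: set = SCANNER_LINES) -> set:
    """Scanner lines the exception fails to cover (these would still alert)."""
    return intended - covered_by(pattern, samples)


if __name__ == "__main__":
    for label, pat in (("broad", BROAD_EXCEPTION), ("scoped", SCOPED_EXCEPTION)):
        print(f"{label}: silences={sorted(covered_by(pat))} "
              f"overreach={sorted(overreach(pat))} misses={sorted(misses(pat))}")
```

Run against real EDR process-creation logs, the same check shows which of a proposed exception's matches are not scanner traffic before the exception goes live.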