OpenVAS triggering Advanced Threat Control in BitDefender antivirus

We do monthly scans of our network using OpenVAS. Either OpenVAS changed the way it’s scanning, or our antivirus vendor (Bitdefender) changed what they’re detecting, because we’re getting a flood of Advanced Threat Control alerts when OpenVAS uses wmic to execute cmd.exe and pass control to powershell.

Here is one example of a command that is triggering:

"C:\Windows\System32\cmd.exe" /Q /c powershell -Command " & {Get-WmiObject -ClassName CIM_DataFile -Filter \"FileName = 'zoom' AND Extension = 'exe'\" | Select-Object -Property Name, Version | ConvertTo-Csv -NoTypeInformation -Delimiter ';' | Select-Object -Skip 1}" 1> \\127.0.0.1\ADMIN$\__1740499718.6143084 2>&1

Naturally, we don’t want to disable Advanced Threat detection in our antivirus tool - and we don’t want to stop scanning our network for vulnerabilities. However, if we can’t get these 2 products to play nice, we’ll have to replace one or both of them.

Is there a simpler way for OpenVAS to look for these vulnerabilities, rather than using WMI to chain to cmd.exe and then run powershell?

Additionally - it looks like you’re trying to dump output to the ADMIN$ share - which isn’t going to work on some of our machines that have implemented stronger security settings.

Since your example references “WMI” and since we had similar problems with other antivirus vendors in the past, it is very likely that the BitDefender detections have changed.

We use Impacket for interoperability with Microsoft Windows systems. Threat actors have utilized Impacket in the past; however, Impacket itself is not a malicious tool or software but can be used for legitimate purposes, such as administration or, in our case, vulnerability and compliance tests, for example Log4j/Log4shell detections and CIS Microsoft IIS benchmarks.

We are currently investigating other technologies, for example agents, but this is a topic for the future and not an immediate solution.

The immediate options are to either add OpenVAS to an allow list (if supported by BitDefender), to disable the alerts at large and allow Impacket for at minimum the duration of scans, or to disable WMI tests in OpenVAS. Note that disabling WMI tests may significantly reduce vulnerability detections.

To disable WMI tests, clone the used scan config, edit the cloned scan config, go to the menu “Settings → Options for Local Security Checks”, check “Disable file search via WMI on Windows” and save. If warnings persist, you can also try disabling the corresponding setting “Disable the usage of win_cmd_exec for remote commands on Windows”.

We also encourage you to report to BitDefender that vulnerability scanning and Impacket are legitimate uses and that Impacket is not an exploit tool on its own. See the recommendations from CISA: “Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization” (CISA).

4 Likes

On a related note to this:

This share is used by the previously mentioned Impacket toolkit internally, if this is a problem you could create a feature request at https://github.com/fortra/impacket/issues to see if a different approach can be implemented by the project.

2 Likes

Just as an extra note here, setting “Disable the usage of win_cmd_exec for remote commands on Windows” to true should prevent this issue, but multiple VTs will not run anymore.

2 Likes

So many nice responses from the community. Unfortunately, I can only mark one of them as the ‘solution’.

We haven’t reported the issue to Bitdefender yet, but we implemented a couple of regex exceptions so that Bitdefender doesn’t alert on the cmd syntax used by Impacket.

4 Likes

One additional note:

AFAICT the usage of Impacket will increase in the future so disabling the previously mentioned option(s) should be only seen as a last resort as the production detection coverage will decrease constantly over time otherwise.

1 Like

Maybe you could share those exceptions with the community. Guess others might have similar issues in the future.

2 Likes

I’m happy to share what we changed. For Bitdefender’s Advanced Threat Control module, we exempted command lines that matched either of two regular expressions:

  • To allow Impacket to get last boot time
"C:\\Windows\\System32\\cmd\.exe" \/Q \/c powershell -Command " & \{\[System\.Management\.ManagementDateTimeConverter\]::ToDmtfDateTime\(\(Get-CimInstance Win32_OperatingSystem\)\.LastBootUpTime\)\}" 1> \\\\127\.0\.0\.1\\ADMIN\$\\__([A-Za-z0-9]+(\.[A-Za-z0-9]+)+) 2\>\&1
  • To allow Impacket to get applications and their version
"C:\\Windows\\System32\\cmd\.exe" \/Q \/c powershell -Command " & \{Get-WmiObject -ClassName CIM_DataFile -Filter \\"FileName = '[A-Za-z0-9]+' AND Extension = 'exe'\\" \| Select-Object -Property Name, Version \| ConvertTo-Csv -NoTypeInformation -Delimiter ';' \| Select-Object -Skip 1\}" 1\> \\\\127\.0\.0\.1\\ADMIN\$\\__[0-9]+\.[0-9]+.*

We’ll probably need to adapt this when we change antivirus products later this year.

4 Likes
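A small check to vet such exceptions before deploying them, added here and not part of any post in the thread: it confirms the two patterns cover the Impacket command lines while an unrelated PowerShell invocation still falls through. The patterns are adapted into Python `re` syntax from the two exceptions above (anchored, with the trailing `.*` tightened), and all sample command lines are constructed.

```python
import re

# Allow-list patterns adapted (Python re syntax, anchored, tightened tail) from the
# two Bitdefender ATC exceptions posted in the thread.
LAST_BOOT_RE = re.compile(
    r'^"C:\\Windows\\System32\\cmd\.exe" /Q /c powershell -Command " & \{\[System\.Management\.'
    r'ManagementDateTimeConverter\]::ToDmtfDateTime\(\(Get-CimInstance Win32_OperatingSystem\)'
    r'\.LastBootUpTime\)\}" 1> \\\\127\.0\.0\.1\\ADMIN\$\\__[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)+ 2>&1$'
)
FILE_SEARCH_RE = re.compile(
    r'^"C:\\Windows\\System32\\cmd\.exe" /Q /c powershell -Command " & \{Get-WmiObject '
    r'-ClassName CIM_DataFile -Filter \\"FileName = '
    r"'[A-Za-z0-9]+' AND Extension = 'exe'"
    r'\\" \| Select-Object -Property Name, Version \| ConvertTo-Csv -NoTypeInformation '
    r"-Delimiter ';' \| Select-Object -Skip 1\}"
    r'" 1> \\\\127\.0\.0\.1\\ADMIN\$\\__[0-9]+\.[0-9]+ 2>&1$'
)
ALLOWLIST = (LAST_BOOT_RE, FILE_SEARCH_RE)

# Constructed sample command lines: the first is the one quoted in the question,
# the second is rebuilt from the boot-time exception, the third is an unrelated
# PowerShell invocation that must NOT be covered by the exceptions.
SAMPLE_FILE_SEARCH = (
    r'"C:\Windows\System32\cmd.exe" /Q /c powershell -Command " & {Get-WmiObject '
    r'-ClassName CIM_DataFile -Filter \"FileName = '
    r"'zoom' AND Extension = 'exe'"
    r'\" | Select-Object -Property Name, Version | ConvertTo-Csv -NoTypeInformation '
    r"-Delimiter ';' | Select-Object -Skip 1}"
    r'" 1> \\127.0.0.1\ADMIN$\__1740499718.6143084 2>&1'
)
SAMPLE_LAST_BOOT = (
    r'"C:\Windows\System32\cmd.exe" /Q /c powershell -Command " & {[System.Management.'
    r'ManagementDateTimeConverter]::ToDmtfDateTime((Get-CimInstance Win32_OperatingSystem)'
    r'.LastBootUpTime)}" 1> \\127.0.0.1\ADMIN$\__1740499718.6143084 2>&1'
)
SAMPLE_OTHER = (
    r'"C:\Windows\System32\cmd.exe" /Q /c powershell -Command " & {Get-Process}"'
    r' 1> \\127.0.0.1\ADMIN$\__1740499718.6143084 2>&1'
)

def is_allowlisted(cmdline: str) -> bool:
    """True if the whole command line matches one of the exception patterns."""
    return any(p.match(cmdline) for p in ALLOWLIST)

def review(samples: dict) -> dict:
    """Label each sample so the exceptions can be checked before deployment."""
    return {name: is_allowlisted(cmd) for name, cmd in samples.items()}

if __name__ == "__main__":
    for name, hit in review({"file_search": SAMPLE_FILE_SEARCH, "last_boot": SAMPLE_LAST_BOOT,
                             "other": SAMPLE_OTHER}).items():
        print(f"{name}: {'exempt' if hit else 'still alerts'}")
```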

Well those regex exceptions aren’t working anymore. I don’t know if Bitdefender is being more picky or if Impacket is changing to do a lot more with cmd.exe executions of powershell. Whichever product is changing, it’s going to be impossible to get these two products to work together. We’ve added 5 regex exceptions to Bitdefender using wildcards and we’re still finding problems where Bitdefender alerts on the suspicious activity. We certainly don’t want to allow Bitdefender to allow just any powershell commands.

In all likelihood, OpenVAS isn’t going to work for us anymore. The powershell commands look too much like we’ve had a breach in security. We are looking at other options for detecting vulnerabilities.