
Malware scanner MDATP not recognized

Status: Open. Vilican opened this issue 2 years ago • 2 comments

Describe the bug

Microsoft Defender ATP is not recognized (although previously fixed under issue #992 and PR #994)

Version

  • Debian Bullseye
  • Lynis version 3.0.8

Output

2022-08-14 22:57:56 Starting Lynis 3.0.8 with PID 624075, build date 2022-05-17
2022-08-14 22:57:56 ====
2022-08-14 22:57:56 ### 2007-2021, CISOfy - https://cisofy.com/lynis/ ###
2022-08-14 22:57:56 Checking permissions of /usr/share/lynis/include/profiles
2022-08-14 22:57:56 File permissions are OK
2022-08-14 22:57:56 Reading profile/configuration /etc/lynis/default.prf
2022-08-14 22:57:56 Action: created temporary file /tmp/lynis.ShJul38atZ
2022-08-14 22:57:56 Language set via profile to ''
2022-08-14 22:57:56 Plugin 'authentication' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'compliance' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'configuration' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'control-panels' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'crypto' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'dns' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'docker' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'file-integrity' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'file-systems' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'firewalls' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'forensics' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'hardware' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'intrusion-detection' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'intrusion-prevention' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'kernel' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'malware' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'memory' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'nginx' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'pam' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'processes' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'security-modules' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'software' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'system-integrity' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'systemd' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:56 Plugin 'users' enabled according profile (/etc/lynis/default.prf)
2022-08-14 22:57:57 Set option to default value: NTPD_ROLE --> client
2022-08-14 22:57:57 ====
2022-08-14 22:57:57 EOL check: 255
2022-08-14 22:57:57 Note: the end-of-life of 'Debian GNU/Linux 11 (bullseye)' could not be checked. Entry missing in software-eol.db?
2022-08-14 22:57:57 Program version:           3.0.8
2022-08-14 22:57:57 Operating system:          Linux
2022-08-14 22:57:57 Operating system name:     Debian
2022-08-14 22:57:57 Operating system version:  11
2022-08-14 22:57:57 Kernel version:            5.10.0
2022-08-14 22:57:57 Kernel version (full):     5.10.0-16-amd64
2022-08-14 22:57:57 Hardware platform:         x86_64
2022-08-14 22:57:57 -----------------------------------------------------
2022-08-14 22:57:57 Hostname:                  REDACTED
2022-08-14 22:57:57 Auditor:                   [Not Specified]
2022-08-14 22:57:57 Profiles:                  /etc/lynis/default.prf
2022-08-14 22:57:57 Work directory:            /tmp/lynis
2022-08-14 22:57:57 Include directory:         /usr/share/lynis/include
2022-08-14 22:57:57 Plugin directory:          /usr/share/lynis/plugins
2022-08-14 22:57:57 -----------------------------------------------------
2022-08-14 22:57:57 Log file:                  /var/log/lynis.log
2022-08-14 22:57:57 Report file:               /var/log/lynis-report.dat
2022-08-14 22:57:57 Report version:            1.0
2022-08-14 22:57:57 -----------------------------------------------------
2022-08-14 22:57:57 Test category:             all
2022-08-14 22:57:57 Test group:                all
2022-08-14 22:57:57 BusyBox used:              0
2022-08-14 22:57:57 ====
2022-08-14 22:57:57 Test: Checking for program update...
2022-08-14 22:57:57 Result: dig, drill or host not installed, update check skipped
2022-08-14 22:57:57 Current installed version  : 308
2022-08-14 22:57:57 Latest stable version      : 0000000000
2022-08-14 22:57:57 Update check skipped due to constraints (e.g. missing dig binary)
2022-08-14 22:57:57 ====
2022-08-14 22:57:57 Checking permissions of /usr/share/lynis/include/binaries
2022-08-14 22:57:57 File permissions are OK
2022-08-14 22:57:57 ====
2022-08-14 22:57:57 Action: Performing tests from category: System tools
2022-08-14 22:57:57 Start scanning for available audit binaries and tools...
2022-08-14 22:57:57 ====
2022-08-14 22:57:57 Performing test ID CORE-1000 (Check all system binaries)
2022-08-14 22:57:57 Status: Starting binary scan...
2022-08-14 22:57:58 Test: Checking binaries in directory /bin
2022-08-14 22:57:58 Result: directory exists, but is actually a symlink
2022-08-14 22:57:58 Action: checking symlink for file /bin
2022-08-14 22:57:58 Setting temporary readlinkbinary variable
2022-08-14 22:57:58 Note: Using real readlink binary to determine symlink on /bin
2022-08-14 22:57:58 Result: readlink shows /usr/bin as output
2022-08-14 22:57:58 Result: symlink found, pointing to directory /usr/bin
2022-08-14 22:57:58 Result: found the path behind this symlink (/bin --> /usr/bin)
2022-08-14 22:57:58 Directory /usr/bin exists. Starting directory scanning...
(...)
2022-08-14 22:57:58   Found known binary: mdatp (Microsoft Defender ATP, malware scanner) - /usr/bin/mdatp
(...)
2022-08-14 22:57:58 Result: found 1031 binaries including 12 set-uid and 6 set-gid
(...)
2022-08-14 22:57:59 ====
2022-08-14 22:57:59 Performing test ID BOOT-5177 (Check for Linux boot and running services)
2022-08-14 22:57:59 Test: checking presence systemctl binary
2022-08-14 22:57:59 Result: systemctl binary found, trying that to discover information
2022-08-14 22:57:59 Searching for running services (systemctl services only)
(...)
2022-08-14 22:57:59 Found running service: mdatp
(...)
2022-08-14 22:57:59 Hint: Run systemctl --full --type=service to see all services
2022-08-14 22:57:59 Result: Found 15 running services
2022-08-14 22:57:59 Searching for enabled services (systemctl services only)
(...)
2022-08-14 22:58:00 Found enabled service at boot: mdatp
2022-08-14 22:58:00 Found enabled service at boot: mde_netfilter
(...)
2022-08-14 22:58:00 Hint: Run systemctl list-unit-files --type=service to see all services
2022-08-14 22:58:00 Result: Found 16 enabled services
2022-08-14 22:58:00 ====
(...)
2022-08-14 22:58:55 ====
2022-08-14 22:58:55 Action: Performing tests from category: Software: Malware
2022-08-14 22:58:55 ====
2022-08-14 22:58:55 Performing test ID MALW-3274 (Check for McAfee VirusScan Command Line)
2022-08-14 22:58:55 Test: checking presence McAfee VirusScan for Command Line
2022-08-14 22:58:55 Result: McAfee VirusScan for Command Line not found
2022-08-14 22:58:55 ====
2022-08-14 22:58:55 Performing test ID MALW-3275 (Check for chkrootkit)
2022-08-14 22:58:55 Test: checking presence chkrootkit
2022-08-14 22:58:55 Result: chkrootkit not found
2022-08-14 22:58:55 ====
2022-08-14 22:58:55 Performing test ID MALW-3276 (Check for Rootkit Hunter)
2022-08-14 22:58:55 Test: checking presence Rootkit Hunter
2022-08-14 22:58:55 Result: Rootkit Hunter not found
2022-08-14 22:58:55 ====
2022-08-14 22:58:55 Performing test ID MALW-3278 (Check for LMD)
2022-08-14 22:58:55 Test: checking presence LMD
2022-08-14 22:58:55 Result: LMD not found
2022-08-14 22:58:55 ====
2022-08-14 22:58:56 Performing test ID MALW-3280 (Check if anti-virus tool is installed)
2022-08-14 22:58:56 Test: checking process com.avast.daemon
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'com.avast.daemon' not found
2022-08-14 22:58:56 Test: checking process Avira daemon
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'avqmd' not found
2022-08-14 22:58:56 Test: checking process epagd
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'bdagentd' not found
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'epagd' not found
2022-08-14 22:58:56 Test: checking process falcon-sensor (CrowdStrike)
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'falcon-sensor' not found
2022-08-14 22:58:56 Test: checking process CylanceSvc
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'CylanceSvc' not found
2022-08-14 22:58:56 Test: checking process esets_daemon
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'esets_daemon' not found
2022-08-14 22:58:56 Test: checking process wdserver or klnagent (Kaspersky)
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'klnagent' not found
2022-08-14 22:58:56 Test: checking process cma or cmdagent (McAfee)
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'cmdagent' not found
2022-08-14 22:58:56 Test: checking process savscand
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'savscand' not found
2022-08-14 22:58:56 Test: checking process SophosScanD
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'SophosScanD' not found
2022-08-14 22:58:56 Test: checking process rtvscand
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'rtvscand' not found
2022-08-14 22:58:56 Test: checking process Symantec management client service
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'smcd' not found
2022-08-14 22:58:56 Test: checking process Symantec Endpoint Protection configuration service
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'symcfgd' not found
2022-08-14 22:58:56 Test: checking process synoavd
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'synoavd' not found
2022-08-14 22:58:56 Test: checking process ds_agent to test for Trend Micro Deep Anti Malware component
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'ds_am' not found
2022-08-14 22:58:56 Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'TmccMac' not found
2022-08-14 22:58:56 Result: no commercial anti-virus tools found
2022-08-14 22:58:56 Hardening: assigned partial number of hardening points (0 of 3). Currently having 244 points (out of 292)
2022-08-14 22:58:56 ====
2022-08-14 22:58:56 Performing test ID MALW-3282 (Check for clamscan)
2022-08-14 22:58:56 Test: checking presence clamscan
2022-08-14 22:58:56 Result: clamscan couldn't be found
2022-08-14 22:58:56 ====
2022-08-14 22:58:56 Performing test ID MALW-3284 (Check for clamd)
2022-08-14 22:58:56 Test: checking running ClamAV daemon (clamd)
2022-08-14 22:58:56 Performing pgrep scan without uid
2022-08-14 22:58:56 IsRunning: process 'clamd' not found
2022-08-14 22:58:56 Result: clamd not running
2022-08-14 22:58:56 ====
2022-08-14 22:58:56 Skipped test MALW-3286 (Check for freshclam)
2022-08-14 22:58:56 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-08-14 22:58:56 ====
2022-08-14 22:58:56 Skipped test MALW-3288 (Check for ClamXav)
2022-08-14 22:58:56 Reason to skip: Prerequisites not met (ie missing tool, other type of Linux distribution)
2022-08-14 22:58:56 ====
2022-08-14 22:58:56 Performing test ID MALW-3290 (Presence of for malware detection)
2022-08-14 22:58:56 Security check: file is normal
2022-08-14 22:58:56 Checking permissions of /usr/share/lynis/include/tests_file_permissions
2022-08-14 22:58:56 File permissions are OK
2022-08-14 22:58:56 ====
(...)
2022-08-14 22:59:00 ====
2022-08-14 22:59:00 Performing test ID HRDN-7230 (Check for malware scanner)
2022-08-14 22:59:00 Test: Check if a malware scanner is installed
2022-08-14 22:59:00 Result: no malware scanner found
2022-08-14 22:59:00 Suggestion: Harden the system by installing at least one malware scanner, to perform periodic file system scans [test:HRDN-7230] [details:-] [solution:Install a tool like rkhunter, chkrootkit, OSSEC]
2022-08-14 22:59:00 Hardening: assigned partial number of hardening points (1 of 3). Currently having 285 points (out of 344)
2022-08-14 22:59:00 Result: no malware scanner found
2022-08-14 22:59:00 ====
(...)

Additional context

root@REDACTED:/# which mdatp
/usr/bin/mdatp
root@REDACTED:/# service mdatp status
● mdatp.service - Microsoft Defender
     Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-08-03 00:40:19 CEST; 1 weeks 4 days ago
   Main PID: 171799 (wdavdaemon)
      Tasks: 180 (limit: 14258)
     Memory: 574.2M
        CPU: 1h 41min 12.294s
     CGroup: /system.slice/mdatp.service
             ├─171799 /opt/microsoft/mdatp/sbin/wdavdaemon
             ├─171806 /opt/microsoft/mdatp/sbin/crashpad_handler --database=/var/opt/microsoft/mdatp/crash --metrics-dir=/var/opt/microsoft/mdatp/crash --annotation=glibc version=2.31 --annotation=os distribution name=debian --an>
             ├─171843 /opt/microsoft/mdatp/sbin/wdavdaemon edr 11 10 3 --log_level info
             ├─171893 /opt/microsoft/mdatp/sbin/telemetryd_v2 31"
             └─376899 /opt/microsoft/mdatp/sbin/wdavdaemon unprivileged_v2 52 43 3 --log_level info

Vilican (Aug 14 '22 21:08)
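The log above shows why the agent is missed: the binary scan (CORE-1000) and the service scan (BOOT-5177) both see `mdatp`, but MALW-3280 decides by process name, and the `systemctl` status shows the main process of `mdatp.service` is `wdavdaemon`, not `mdatp`. The following is an added illustration, not Lynis code and not the pull request referenced in the thread: a MALW-3280-style "is this daemon running?" check driven by a constructed process table instead of a live `pgrep`, so it runs offline. The helper names (`is_running`, `detect_av`, `SAMPLE_PROCS`) and the small product table are assumptions for the example; the `wdavdaemon` name comes from the status output in the issue, the other daemon names from the Lynis log.

```shell
#!/bin/sh
# Added example (not Lynis code): process-name based anti-virus detection
# in the spirit of MALW-3280, driven by a constructed process table.

# Constructed stand-in for `ps -eo comm` output on the reporter's host:
# the systemd unit is mdatp.service, but its main process is wdavdaemon.
SAMPLE_PROCS="systemd
sshd
wdavdaemon
crashpad_handler
telemetryd_v2
nginx"

# is_running NAME TABLE: success if NAME is a whole line of TABLE
# (exact match, as pgrep -x would do; a substring match would be too loose).
is_running() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# detect_av TABLE: print the products whose daemon appears in TABLE, one per
# line; return 1 when none match (the "no commercial anti-virus tools found"
# outcome in the log above).
detect_av() {
    _table=$1
    _hits=""
    # product=process pairs (hypothetical table for this example)
    for _entry in \
        "Microsoft Defender ATP=wdavdaemon" \
        "CrowdStrike Falcon=falcon-sensor" \
        "ClamAV=clamd"
    do
        _proc=${_entry#*=}
        _name=${_entry%%=*}
        if is_running "$_proc" "$_table"; then
            _hits="${_hits}${_name}
"
        fi
    done
    [ -n "$_hits" ] || return 1
    printf '%s' "$_hits"
}

# Stand-alone run: keying on the service name misses the agent,
# keying on the daemon name finds it.
if is_running mdatp "$SAMPLE_PROCS"; then
    echo "mdatp: running"
else
    echo "mdatp: not found as a process (that is the unit name, not the daemon)"
fi
detect_av "$SAMPLE_PROCS" || echo "no anti-virus daemon found"
```

The takeaway for a check like MALW-3280 is that the daemon name, not the package, binary or unit name, is what a `pgrep`-style probe has to look for; for this agent that is `wdavdaemon`, which the `systemctl` output in the issue shows as the main PID.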

@Vilican I added pull request 1384 in order to fix this: https://github.com/CISOfy/lynis/pull/1384. If you could comment on it I would very much appreciate it.

xnoguer (Apr 18 '23 21:04)

As of Lynis 3.1.1, MDATP is still unrecognized.

GuizmoPhil (Mar 21 '24 21:03)