Port scanners provide a first step toward detecting and discovering the services and network applications listening on your network. When you’re faced with an unknown computer, programs such as the free Foundstone SuperScan 4.0 and the open-source port scanner Nmap (http://insecure.org) show you not only whether the typically used HTTP port TCP 80 is open, but also the response, or banner, of the listening application. I’m a huge fan of Nmap and not just because of its scanning features: I like that Nmap runs from the command line and that its results come in a variety of formats, making the tool easy to incorporate into other scripts. Nmap is a great tool to integrate with all kinds of network-centric audits. I’ll look at how to leverage Nmap to quickly determine whether antivirus software is installed on the computers within a subnet.

Antivirus software is an essential foundation of any enterprise security program, whether installed at perimeter gateways, mail gateways, or mail servers. I’ll focus on antivirus software installed on your client computers—the workstations and laptops your employees use every day. These systems are a first line of defense, especially laptops that employees use at home or at a hotspot to connect to networks outside your own.

Most enterprise antivirus software products include an administrative console to help manage the networked application as well as the alerts that clients generate. But the console might offer only limited support for ensuring that every workstation has an antivirus client installed. Some products include support for logon scripts, Web-based installation points, Active Directory (AD), or installers based on Network Neighborhood. However, if you manage a cross-domain environment or need to check computers that aren’t installed in your primary domain, the automated tools to discover missing clients might not work.

That’s where Nmap comes in. Because most enterprise antivirus clients listen on a network port to receive instructions from the master (i.e., parent) server, you can use Nmap’s port-scanning capabilities—in addition to your knowledge about your antivirus client—to scan an entire subnet to find every device that’s not running antivirus software. Be aware, however, that this type of audit doesn’t determine whether a device’s antivirus software is properly configured (e.g., are signature definitions up-to-date?). But the audit will tell you which clients probably need additional investigation.

First, some caveats. You’ll be using a generic port scanner to scan a subnet for useful information—in this case, whether an antivirus client is listening. This approach works well with solutions such as Symantec Antivirus Corporate or Enterprise edition but might not work for every antivirus solution, especially those designed for home use that might not actually listen on a particular port. Also, if you run a host-based firewall, your clients might block some of the scanning probes that Nmap uses. Finally, you’ll need to differentiate network devices, such as switches and routers, and computers running Linux or Mac OS X from your subnet scans because they’ll show up as not having the antivirus installed.

Port scanners come in various shapes and sizes—from feature-packed GUI-based scanners to basic command-line scanners. Nmap provides robust input and output parameters, extending its functionality beyond simply identifying the ports open on an unknown server. And its flexible output makes it an ideal candidate for inclusion in your other scripts.