For years, viruses have remained a persistent threat to enterprises of all sizes. Accidentally clicking on a fake link is all it takes to infect your network with malware or a virus. Knowing how to perform a network virus scan is essential for identifying the latest cyber threats and avoiding downtime.
The cost of downtime can be devastating: the infamous MyDoom virus is estimated to have cost $38 billion over 15 years, making it the highest-profile virus to date.
With the emergence of network viruses that spread through network traffic, administrators have to be even more proactive at detecting threats.
What is a ‘network virus’ and how is it different from a normal virus?
A network virus is a type of malware that can replicate itself across multiple computers through network packets. Network viruses are different from traditional viruses because they don’t rely on files in order to spread but self-replicate across hosts and spread through executable code or a document.
For most viruses, administrators can deploy an antivirus solution that runs manual or automated scans to detect when a device is compromised. Once a virus is detected the user can quarantine the files and remediate the outbreak. Unfortunately, the process is a little more complex when dealing with a network virus.
As network viruses spread through network packets, traditional antivirus solutions can’t detect them. Such viruses are very difficult to get rid of and commonly re-infect devices. The side effects of a successful attack range from poor network performance to data theft, compromised device performance, and downtime.
From a network administrator’s perspective, network viruses require a different type of security strategy than traditional viruses. To detect a network virus, a network administrator needs to scan network traffic with a packet sniffer or intrusion detection tool and look for malicious packets and other suspicious activity.
How to scan for malicious traffic with a packet sniffer (Wireshark)
Wireshark is a packet sniffing tool available for Windows, macOS, and Linux that you can use to scan your network for malicious traffic. With Wireshark you can sniff traffic to identify infected files, helping you to find the root cause of a virus outbreak. Before running a capture you can select the type of interface you want to monitor.
To start capturing packets in your network, double click on the Wi-Fi option under the Capture heading. The software will start to collect packets in real-time displaying information such as Time, Source, Destination, Protocol, and other Info. You can stop capturing packets by pressing the red Stop icon in the top left corner of the screen.
To make sense of the information you capture, you’ll want to use packet filtering. Packet filters limit the output information based on the type of filter you apply. You can apply filters by using the filter box/search bar at the top of the screen.
Filtering packets is useful for identifying malicious packets, as you can search for packets coming to and from an IP address or filter all traffic by a certain type. For example, to see packets coming from an IP address you can use the following filter (replace the address with the one whose outgoing packets you want to see; 192.168.53.1 is only an example address here):
ip.src == 192.168.53.1
Alternatively, if you want to filter packets that are going to an IP address you can use the following filter:
ip.dst == 192.168.53.1
You can also combine the two filters if you want to view traffic traveling to and from the IP address:
ip.src == 192.168.53.1 or ip.dst == 192.168.53.1
If you want to filter by packet type, enter the protocol name into the filter bar: entering dns, for example, shows only DNS traffic, and you can do the same with another protocol such as dhcp, icmp, or tcp.
Filtering IP addresses in this manner allows you to monitor the conversations taking place between particular machines, so if you suspect that a computer is infected, you can take a closer look at its traffic. It’s a good idea to regularly inspect hosts generating the greatest traffic volume, as this can indicate the host is infected with malware and is attempting to spread it to other machines.
Another key issue to look out for is if traffic is sent to and from unusual locations or if a host starts to send an unusually high amount of traffic. The only way to identify this abnormal activity is to take a baseline capture of your normal network activity so you can see anomalous behavior more clearly.
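The baseline comparison described above, as an added example that is not part of the original post: it takes two sets of packet summaries with the columns Wireshark displays (Time, Source, Destination, Protocol, Length), computes per-host traffic volume, and flags hosts that exceed their baseline volume or talk to destinations never seen in the baseline. The packet rows are constructed sample data, and the alert threshold ratio is an assumption.

```python
from collections import defaultdict

# Constructed packet summaries, shaped like Wireshark's packet list columns
# (Time, Source, Destination, Protocol, Length). Not a real capture.
BASELINE = [
    (0.0, "10.0.0.5", "10.0.0.1", "DNS", 80),
    (0.4, "10.0.0.5", "203.0.113.10", "TCP", 1500),
    (1.1, "10.0.0.7", "10.0.0.1", "DNS", 82),
    (1.5, "10.0.0.7", "203.0.113.10", "TCP", 900),
    (2.0, "10.0.0.9", "10.0.0.1", "DNS", 78),
]
CURRENT = [
    (0.0, "10.0.0.5", "10.0.0.1", "DNS", 80),
    (0.2, "10.0.0.5", "203.0.113.10", "TCP", 1400),
    (0.5, "10.0.0.7", "10.0.0.1", "DNS", 82),
    (0.6, "10.0.0.7", "10.0.0.9", "TCP", 1500),   # 10.0.0.7 now fans out to
    (0.7, "10.0.0.7", "10.0.0.11", "TCP", 1500),  # internal hosts and an
    (0.8, "10.0.0.7", "10.0.0.12", "TCP", 1500),  # external address it never
    (0.9, "10.0.0.7", "10.0.0.13", "TCP", 1500),  # contacted in the baseline
    (1.0, "10.0.0.7", "198.51.100.20", "TCP", 1500),
]

def bytes_by_source(packets):
    """Total bytes sent per source host: the 'top talkers' view."""
    totals = defaultdict(int)
    for _, src, _, _, length in packets:
        totals[src] += length
    return dict(totals)

def host_filter(ip):
    """Wireshark display filter for all traffic to or from one host."""
    return f"ip.src == {ip} or ip.dst == {ip}"

def find_anomalies(baseline, current, ratio=3.0):
    """Flag hosts whose volume exceeds ratio x baseline (hosts absent from the
    baseline are flagged on any traffic) and hosts with new destinations."""
    base = bytes_by_source(baseline)
    now = bytes_by_source(current)
    known_pairs = {(s, d) for _, s, d, _, _ in baseline}
    alerts = []
    for host, sent in sorted(now.items()):
        if sent > ratio * base.get(host, 0):
            alerts.append(f"{host}: volume {sent}B exceeds baseline {base.get(host, 0)}B")
        new_dsts = sorted({d for _, s, d, _, _ in current
                           if s == host and (s, d) not in known_pairs})
        if new_dsts:
            alerts.append(f"{host}: new destinations {', '.join(new_dsts)}"
                          f" (inspect with: {host_filter(host)})")
    return alerts
```

Each alert names the host and the display filter to paste into Wireshark to inspect that host's conversations.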
For an in depth tutorial on Wireshark see our How to use the Wireshark Network Protocol Analyzer post.
Why scan for malware and malicious traffic with a packet sniffer?
Running a standard virus scan with an antivirus will enable you to detect malicious entities like viruses and malware that have infected your device. The traffic that enters your network is a key entry point to your network, and monitoring that entry point will enable you to respond quickly when a threat breaches your defenses.
Packet sniffers are an important tool because many antiviruses struggle to detect network viruses that replicate across multiple hosts. Tools like Wireshark and Snort give you the ability to pinpoint strange connections across your network so that you can investigate and address any underlying threat.
By combining continuous packet sniffing with traditional antivirus virus scanning you can protect your network more comprehensively, and defend against a broader range of threats. In other words, combining the two significantly reduces your exposure to online threats.
Using an IDS to detect malware
An Intrusion Detection System (IDS) is a type of software that can detect attempts to break into your network. IDS tools can detect intrusion attempts, like malware, viruses, trojans, or worms, and notify you when an attack takes place. Examples of IDS solutions you can use to monitor for threats include Snort and Nmap.
IDSs are useful because they can detect the early signs of a cyber attack. For example, before launching an attack on a network, many hackers will run a port scan to look for vulnerabilities. With a tool like Snort, you can detect port scanning, which gives you a heads up before any damage is done to your network.
IDS solutions use signature-based and anomaly-based detection methods to detect attacks. A signature-based IDS searches for malicious patterns in traffic based on known attacks and an anomaly-based IDS uses machine learning to detect abnormal behavior and flag it up to the user.
Out of the two methods, anomaly-based IDS solutions are more effective at scanning networks for unknown viruses and malware. Signature-based tools need to be regularly updated to stay effective and struggle against unknown zero-day attacks.
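The two detection methods side by side, as an added example that is not part of the original post: a signature check that matches known byte patterns in packet payloads, and an anomaly check that raises an alert when one source touches many distinct ports on a host within a short window (the port-scan case mentioned above). The packet records, the signature pattern, and the window and threshold values are all constructed assumptions, not Snort rules or real traffic; the scanning host carries no known signature, so only the anomaly check catches it.

```python
from collections import defaultdict

# Constructed packet records: (time, src, dst, dst_port, payload). Not a real capture.
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1"),
    (0.1, "10.0.0.7", "10.0.0.20", 21, b""),    # 10.0.0.7 probes seven ports
    (0.2, "10.0.0.7", "10.0.0.20", 22, b""),    # on one host in under a second
    (0.3, "10.0.0.7", "10.0.0.20", 23, b""),
    (0.4, "10.0.0.7", "10.0.0.20", 25, b""),
    (0.5, "10.0.0.7", "10.0.0.20", 80, b""),
    (0.6, "10.0.0.7", "10.0.0.20", 443, b""),
    (0.7, "10.0.0.7", "10.0.0.20", 445, b""),
    (1.0, "10.0.0.9", "10.0.0.20", 80, b"POST /upload HTTP/1.1\r\nX-Agent: SAMPLE-BEACON-42"),
]

# Constructed signature list; a real IDS loads these from a vendor rule feed.
SIGNATURES = {"Constructed beacon marker": b"SAMPLE-BEACON-42"}

def signature_alerts(packets, signatures=SIGNATURES):
    """Signature-based detection: alert on payloads containing a known pattern."""
    return [(t, src, name)
            for t, src, _, _, payload in packets
            for name, pattern in signatures.items()
            if pattern in payload]

def portscan_alerts(packets, window=1.0, threshold=5):
    """Anomaly-based detection: alert when one source contacts at least
    `threshold` distinct ports on the same host within `window` seconds."""
    history = defaultdict(list)   # (src, dst) -> [(time, port), ...]
    alerts = []
    for t, src, dst, port, _ in packets:
        history[(src, dst)].append((t, port))
        recent = {p for ts, p in history[(src, dst)] if t - ts <= window}
        if len(recent) >= threshold:
            alerts.append((t, src, f"port scan of {dst}: {len(recent)} ports in {window}s"))
            history[(src, dst)].clear()   # reset so one scan yields one alert
    return alerts
```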
Packet sniffer or IDS for detecting malware?
Both packet sniffers and IDSs are useful for detecting malicious activity taking place on the network and are very similar. The key difference between the two is that an IDS is a packet sniffer with anomaly detection, which can identify malicious traffic patterns and send alerts to notify the user.
For example, with Snort, you can create traffic rules to detect malicious code. In contrast, packet sniffing tools like Wireshark don’t have an alerts function and you have to identify suspicious activity manually by collecting and filtering packets.
While IDSs are superior at automating threat detection and response, packet sniffers remain useful for identifying and investigating malicious traffic patterns. In short, both Wireshark and Snort are viable solutions for detecting malicious traffic and protecting your network against attackers.
Best packet sniffing software
If you want to search for other packet sniffing tools to monitor your network, then there are plenty of tools to choose from. We’ve listed some of the top free and paid alternatives to Wireshark below:
SolarWinds Network Performance Monitor is a paid network monitoring tool that comes with a Network Packet Sniffer that you can use to monitor network traffic in real-time through the dashboard. Through the dashboard, you can monitor data and transaction volume by application, and identify bandwidth hogs quickly. It is available on Windows. You can download a 30-day free trial.
Paessler PRTG Network Monitor is a free network monitoring tool that you can use to monitor IP, UDP, and TCP traffic. With the packet sniffer sensor you can monitor IRC, AIM, Citrix, FTP, P2P, DHCP, DNS, ICMP, SNMP, IMAP, POP3, SMTP, NetBIOS, RDP, SSH, VNC, HTTP, HTTPS, and more. It is available for Windows and Mac. You can download the software for free.
ManageEngine NetFlow Analyzer is a paid packet collection tool you can use to monitor network bandwidth consumption. With ManageEngine NetFlow Analyzer you can monitor interface bandwidth and traffic patterns in real-time. Through the Advanced Security Analytics Module, you can view all security events alongside an anomaly count. It is available on Windows and Linux. You can download the free trial.
See our related post on the Best Packet Sniffer.
Best Intrusion Detection Systems
You can read more about IDS services and how they work in Intrusion Detection Systems Explained: Best IDS Software Tools Reviewed. If you haven’t got time to read that report, here is a quick rundown of the three best intrusion detection systems.
1. SolarWinds Security Event Manager
SolarWinds Security Event Manager (SEM) is a host-based intrusion detection system, but you can easily give it network-based intrusion detection capabilities by feeding it the network security monitoring output of Snort. This is an on-premises package that runs on Windows Server. It will process log messages generated by Unix, Linux, and macOS computers as well as Windows. Try the tool on a 30-day free trial.
2. CrowdStrike Falcon
CrowdStrike Falcon is a cloud-based platform of security tools that work off reports sent up to the cloud server from the one site-based product in the family, Falcon Prevent. The Falcon Prevent service is an endpoint protection system that operates an antimalware and intrusion detection service by looking for anomalous behavior. All malicious activity comes in from the network and so the reports from this tool also give you an insight into network viruses. CrowdStrike offers Falcon Prevent on a 15-day free trial.
3. ManageEngine EventLog Analyzer
ManageEngine EventLog Analyzer is an on-premises package that gathers log data from around the network and analyzes it for signs of intrusion and virus activity. The systems that contribute to the IDS’s data sources include switches, routers, and firewalls, and that gives it input on malicious network activity. The tool installs on Windows Server or Linux and you can get it on a 30-day free trial that has a limit of 2,000 log message sources.
Network virus scanning best practices
Scanning for traditional and network viruses is vital for protecting your infrastructure and preventing malware outbreaks. Being aware of the risks and proactively scanning will give you the best chance of defending yourself against the next generation of online threats. However, there are some best practices you’ll want to bear in mind:
1. Backup your files!
Backing up your files regularly is disaster recovery 101, both for protection against viruses and against other issues like system failures or natural disasters. Backing up on a regular schedule ensures that your data is protected even if you encounter a persistent virus.
2. Turn off your internet connection
If you find out a device is compromised, one of the first things you should do is turn off your internet. Cutting off the device will stop the compromised system from communicating with external entities so that you can contain the problem and work on restoring the system more effectively.
3. Schedule Regular Scans
Scheduling regular scans is essential for making sure that you continually discover new threats. One-off scans can be good for diagnosing current problems, but you’ll miss any security events that take place after you stop scanning. Scanning regularly will ensure your devices stay secure.
4. Make Sure to Follow Up!
Once you’ve run a scan, you’ll need to make sure that you’ve done everything needed to eradicate the threat. Many scanning tools will generate reports that give you information on how to deal with infected files, so following these instructions is a good way to make sure that you implement the necessary changes to protect your system.
Perform a network virus scan to protect important endpoints
While antivirus solutions can’t protect you against every online threat they play an important part in securing your endpoints against some of the most common threats online. Network scanning is a simple way to minimize your exposure to online threats.
Remember to schedule regular scans to make sure that you stay up to date on security risks. Should you find that a system is compromised, cut off the internet, and quarantine the offending software so that you have time to remediate the issue. You also want to make sure that the virus isn’t hiding in your backup files before rebooting the system.
Network Virus Scan FAQs
What is a network virus?
By definition, a "network virus" is a type of fileless malware that moves from computer to computer without saving files on any device, going straight into the operating system. Without a file to scan for, these viruses are very difficult to detect because they can only be spotted as network packets and running processes. However, when people refer to a “network virus scan” they often actually mean a scan that reaches across the network to scan each connected device.
How do you scan a network for a virus?
Scanning network traffic for viruses rather than scanning each endpoint connected to the network involves examining packets that travel around the network. The best security software category for this job is a network-based intrusion detection system (NIDS). This scans packets for known contents that indicate anomalous behavior. NIDS services can spot unauthorized user activity as well as network-bound viruses.