As somebody who”s been researching and writing about malware since 2003, I”ve come to recognize Danish information security firm Secunia as a reliable source of good intelligence about what”s happening on the threat landscape. When a malware alert, proof of concept exploit, or news story shows up with their name on it, I will invariably pay attention. That”s why I was very interested to read in a a recent issue of PCWorld (November 11, 2008) about the Secunia PSI vulnerability scanner.
This tool comes in the form of a free download from the Secunia Web site: it”s known as version 188.8.131.52 (Final version released 11/25/2008; 520.3 KB). It”s available in English, German, and Danish, and enjoyed a beta test population of nearly 800,000 (the final release occurred the day after I first posted this blog, in fact, and the official user base is now over 800K).
Secunia PSI takes a very interesting approach to performing a vulnerability assessment on Windows PCs (it works with Windows XP SP2 or later, Windows Server 2003, Windows Vista, and Windows 2000 SP4–and though the site doesn”t say, I”m guessing it also works with Windows Server 2008 as well). Users must also have the latest version of the Windows Update Agent (WUA) installed for this program to work, and run PSI with administrative privileges. Secunia looks at two aspects of the runtime environment in which it finds itself:
- The Windows operating system, including updates and patches applied or missing
- Applications installed on Windows, also including updates and patches
The scanning process involves
- Downloading new search rules from the Secunia Website (makes sure they”re always current)
- Searching files on all accessible local storage volumes (hard disks, USB drives, Flash drives, and so forth locally attached to the target machine)
- Collecting information from those files and the operating system
- Looking for Microsoft Update status (with particular emphasis on Security Updates)
- Comparing data found with Secunia”s File Signatures database (which makes the process surprisingly fast: I”ve got over 160 GB of files scattered across 4 drives on my Vista system, with over 150,000 individual entries, and the scan completes in 56 seconds on my QX9650 4GB RAM Vista Ultimate production desktop).
In performing its analysis: PSI rates programs and OS components into three categories
- Insecure: programs for which known security updates are available, and which are not current. Secunia recommends updating or uninstalling any programs that show up under this heading.
- End-of-life: programs found that the vendor no long supports, so no patches or alerts for same will be forthcoming. Secunia recommends updating or uninstalling any programs that show up under this heading as well.
- Patched: Up-to-date programs for which no further or newer updates or patches are currently available. The cool thing about this listing is that you can use it to access pointers to updates, access a solution Wizard, jump into online references, obtain technical details, and dig into detailed maintenance right from a single dashboard.
Patched Programs shows all patched/current programs, and indicates which have been protected against known threats
(7-Zip 4.x in this screenshot) and the level of such threat.
After I installed this program on my production machine, I discovered that all kinds of programs were still hanging around on my old system drive that were old enough to pose potential threats on my system. This provoked a wash of system clean-up activity, forced me to learn how to use Linux to remove protected files from a Vista system disk, and helped me recover about 40GB of space on a former system drive. It took me about four days to get to everything, but I started out with over a dozen insecure entries (no end-of-life stuff, thank goodness) and had to learn a few things to make some of them go away.
What”s really neat about PSI is that Secunia updates its scanning database at least once a week (sometimes two and even three times in a week). It runs each time you reboot your machine by default and reloads its rules base at that time, so you”re bound to get reminders to take care of patches and fixes when that happens. You can also sign up for email alerts that let you know each time the Secunia rules base is updated. Very handy, highly recommended. The only weakness that I can see is that Secunia pays attention to all files it finds and doesn”t distinguish archives or inactive system drives from current, active ones. If anything, this makes PSI err on the side of caution, which is always the best direction to err when it comes to security stuff.