Penetration Testing mailing list archives
RE: MBSA scanner
From: Igor Filippov <igor () osc edu>
Date: Thu, 22 Apr 2004 09:57:53 -0400 (EDT)
I'd like to add my two cents to the discussion - so far it's been quite interesting to find out about other folks experience with different scanners/assesment tools. Please note that I don't claim to be a security professional, nor do I mean to offend any of the software authors - you guys are doing a wonderful job, all of you, just sometimes maybe not exactly what an average system administrator like myself is looking for.. On the same note if I didn't find some of the functionality I was looking for that probably speaks more about my lack of imagination rather than any particular attempt on the author's part to hide it. Ok, disclaimer aside here are my personal experiences: Sara (many things also apply to Nessus): Good: - It's free - It runs on Linux - It doesn't require admin privileges on the remote hosts, nor any access rights at all - Scans many different platforms, not just windows Not So Good: - It's not obvious how up to date it's database of exploits is, nor how to update it. For example, I haven't seen any indication that it checks for enabled DCOM on windows hosts (it was last fall). - It's quite slow - can take a good portion of a day to do a C-class domain - It's rather garrulous - whatever daylight time's left of the workday after the scan you'll probably spend reading through the output. - It does seem to give a lot of false alarms MBSA (most apply also to HFNetChk): Good: - It's free - It's up to date (or at least as up to date as the vendor in question is :) ); and it's also visible when it's trying to update its database. - It's reasonably fast and the output is mostly "get-to-the-point" style which I like. Not so good: - It requires admin privileges on remote hosts and there's no way to supply them - you have to be the same guy on local and remote hosts - It seems to check mostly whether or not patches have been installed, which is not quite the same as whether on not the host is vulnerable - There doesn't seem to be an easy way to remotely install necessary patches - There seem to be quite a few false (or not-so-urgent) alarms - i.e. getting a red flag on user's IE zone configuration when the user in question is long disabled. Languard: Good: - It's fairly cheap (cheaper than any of the non-free scanners) - Vulnerability database is up-to-date and it's possible to force an update download. - It's reasonably fast and the output is not very lengthy - While it requires admin access to remote hosts it's possible to supply it with credentials, so that you don't have to log in locally on the same account - Provides a way to install patches on remote hosts (disabled in evaluation version, so I couldn't check this one) Not so good: - Seems to check more for the presence of patches, rather than vulnerabilities. - Navigating through output can sometimes be puzzling (in evaluation version at least) and it might take some learning to get all the "right-click here, then left-click there" combinations and what the error messages mean - e.g. in my case, when evaluation version didn't want to deploy patches it complained "no hosts selected" even when all of them were selected, took me a while to realise that it's their way of saying "only full version can do that". Retina: Good: - It doesn't require remote admin access - It's fast - It checks for vulnerabilities not patches installed - eEye seems to be very much on top of things at least as far as windows systems are concerned and vulnerability database is probably as up-to-date as it gets. Not so good: - Evaluation version scans only one ip at a time, and as such is useless. I have a lot of praise for their RPC DCOM and Messenger free scanners - It's not free, and while it's not as expensive as some, I wish they had more different licensing options as it might be hard for a non-profit organization to come up with a few $K for a security scanner that the bosses don't realise they need at all anyway. - Doesn't seem to be a way to deploy patches (in evaluation/free versions). TenableNewt: The install failed. It might have something to do with the fact that I tried to install it on a terminal server. Maybe I'll try again later. Maybe. Netskowt: To get an evaluation version first you have to register on their website, then they sent you an email with the download link, then you install the product and find out that you still have to apply for evaluation license. (It doesn't work at all in the form it's downloaded). I got a reply for my request for evaluation license this morning - I need to supply the ip address of the host where the scanner is going to be installed. A reasonable request, but why they didn't tell you that to begin with ? All-in-all if I knew it's going to be such a bureaucratic drag, I probably wouldn't have bothered. I would love to hear what other people might add/change/challenge to that list. Best regards, Igor On Wed, 21 Apr 2004, Gibson, Eric wrote:
We just finished a long comparative evaluation of Eeye, Foundstone, Tenable, Nessus and ISS. After much consideration we concluded that Foundstone fit our needs best, while still using Nessus for bulk scans. We used to use ISS but switched because the product has not kept up with others. Nessus is still a great scanner, and you cannot beat the price. I am surprised that FoundStone has not come up in the recommendations so far. Eric Gibson -----Original Message----- From: Peter Wood [mailto:peterw () firstbase co uk] Sent: Tuesday, April 20, 2004 7:00 AM To: pen-test () securityfocus com Subject: [BULK] - RE: MBSA scanner We have also moved our allegience to eEye Retina from ISS. It works very well and is the best commercial scanner we've used. We also use Core Impact for real exploits, which is a great tool IMHO. Pete At 15:58 19/04/2004 -0500, Steve Goldsby \(ICS\) wrote: >We've moved all our business from ISS Scanner to Retina. > >Nessus is still the favorite for cost effictive, high coverage scanning, >but for a commercial product that seems to gain favor with enterprise >clients, eEye is the way to go. > > >Steve Goldsby >www.networkarmor.com > > >-----Original Message----- >From: Nick Duda [mailto:nduda () VistaPrint com] >Sent: Monday, April 19, 2004 1:30 PM >To: e247net; pen-test () securityfocus com >Subject: RE: MBSA scanner > >eEye Retina is great. Quick on the updates also. > >- Nick > >-----Original Message----- >From: e247net [mailto:e247net () hotmail com] >Sent: Saturday, April 17, 2004 4:34 AM >To: pen-test () securityfocus com >Subject: MBSA scanner > >Hi all > >Microsoft baseline scanner cannot work since all the default shares are >disable. >Isn't this be the case for a secure LAN ? Anyway, plse suggest any >alternatives open source tools for conducting vulnerability test in a >LAN typical windows machines. >Thanks > >I have on hand now using nessus, but would like to have another tool. > >Best Regards, > ------------------------------------------------------------------------ -------------------------------------------------------- Peter Wood FBCS CITP MIMIS MIEEE Chief of Operations First Base Technologies +44 (0)1273 454525 www.fbtechies.co.uk www.white-hats.co.uk ------------------------------------------------------------------------ ------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ------- ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- RE: MBSA scanner, (continued)
- RE: MBSA scanner Chuck Herrin (Apr 19)
- Re: MBSA scanner mike (Apr 19)
- RE: MBSA scanner Nick Duda (Apr 19)
- RE: MBSA scanner Steve Goldsby (ICS) (Apr 19)
- RE: MBSA scanner Peter Wood (Apr 20)
- RE: MBSA scanner Swift Lad (Apr 21)
- RE: MBSA scanner Robert Mehler (Apr 21)
- RE: MBSA scanner Ben Nagy (Apr 22)
- RE: MBSA scanner Robert Mehler (Apr 21)
- RE: MBSA scanner Gibson, Eric (Apr 21)
- Re: MBSA scanner Shawn Edwards (Apr 22)
- RE: MBSA scanner Igor Filippov (Apr 22)
- Re: MBSA scanner Matt Wagenknecht (Apr 22)
- RE: MBSA scanner Jeremiah Cornelius (Apr 22)
- RE: MBSA scanner ELLIS, STEVEN (Apr 22)
- RE: MBSA scanner Altheide, Cory B. (IARC) (Apr 22)
- Re: MBSA scanner nom.de.guerre (Apr 22)
- RE: MBSA scanner Gibson, Eric (Apr 22)