Penetration Testing mailing list archives

Re: Why eEye Retina (was MBSA scanner)


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Mon, 19 Jul 2004 13:31:50 -0400

On Wed, 2004-07-14 at 15:23, Rainer Duffner wrote:

> Vulnerability Manager Service, which identifies the version, patch and
> hot fix level of technologies running on an asset.

I think this is the portion of the process that you really have to look
at closely. How are patches being identified? Is it just checking the Q
numbers listed in the registry or is an MD5 hash comparison being
performed? If the former, you could do this yourself with some glue and
free tools like MSC or psinfo. If an MD5 check is being performed, how
are they verifying that this in fact is the binary running in memory
(i.e. patched + no reboot = still vulnerable).

> And, to be honest, I can't stand "appliances" with specs like that:
>
> "eTrust Vulnerability Manager is an appliance-based solution that runs
> on Windows 2000 Server Platform and can be accessed by Internet Explorer
> 5.0 and higher."
>
> A 'security-appliance' with the most bug-ridden, most-exploited OS on
> the planet, to be used with the most bug-ridden, most-exploited
> application running on top of it?

No comments here. Bait is too easy. :p

> "In addition, eTrust Vulnerability Manager Service supports: IBM AIX,
> HP-UX, Red Hat Linux, Sun Solaris, Windows NT/2000/XP/Server 2003"
>
> Does that mean it only detects vulnerabilities on those OSs?
> What about all the other stuff that floats around? The printer that
> runs some form of embedded Linux with a vulnerable Apache?

I have not used the product but the description makes it sound like it
is agent based. If this is true, you can only check OSes and
applications that are supported by the agent.

Given the above, I personally think Nessus is still a better choice.

HTH,
Chris
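
The three levels of patch evidence discussed in the message above (registry listing, MD5 of the file on disk, and whether the fixed file was in place before the last boot), as an added example that is not part of the original post. The `Evidence` record, the host names, file contents and timestamps are all constructed for illustration, and the boot-time comparison is a heuristic stand-in for checking the image loaded in memory.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Evidence:
    """Facts gathered from one host about one patch (hypothetical record layout)."""
    registry_lists_patch: bool   # patch ID appears in the registry's installed list
    disk_binary: bytes           # bytes of the patched file as found on disk
    file_replaced_at: datetime   # when that file was last replaced
    booted_at: datetime          # last boot time of the host

def assess(ev: Evidence, patched_md5: str) -> str:
    """Classify patch state using the strongest evidence available."""
    if hashlib.md5(ev.disk_binary).hexdigest() != patched_md5:
        # A registry-only scanner would report the first case as "patched".
        return "registry-only" if ev.registry_lists_patch else "missing"
    if ev.file_replaced_at > ev.booted_at:
        # Fixed file on disk, but swapped in after boot: the old image may
        # still be what is loaded in memory (heuristic, not proof).
        return "pending-reboot"
    return "patched"

# Constructed sample data: stand-in file contents and timestamps.
OLD_BIN, NEW_BIN = b"constructed vulnerable build", b"constructed fixed build"
PATCHED_MD5 = hashlib.md5(NEW_BIN).hexdigest()
BOOT = datetime(2004, 7, 1, 8, 0)
HOSTS = {
    "host-a": Evidence(True, NEW_BIN, datetime(2004, 6, 20, 3, 0), BOOT),
    "host-b": Evidence(True, NEW_BIN, datetime(2004, 7, 14, 3, 0), BOOT),
    "host-c": Evidence(True, OLD_BIN, datetime(2004, 1, 5, 3, 0), BOOT),
    "host-d": Evidence(False, OLD_BIN, datetime(2004, 1, 5, 3, 0), BOOT),
}

def scan(hosts: dict, patched_md5: str) -> dict:
    """Return {host: verdict} for every host record."""
    return {name: assess(ev, patched_md5) for name, ev in hosts.items()}

if __name__ == "__main__":
    for name, verdict in scan(HOSTS, PATCHED_MD5).items():
        print(f"{name}: {verdict}")
```

A scanner that stops at the registry check would report host-a, host-b and host-c identically; only the hash and boot-time comparisons separate them.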



