
Corporate Software Inspector

- Integrated with Microsoft WSUS & SCCM for 3rd Party Patch Management -

CSI 4.1 - Setup and Usage guide

Ver 1.1

Table of Contents
1. About Secunia
2. About Secunia Research
3. The Secunia CSI 4.1 - Integrated with Microsoft WSUS & SCCM for 3rd Party Patch Management
    3.1 The Scan Process - how does it work
    3.2 Patch Management - how does it work
4. Installation and System Requirements
    4.1 CSI Operational Requirements
        4.1.1 CSI GUI/Console Prerequisites
        4.1.2 CSI with Patching Capability
        4.1.3 Agent-based Scan - Requirements
        4.1.4 Scan Groups/Agent-less Scan - Requirements
        4.1.5 Setting Up Clients to Access WSUS
    4.2 Installing the Secunia CSI GUI
    4.3 How Can I Scan Target Hosts?
    4.4 Agent installation - Single Host mode
    4.5 Agent Installation - Network Appliance Mode
    4.6 Troubleshooting
5. Scan
    5.1 Scan Now
        5.1.1 Quick Scan
        5.1.2 Scan Groups
        5.1.3 Scan Progress
    5.2 Scheduled Scanning
        5.2.1 Single Host Agents
        5.2.2 Network Appliance Agents
        5.2.3 Network Appliance Groups
        5.2.4 Download Agent
    5.3 PSI Integration
        5.3.1 Connected PSI installations
        5.3.2 Download Custom PSI
    5.4 Filter Scan Results
        5.4.1 Scan Paths
        5.4.2 Ignore Rules
6. Completed Scans
7. Results
    7.1 Sites
    7.2 Hosts
    7.3 Programs and Operating Systems
        7.3.1 All
        7.3.2 Insecure
        7.3.4 Patched
    7.4 Categories
8. Reports
    8.1 Dashboard
    8.2 Change Summary
    8.3 Generate Reports
    8.4 View Scheduled Reports
9. Patch
    9.1 Create
    9.2 Available
    9.3 Deployment
    9.4 Configuration
        9.4.1. Create/Install Certificate
        9.4.2. Certificate Distribution
        9.4.3. WSUS Group Policy
    9.5 Agent Deployment
10. Configuration
    10.1 Settings
    10.2 Suggest Software
    10.3 Reset Password
11. Support
    11.1 Manual & FAQ
    11.2 Microsoft WSUS
    11.3 Changelog
    11.4 Contact Information
12. Secunia Advisories
    12.1 About Secunia advisories
    12.2 From (attack vector)
    12.3 Criticality
    12.4 Impact
    12.5 Other Frequently Used Terms
13. Technical Support
Appendix A: FAQ
Appendix B: Proxy Settings
Appendix C: Deploying Agents on a Network via GPO
Appendix D: Setup Examples
Appendix E: Install the WSUS Administration Console
Appendix F: User Management
Appendix G: Accessing the CSI Local Database
Appendix H: CSI Agent Single Host Mode & Appliance Mode


1. About Secunia

Secunia is an independent, world-leading provider of Vulnerability Intelligence. Our aim is to give you exactly the intelligence you need, which enables you to address vulnerabilities quickly and effectively before intruders cause serious harm to your organisation. We have no ties to specific vendors, nor any strings or bias that go with such ties. We provide objective and verified analyses in the manner and format of your choice.

Whether you control security from a central security department or have distributed security responsibilities, our services assure that you receive the security alerts relevant to your IT infrastructure instead of having to spend vast amounts of time browsing through information with questionable relevance.

The vulnerability issue cannot be denied. Every corporation faces the certain knowledge that vulnerabilities in the IT infrastructure can be used to compromise security. This represents an extra challenge for the person responsible for IT: How can you protect your IT infrastructure more effectively? How can you make sure that you have all the Vulnerability Intelligence you need? How can you do this without spending too much time and effort investigating and evaluating loads of unstructured information compiled from various sources? And how do you achieve the best possible fit with your other security tasks, like policy compliance, ACL, user management, etc.?

Save both time and money: with our solutions, you can rely on being alerted pre-emptively with a full verification and analysis of any vulnerability that could compromise your network security. Furthermore, our solutions give you the tools to both manage your network security and keep it updated at all times.

Imagine a solution that ensures you are alerted when someone discovers a major vulnerability in one of your key applications. Imagine that this solution alerts you, even if the vendor does not. Imagine that this solution presents the alert in a comprehensive manner, verifies the exact issue, tells you how to deal with it in the best possible way, and provides you with the tools necessary to eliminate the threat effectively. No more unnecessary worries. No more wasted time trying to keep track of Vulnerability Intelligence. No more guilty conscience about not being able to cover so much ground.


2. About Secunia Research

Our experts monitor all available intelligence on vulnerability issues, subscribe to all security-related sites, newsgroups and newsletters, and are in ongoing dialogue with vendors regarding vulnerability issues. In addition, our vast network with the industry ensures that we have access to all vulnerability alerts available.

Once a vulnerability has been identified, an advisory is issued based on the expertise of the Secunia Research team. The advisory includes thorough analysis, allowing you to evaluate and eliminate the vulnerability immediately.

With the Secunia Enterprise Vulnerability Manager solution, you can be at the forefront in eliminating vulnerabilities. With the Corporate Software Inspector you will be pre-emptive in eliminating vulnerabilities and in protecting your network against outside threats. The cutting-edge technology combined with the expertise of the Secunia Research team will enable you to track and eliminate any vulnerability that poses a threat to your network.

Professionals rely on Secunia. As a customer, you will have the most comprehensive Vulnerability Intelligence in the palm of your hand and filtered to your specific needs, thus ensuring that you have access to accurate and relevant information. The Vulnerability Intelligence is available in your own customised area, which is updated and accessible 24/7.

The Secunia blog is used to communicate our opinions about vulnerabilities, security, ethics, and our responses to articles, research papers, and other blog entries regarding Secunia and vulnerabilities. Please find our blog on this link: http://secunia.com/blog/

The Secunia solutions include:

- Intuitive, fast, and easy to use SSL-encrypted web-based interface accessible 24/7.
- Filtering and management of Secunia Advisories.
- Overview, documentation, and detailed reports.
- Vulnerability Scanning of your IP addresses and software.
- Customised alerting via e-mail and SMS.


3. The Secunia CSI 4.1 - Integrated with Microsoft WSUS & SCCM for 3rd Party Patch Management

The Secunia CSI is an authenticated internal vulnerability scanner, capable of assessing the security state of practically all legitimate programs running on the Microsoft Windows platform. The Secunia CSI also integrates with Microsoft WSUS & SCCM for easy deployment of 3rd party updates, making patching a simple and straightforward process for all IT departments.

The Secunia CSI utilises the Secunia Advisory & Vulnerability Database to assess the security state of detected programs, thus making the vulnerability intelligence foundation for the Secunia CSI superior in every aspect, especially compared to competitive solutions that rely on ad hoc/random vulnerability information gathering from various sources.

Furthermore, the Secunia CSI's unique and unparalleled scan engine technology is capable of detecting programs based on actual data on the file system, which is extremely reliable compared to making assumptions based on inaccurate/out-of-date information from, e.g., the Windows Registry, which is what many of the competitive solutions do.

Since the Secunia CSI is running as a trusted application with the purpose of assisting the system administrator, it can take a light-weight, but much more in-depth approach, suited for internal vulnerability scanning. Furthermore, the Secunia CSI is already running with administrative privileges on the network and thus is capable of logging into the systems being scanned. It can read data from files on the hard drive of the scanned system and assess whether the installed programs are vulnerable or not, cross-referencing with Secunia Vulnerability Intelligence.

3.1 The Scan Process - how does it work

The first step in scanning a system is to collect specific META data from primarily .EXE, .DLL, and .OCX files on the system being scanned. META data is generic non-sensitive text strings embedded in the binary files by the vendor of the program. This data is collected and then sent to Secunia's Secure Data Processing Cloud (DPRC) where it is processed and parsed.

After being processed, the data is matched against the Secunia File Signatures, which are the rules that match the raw META data to an actual program installation. Part of this matching process also results in an exact version being extracted from the META data. This means that after the initial parsing the Secunia CSI knows exactly which programs are on the system and their exact version: a precise inventory of software on the system.

The inventory of software is then compared against the unique Secunia Advisory & Vulnerability Database, which contains the most accurate and current Vulnerability Intelligence available. The result is a precise inventory of programs, their versions, and the exact security state of each, along with a direct reference to the corresponding Secunia Advisory detailing the exact vulnerabilities and their Secunia assessed criticality and impact.

Since the scan process works by looking at the actual files on the system being scanned, the result is extremely reliable, as a program cannot be installed on a system without the actual files required being present. This in turn means that the Secunia CSI rarely identifies false-positives and thus the customer can use the result from the Secunia CSI immediately without doing additional data mining!

3.2 Patch Management - how does it work

Patching of vulnerable software, in particular 3rd party software which is not supported by Microsoft WSUS, has been a cumbersome and resource-demanding process, causing many enterprises to either neglect patching or only patch very few non-Microsoft applications. Through the seamless Microsoft WSUS & SCCM integration with the Secunia CSI the patching process has been simplified and can literally be conducted with a few simple clicks. Patch Management has never been easier and more straightforward than with the Microsoft WSUS & SCCM and the Secunia CSI integration.


4. Installation and System Requirements

4.1 CSI Operational Requirements

The following section describes the operational requirements needed by the Secunia CSI 4.1, taking into consideration the different components/features.

4.1.1 CSI GUI/Console Prerequisites

In order to install and run the Secunia CSI 4.1 Console (Graphical User Interface), the following requirements should be met:

- The CSI Console must be launched by a user with Domain Admin [1] privileges
- https://csi.secunia.com must be added to the Trusted sites in the Internet Options of IE
- Internet Connection - Port 443/TCP open outbound
- Minimum 1024 * 768 screen resolution

4.1.2 CSI with Patching Capability

To successfully create updates, the following should also be present when installing the Secunia CSI:

- WSUS installer (Administration console only, please refer to Appendix E)
- Visual C runtime
- Microsoft .NET runtime V2.0 SP2
- When running the Secunia CSI 4.1 for the first time in Windows Vista, 7 or 2008, right-click the CSI icon and select 'Run as administrator'
- Remote Registry must be enabled to successfully install the certificates (in Vista and Win7 this service is disabled by default)

4.1.3 Agent-based Scan - Requirements

The Secunia CSI provides enough flexibility that it can be easily adapted to your environment. If you choose to scan using the installable Agent [2] (Agent-based scans), please consider the following requirements that should be present in the target hosts:

- Administrative privileges (to install the CSI Agent csia.exe)
- Microsoft Windows 2000, XP, 2003, 2008, Vista and 7
- Internet Connection - Port 443/TCP open outbound
- Windows Update Agent 2.0 or later

4.1.4 Scan Groups/Agent-less Scan - Requirements

If you prefer to scan without installing the CSI agent (Agent-less scans), please consider the following requirements that should be present in the target hosts:

- Ports 139/TCP and 445/TCP open inbound (on hosts)
- File sharing enabled on hosts
- Easy/simple file sharing disabled
- Windows Update Agent 2.0 or later
- Required Windows services started on hosts (should be by default):
    - Workstation service
    - Server service
    - Remote Registry service
    - COM+ services (COM+ System Application: Set to Automatic)
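The port and service requirements above can be checked from the CSI Console machine before a scan group is created. The following PowerShell script is an added example, not part of the Secunia guide; it assumes Windows PowerShell 5.1, an account with administrative rights on the targets, and the standard Windows service names for the services listed above. It does not check the file sharing settings or the Windows Update Agent version.

```powershell
# Added example: pre-flight check for the agent-less scan prerequisites in 4.1.4.
# Usage (script name and host names are hypothetical):
#   .\Test-AgentlessPrereqs.ps1 -ComputerName WS-0142, WS-0143
param(
    [Parameter(Mandatory = $true)]
    [string[]]$ComputerName
)

# Windows service names behind the display names listed in section 4.1.4.
$requiredServices = [ordered]@{
    'LanmanWorkstation' = 'Workstation'
    'LanmanServer'      = 'Server'
    'RemoteRegistry'    = 'Remote Registry'
    'COMSysApp'         = 'COM+ System Application'
}
$requiredPorts = 139, 445

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on any PowerShell version.
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($computer in $ComputerName) {
    foreach ($port in $requiredPorts) {
        $open = Test-TcpPort -Target $computer -Port $port
        [pscustomobject]@{
            Host   = $computer
            Check  = "Port $port/TCP inbound"
            Result = if ($open) { 'OK' } else { 'FAIL' }
            Detail = ''
        }
    }

    foreach ($name in $requiredServices.Keys) {
        try {
            $svc = Get-Service -ComputerName $computer -Name $name -ErrorAction Stop
            if ($name -eq 'COMSysApp') {
                # The guide asks for start type Automatic rather than "started".
                $ok     = $svc.StartType -eq 'Automatic'
                $detail = "StartType=$($svc.StartType)"
            } else {
                $ok     = $svc.Status -eq 'Running'
                $detail = "Status=$($svc.Status)"
            }
        } catch {
            # Unreachable host, access denied, or service not present.
            $ok     = $false
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{
            Host   = $computer
            Check  = "$($requiredServices[$name]) service"
            Result = if ($ok) { 'OK' } else { 'FAIL' }
            Detail = $detail
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to review many hosts at once; a FAIL on port 445 usually explains service query failures on the same host.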

[1] The user running the Secunia CSI must have the necessary privileges so it can perform tasks such as: configure/connect to Microsoft WSUS, perform remote scans to hosts in the network, install the necessary certificates so client machines can accept the packages created by the Secunia CSI.
[2] Section 4.4 Agent installation - Single Host mode


4.1.5 Setting Up Clients to Access WSUS

The Secunia CSI 4.1 uses the WSUS update mechanism so that updates/patches become available to clients in your network. It is therefore important to configure your clients to access the WSUS server.

When connecting the Secunia CSI to a WSUS server for the first time, you will be prompted by the CSI Group Policy wizard [1]. Through this wizard you can easily create a Group Policy that will enable your clients to get updates from the WSUS server.

If you choose not to create a new Group Policy using the 'CSI WSUS Group Policy' wizard, please edit your existing WSUS Group Policy in the following manner:

1) In the Group Policy Management Console (GPMC), browse to the Group Policy Object (GPO) on which you want to configure WSUS, and then click Edit.
2) In the GPMC, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
    - Enable: Configure Automatic Updates (choose your settings)
    - Enable: Specify intranet Microsoft update service location. (Add the hostname/IP of your WSUS server.)
    - Enable: Allow signed updates from an intranet Microsoft update service location. (Important: enables WSUS to distribute patches through the Secunia CSI.)

Please refer to section 9.4 Configuration to read about the 'WSUS Publishers Self-Signed' certificate installation.

For installing the WSUS server we recommend reading the Step by Step Installation Guide provided by Microsoft: http://technet.microsoft.com/en-us/wsus/default.aspx

4.2 Installing the Secunia CSI GUI

Please follow the steps below in order to install the latest version of the Secunia CSI 4.1:

- Download the Secunia CSI installer from http://secunia.com/CSISetup.exe
- Double-click the installer icon and follow the wizard instructions.
- Launch the Secunia CSI as Domain Administrator, i.e. right-click and 'Run as administrator' (if running on Windows Vista, 7 or 2008)
- Log in with your CSI Account credentials (User name/Password)
- You will be prompted to reset your password. We strongly recommend the user proceeds with the password reset since the first Secunia password will expire after the first login.

Supported Microsoft Operating Systems:

- Windows 2000 SP4
- Windows XP SP3
- Windows Vista (x86/x64)
- Windows 7 (x86/x64)
- Windows Server 2003
- Windows Server 2008 (x86/x64)

4.3 How Can I Scan Target Hosts?

The Secunia CSI allows scanning of target hosts by using different approaches, namely:

Scan the target hosts by launching a scan from the system where the Secunia CSI Console is installed. By using this approach, no software is installed on the target hosts. The scanning is done using standard operating system services. Please check sections 4.1.4 Scan Groups/Agent-less Scan - Requirements and 5.1.2 Scan Groups.

[1] Section 9.4.3. WSUS Group Policy


Alternatively, you can perform Agent-based scans. This type of scan is conducted by the Secunia CSI agent that can be installed in different modes: Single Host Mode, Network Appliance Mode, or Command Line Mode. Please refer to section 5.2.4 Download Agent for more details. The following sections describe in greater detail the agent installation in Single Host Mode and in Network Appliance Mode.
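Whichever scan approach is used, patches only reach a client if the Group Policy settings from section 4.1.5 have actually been applied to it. The following PowerShell script is an added example, not part of the Secunia guide, to run locally on a client in an elevated session; it assumes the registry value names that the Windows Update policies write, and that the 'WSUS Publishers Self-Signed' certificate named in section 4.1.5 is expected in the machine's Trusted Publishers and Trusted Root stores.

```powershell
# Added example: verify on a client that the three WSUS policies from
# section 4.1.5 are in effect and that the publishing certificate is trusted.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    # Returns $null when the key or value is absent (policy not configured).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$wuServer   = Get-PolicyValue $wuKey 'WUServer'
$useWu      = Get-PolicyValue $auKey 'UseWUServer'
$noAuto     = Get-PolicyValue $auKey 'NoAutoUpdate'
$acceptCert = Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts'

# One row per policy named in the guide.
[pscustomobject]@{
    Setting = 'Configure Automatic Updates'
    Value   = "NoAutoUpdate=$noAuto"
    Applied = ($noAuto -eq 0)
}
[pscustomobject]@{
    Setting = 'Specify intranet Microsoft update service location'
    Value   = "WUServer=$wuServer; UseWUServer=$useWu"
    Applied = ([bool]$wuServer -and $useWu -eq 1)
}
[pscustomobject]@{
    Setting = 'Allow signed updates from an intranet Microsoft update service location'
    Value   = "AcceptTrustedPublisherCerts=$acceptCert"
    Applied = ($acceptCert -eq 1)
}

# With the last policy enabled, the client installs packages signed by any
# certificate in Trusted Publishers, so list what is actually trusted there.
$certName = 'WSUS Publishers Self-signed'
foreach ($store in 'TrustedPublisher', 'Root') {
    $found = @(Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like "*$certName*" })
    [pscustomobject]@{
        Setting = "Certificate '$certName' in $store"
        Value   = ($found | ForEach-Object { "$($_.Thumbprint) expires $($_.NotAfter)" }) -join '; '
        Applied = ($found.Count -gt 0)
    }
}
```

A row with Applied = False and an empty value means the policy has not reached this client; run gpupdate /force and check again before troubleshooting the WSUS side.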

4.4 Agent installation - Single Host mode

The Secunia CSI provides different scan approaches, enabling you to select the one that best suits your environment. The Agent-based deployment is more robust and flexible for segmented networks or networks with mobile clients (e.g., laptops). Once installed, the agent will silently run in the background, even behind a firewall.

Example: To install the CSIA.exe (Agent) in Single Host mode, download the agent from the CSI console in 'Scan-> Scheduled Scan-> Download Agent'. Please refer to section 5.2.4 Download Agent for further details. Once the agent is installed, every time the laptop goes online (Internet connection) it will verify if a new scan should be conducted. After scanning, the result will show up in 'Scan-> Completed Scans' in the Secunia CSI Console, allowing full control to scan and view results of hosts that are not always connected to your network.

Result: Hosts scanned with the Agent in Single Host mode will show in 'Results-> Hosts'. When and how the hosts are scanned can be controlled from the Secunia CSI console under 'Single Host Agents'. Right-click a host name and select Edit Configuration to change the agent settings.

Install the Agent from the command prompt with a local Admin account using:

    >csia.exe -i -L

By using the -L parameter, the agent will be installed as a service running under the LocalService user account. If you are a member of a domain and you don't use the -L switch, the service will be installed under the user account performing this action, thus granting that account the 'logon as a service' privilege. However, this privilege is usually removed in the next GPO background refresh, since domain policies will not allow it. As a consequence, the Agent will stop working after the privilege has been removed.

Example of an installation: [screenshot not reproduced]

4.5 Agent Installation - Network Appliance Mode

Network Appliance Agents are the recommended solution for scanning one or more networks at scheduled intervals without having to install the Agent in every single target host. With the CSIA.exe installed in Appliance mode, you will have the ability to schedule remote scans. The hosts to be scanned can be identified by an IP-range, IP-network or Host-name. The CSI console allows you to easily manage the scans being done by the Appliance agent.


Example: If you want to scan three different networks (i.e. Germany, United States, and United Kingdom) without having to install the agent in single host mode, then you can install three instances of CSIA.exe in Network Appliance mode, one on each network. Afterwards you will be able to scan all the hosts on the three locations at scheduled intervals. This is done by creating the appropriate scan groups in 'Scan-> Scheduled Scanning-> Network Appliance Groups' and assigning each group to its respective and previously installed Network Appliance Agent.

Result: After installing a CSIA.exe in Network Appliance mode, the Appliance agent will appear in 'Scan-> Scheduled Scanning-> Network Appliance Agents'. To specify the target host to be scanned by the Appliance mode agent, please configure the scan group in 'Scan-> Scheduled Scanning-> Network Appliance Groups'.

Installing the Network Appliance Agent from the command prompt:

    >csia.exe -A -i

It is very important that the CSIA.exe is installed with the correct credentials. The user installing the Appliance Agent must have admin rights to all the target hosts that will be scanned by the Appliance Agent.

Example of an installation: [screenshot not reproduced]

4.6 Troubleshooting

If the Secunia CSI 4.1 fails to launch properly, please consider the following support resources:

- Appendix A: FAQ
- Online FAQ available at http://secunia.com/products/corporate/csi/faq40

Also, examples of different Agent setups are provided in Appendix D: Setup Examples.


5. Scan

5.1 Scan Now

The following options are listed under 'Scan Now':

- Quick Scan
- Scan Groups
- Scan Progress

Through these you can perform and monitor the progress of scans conducted on your PC and/or remote hosts on your network. These scans are performed in an Agent-less manner, and it is important to note that the credentials used by the Secunia CSI to authenticate on the target hosts will be the same as those of the user that launched the Secunia CSI Console. Please consider the system requirements for the Scan Groups / Agent-less scans, described in section 4.1.4 Scan Groups/Agent-less Scan - Requirements.

5.1.1 Quick Scan

Simply enter the Computer name and/or IP-address range for the hosts you wish to scan in the 'Enter hosts to scan' area and press the 'Scan Hosts' button. The scan progress will be available under 'Scan Progress'.

5.1.2 Scan Groups

Through this option you can create 'Scan Groups' by choosing which hosts you would like to scan for vulnerabilities. After pressing the 'New Scan Group' button, a new window will appear. In this new window you can create and configure a group of hosts to be scanned. After navigating through the different tabs: 'Name & Scan Type', 'IP Ranges', 'IP Networks and Hosts & IPs', press the 'Save' button to save and create the scan group. To start a scan on a previously created group, right-click the group name and select 'Scan Now'.


Please consider the system requirements for the Scan Groups / Agent-less scans mentioned in section 4.1.4 Scan Groups/Agent-less Scan - Requirements.

5.1.3 Scan Progress

Through this view you can track the scans being conducted. If you wish to configure the number of simultaneous scan threads, please see section 10. Configuration of this document. The default value is set to 5.

5.2 Scheduled Scanning

5.2.1 Single Host Agents

In this screen you can manage configurations and schedule scans for the hosts where the Agent is installed as a service in Single Host Mode. Double-click a row to manage the configuration of the selected agent and change its settings (Inspection type, Check-in frequency, Days between scans). If you right-click on a host name and select 'Edit site configuration' you will be able to manage the configuration for all the hosts in that Site.


The hosts scanned with the CSIA.exe will be grouped by Site. By default the domain name will be used as a Site name. To change a Site name, please refer to section 7.1 Sites. You can also specify a Site name when installing the agent, by using the -g parameter.

5.2.2 Network Appliance Agents

This page lists the hosts which have Network Appliance Agents installed. Double-click a host to configure the Network Appliance Agent for that host.

5.2.3 Network Appliance Groups

In this screen you can create a target group that will be scanned by a Network Appliance Agent. Press the 'New Group' button to start creating a new target group that will be remotely scanned by one of the Network Appliance Agents previously installed.

5.2.4 Download Agent

The Secunia CSI Agent (CSIA.exe) is a small, simple, customisable and extremely powerful Secunia CSI scan engine that offers a fully featured command line interface (CLI) to the Secunia CSI scanning functionality. This allows you to run CSI scans directly from the command line, to embed the Agent in a command script or to distribute it through WSUS/SCCM.

Please refer to section 9.5 Agent Deployment to deploy the csia.exe through WSUS/SCCM, or check Appendix C: Deploying Agents on a Network via GPO, to get a better understanding of how to deploy the CSIA.exe via Group Policy.

The 'csia.exe' file is a customised executable, unique and private for your Secunia CSI account. This means that the CSIA.exe automatically links all scan results to your Secunia CSI account.

5.3 PSI Integration

The Secunia Personal Software Inspector (PSI) now offers integration with the Secunia CSI 4.1, making it possible to report its local PC scan results to the centralised Secunia CSI dashboard. This significant enhancement enables an administrator to track all the unmanaged PCs connecting to the network and take any remediation actions necessary. Please check the document available at Secunia's web site: Secunia CSI PSI Integration


5.3.1 Connected PSI installations

In this screen you can see an overview of the PSI installations connected to your account.

5.3.2 Download Custom PSI

Secunia PSI installations can be linked to a Secunia CSI account. This link is done by sharing a common Link ID between the PSI installation and the CSI account. When a PSI installation is linked to a Secunia CSI account, PSI scan results will be visible in the Secunia CSI Console. The Secunia CSI user must create their own Link ID. Once this is done they can download a custom PSI installer with its unique Link ID embedded, or they can communicate the Link ID to standard PSI installations so PSI users can enter the Link ID under the 'Integrate with Secunia CSI' page. After performing a PSI scan, the host name and scan result will be visible in the CSI console.

5.4 Filter Scan Results

This feature will allow you to filter your scan results, either by restricting/allowing the scanning to specific paths or by creating ignore rules that are applied to a scan after its completion.

5.4.1 Scan Paths

This feature allows a user to specify Whitelist or Blacklist paths. If using the Whitelist, the paths specified will be the only paths that will be investigated by the scanner. All other paths will be ignored. If using the Blacklist, the specified paths will be ignored and all other paths will be investigated by the scanner. Use this feature with caution. By using the Scan Path Rules some of your paths will be excluded from the scan. Thus, the Secunia CSI will not alert you about insecure programs in excluded paths, even if they potentially expose your hosts to security threats. It is not possible to use both a Blacklist and a Whitelist at the same time.

5.4.2 Ignore Rules

Through this feature the user can create and maintain 'Ignore Rules' for excluding specific content from results and reports. These ignore rules can be applied to backup directories or inactive programs. Once you have configured an 'Ignore Rule', press 'Save' to make the rule effective. The rule will be applied to all new scan results generated by the Secunia CSI.

6. Completed Scans

This option gives you a complete list of all performed scans, including the result of those scans. The sorting of both lines and columns can be defined by the user, thus allowing the user to create the layout that best suits their needs. The column's position can be modified by dragging and dropping the selected column to the desired position.


To see the details of a scan result, double click or right-click on an entry of the presented table. A new window similar to the one shown below will be displayed.

Programs matching the conditions defined in 'Filter Scan Results' will be excluded from scan results, meaning that the Secunia CSI will not provide information about insecure programs that are potentially exposing your IT environment to security threats.

7. Results

7.1 Sites

This view will display all the Sites maintained within your account. You can easily double click a Site name to see its hosts. By right-clicking a Site you can change or view its hosts. Scanned hosts will be grouped in a Site with the same name as the domain they log on to. You can easily right-click a Site to change its name if you prefer to use a different naming standard. In this view you can also compare the performance of the different Sites over a specific time frame, by selecting which Sites you would like to see displayed in the Trend Reporting section.


7.2 Hosts

This view will show all the hosts maintained within your account. Double click a host in the presented table to view additional details about the programs installed on that particular host, as well as the current security state of those programs. From this view you can easily move hosts to a new or existing Site by right-clicking the host name and choosing 'Edit Site'. A graph showing the evolution of the selected host will also be displayed. To generate a graph for more than one host, do a multiple selection of the hosts that you would like to view in the chart area (up to 15 hosts simultaneously).

7.3 Programs and Operating Systems

By selecting 'Programs' or 'Operating Systems', you can easily see all the Programs or Operating Systems found through the CSI scans. For convenience, the found software is sorted in accordance with its security status: Insecure, End-of-Life or Patched.

7.3.1 All

In this screen you are presented with a list containing all the unique Programs / Operating Systems installed on the scanned hosts. Double click any row to view a full report with extensive details about the actual hosts, versions, and security states.

7.3.2 Insecure

This view lists all unique Insecure programs installed on the scanned hosts, including their criticality rating. Double click any row to view a full report with extensive details about hosts, versions, and security states.

7.3.3 End-of-Life

This view lists all unique End-of-Life programs installed on the scanned hosts, including their criticality rating. Double click any row to view a full report with extensive details about the actual hosts, versions, and security states.

7.3.4 Patched

This view lists all unique Patched programs installed on the scanned hosts. Double click any row to view a full report with extensive details about the actual hosts, versions and security states.

7.4 Categories

This feature allows the user to create and manage software categories. By having different categories you can easily identify specific software that was found during the scans. To add a software product to a previously created category, simply drag and drop the product into the desired category. The categories created can be used to easily find specific products from the scan results. To do so, go to 'Results-> Programs-> All' and select the category to filter the programs being listed. Based on the result of the filter you can now right-click and select 'View installations'.

8. Reports

This section groups the Secunia CSI reporting features, namely the 'Dashboard', the 'Change Summary', the 'Generate Reports' and 'View Scheduled Reports'. In the next sections a more detailed explanation for each of these features will be given.

8.1 Dashboard

The Dashboard is the main window of the CSI GUI that summarizes information collected by the Secunia CSI. The information presented in the dashboard can be customised in order to better suit the user's needs. This customisation is done by adding or deleting the available 'portlets'. Each 'portlet' provides specific information. To better manage the information presented in the Dashboard, a user can create several profiles. Each profile stores information about the 'portlets' being displayed - for convenience, a user can create and alternate between several dashboard profiles. For each dashboard profile created, a static URL is available. The user can use the static URL to publish the dashboard into another system simply by copying the Static Dashboard URL.


8.2 Change Summary

This feature allows you to receive e-mails containing a Change Summary that covers changes related to added/removed programs, updated programs, and insecure programs.

8.3 Generate Reports

This feature contains a three step wizard to schedule report generation based on the state of all hosts and programs associated with your account at the time of generation.

Step 1: Choose the type of report.

Step 2: Select which hosts or programs you would like to include in the report. If in the previous step you have selected the Executive Summary Report, step 2 is not applicable.

Step 3: Select the report options (if any) that are specific to the type of report selected in step 1. Optionally you can also choose a file name that will be used to name the .PDF file containing the report.

Select if you want to schedule the report and its recurrence and/or if you want the report to be emailed as soon as possible.

Specify the recipients for the report or select the e-mail address entered in 'Configuration-> Settings'. Once this is done, press the 'Schedule Report Generation' button. At any time you can go directly back to step 1 and start over by pressing the 'Return to step 1' button. Data entered without scheduling a report will not be saved or persist.


All the reports available through this feature are provided in .PDF format and will be e-mailed to the defined e-mail addresses in accordance with the schedule and recurrence specified. The emails containing the .PDF reports will be sent from no-reply@secunia.com.

8.4 View Scheduled Reports

In this feature you can see all the report generation schedules that were set up. Right click on a given schedule to delete it from the database.

The 'Reporting On' and 'Email Recipient List' fields may be long - in this event, you can mouse over the value to see the entire field. You can also remove any fields from the view if desired by clicking a column name and selecting which fields should be added/removed.

9. Patch

The following sections are dedicated to the Patch Management functionality available in the Secunia CSI. The features related to Patch Management are accessible from the tree Menu located on the left hand side by expanding the Patch section.

9.1 Create

This feature shows programs that have Insecure or End-of-Life installations. To see the complete list of programs that should be patched, please clear the check box: 'Show only Insecure/End-of-Life programs for which update packages can be automatically created'. To create an update package, double click or right-click on the program you wish to update. The Create Update option will be displayed.


If you choose to patch one of the greyed out products, a warning message will be displayed. These programs are greyed out because the vendor doesn't provide silent installation parameters. If you choose to proceed, you must provide the .MSI/.MSP/.EXE file that will be used by the Secunia CSI to create and publish the update. This file should be a custom package that you have created.

In the Create Update window, select the installations you wish to update (use CTRL + mouse click for multiple selection). When finished, press the 'Next' button.

In the next window you will be presented with the link to download the patch directly from the vendor's site. If you choose to patch a product for which the vendor has not provided the silent installation parameters, these will not be available.

After downloading the patch, browse to the file that you have just downloaded. If you did not download the patch from the vendor, you should select the custom made package (.exe/.msi/.msp) that the Secunia CSI will repackage and publish to WSUS. After selecting the correct file, you can edit the silent installation parameters if you wish to. Press the 'Next' button to continue. In the next dialogue message you will have the opportunity to change the package name.


If you wish to proceed, press 'Finish'. The created package will now be published to your WSUS server. Go to 'Available' from the menu on the left to view all published updates.

If using Microsoft System Center Configuration Manager (SCCM), the package created with the Secunia CSI will be available in your SCCM. In the example below the package created with the Secunia CSI is available in SCCM after running a synchronization at the 'Update Repository' level. The title of the update will include the criticality of the vulnerability addressed by that specific update.

9.2 Available

In this screen you are presented with all the locally created packages that are available for your clients. Double click a package from the list below to view additional details about its status.

Or right-click for more options, such as Approve, Decline or Delete.


9.3 Deployment

In this screen you are presented with a host's information collected from the WSUS Server. By double clicking a host in the list you can view additional details about its 'Scan Result', 'Patch Information', 'Patches Available' and 'Overview'.

Also, by right-clicking a host listed in this view, you can perform actions such as viewing the additional information stated above or selecting 'Verify and Install Certificate', which installs the required Certificate on the selected hosts.

In order to successfully install certificates, make sure you have started the Secunia CSI with Domain Administrator privileges. In Vista, Windows 7 or Windows 2008, this should be done by right-clicking on the CSI icon and selecting 'Run as administrator'. Also, note that the Remote Registry must be enabled on the hosts for which you intend to install the certificate using the CSI GUI. The WSUS Self-Signed certificate can also be installed through a Group Policy. Please check our online FAQ for detailed instructions.


9.4 Configuration

In this section you should provide the relevant information (IP-address / DNS-name) regarding the WSUS¹ server you wish to use. After inserting the necessary information, press 'Save and Connect'. If the connection is successful a message box will be displayed. Please note that the port number used to connect to your WSUS depends on your settings. Ports 80 or 8530 are commonly used.

If you have a WSUS architecture with several downstream WSUS replicas, be aware that you should first connect to the main WSUS and install the 'WSUS Self-Sign Certificate'. After that, 'Export' the certificate and 'Import' it with the Secunia CSI to all downstream servers. After importing the certificate to all downstream servers, connect again to the main server. The updates created with the Secunia CSI must always be published to the main server. In order to use the 'Import Signing Certificate' feature, your WSUS server must be configured to accept SSL connections.

9.4.1. Create/Install Certificate

In order for the clients to consider the locally created updates, a signing certificate must be created for the WSUS. The Secunia CSI will search for that and if the WSUS Self-Sign Certificate does not exist, the following message will be displayed. Click the 'OK' button to install the Certificate.

¹ Please note: If you have a main WSUS server linked to several WSUS replicas, the Secunia CSI should be connected to the main WSUS server so that the updates get replicated to the downstream WSUS.


If you press 'Cancel' a 'Create Signing Certificate' button will appear on the 'Patch-> Configuration' screen, allowing you to create that afterwards. If you choose to proceed, the following message will be displayed. Press 'OK' to create the WSUS Self-Sign Certificate.

After pressing the 'OK' button, the certificate is created on the WSUS server and is ready to be installed both locally on the system running the Secunia CSI and on the hosts receiving the updates.

If no certificate is installed on the system running the CSI, the previous button 'Create Signing Certificate' will now be labelled 'Install Certificate'. Press the 'Install Certificate' button to install¹ the certificate locally. If you would like to use your own certificate you can do so by using the Import Signing Certificate button. In order to import a certificate through the Secunia CSI, the WSUS connection must be configured to accept SSL connections.

9.4.2. Certificate Distribution

The Secunia CSI is designed to easily distribute the WSUS Signing Certificate to all clients through a GPO; check 9.4.3. WSUS Group Policy for more details. It is also worth mentioning that the certificate must be installed on the following systems:

- WSUS Server (9.4.1. Create/Install Certificate - 'Create Signing Certificate')
- The system running CSI² (9.4.1. Create/Install Certificate - 'Install Certificate')
- Clients receiving the Updates

Besides distributing the certificates through the CSI WSUS GPO, it is also possible to install the certificate on the target computers by going to 'Patch-> Deployment', selecting the target computers where the certificate is to be installed (CTRL + mouse click for multiple selection) and then right-clicking and selecting 'Verify and Install Certificate'. If you prefer to create your own Group Policy to distribute the WSUS Signing Certificate, please refer to our online FAQ.

9.4.3. WSUS Group Policy

After creating and installing the WSUS Self-Sign Certificate, the Secunia CSI will search in your Domain Controller for the CSI WSUS Group Policy. If no such GPO exists, the following message will be displayed:

¹ When installing the Certificate via the CSI console, please make sure that CSI was launched with 'Run as administrator' (applicable in Windows Vista, 7 and 2008). Remote Registry is needed to install the certificates (in Vista and Win7 this service is disabled by default).

² Note that the certificate must also be installed on the system running the CSI console.


If the user chooses to 'Cancel', the CSI WSUS Group Policy will not be created. This option should only be chosen if other GPOs configuring the Windows Updates through a WSUS server already exist. In this case, please edit the existing GPOs in accordance with section 4.1.5 Setting Up Clients to Access WSUS of this document and also make sure that the required certificates are properly installed in accordance with section 9.4.2. Certificate Distribution. If a GPO configuring the WSUS does not exist, press 'OK'. The following message will be displayed.

Choose the options that you would like to enable in accordance with your environment. If you use Microsoft SCCM please make sure you do not check the first option 'Use the WSUS Server specified in the CSI'. If creating the CSI WSUS Group Policy for the first time and if no other GPOs configuring your WSUS exist, proceed by selecting all the options. After pressing the 'OK' button, the following message will be displayed:

If you already have the Windows Updates being configured through a Group Policy, we suggest you check the first 3 options in the 'Create a new CSI WSUS Group Policy' window. Then the CSI WSUS Group Policy will be created but not linked to your domain. This way you can easily check the details of the newly created GPO and verify that the existing WSUS GPOs are correctly configured.

9.5 Agent Deployment

If you choose to scan the target host by using the Secunia CSI Agent in Single Host Mode (recommended), you can easily distribute and install the agent by deploying it through WSUS. To start the CSI Agent Package wizard click 'Create CSI Agent Package'.


In the wizard window, download the Secunia CSI Agent setup file by clicking the link 'CSIASetup.exe'. Once the 'CSIASetup.exe' has been downloaded, locate the file using the 'Browse' button. The silent install parameters will be automatically included by the wizard. Additional parameters can be included by filling in the corresponding fields. Click the 'Finish' button to create an installer package.

After the package has been created, it will appear in the list of packages in 'Patch-> Available'. Right-click on the package name in order to manage it just like any other package created by the Secunia CSI.

10. Configuration

This section is dedicated to the CSI Settings, the Suggest Software and Reset Password features.

10.1 Settings

In this screen you are able to configure the Secunia CSI to fit your preferences, namely:

- The option to start the Secunia CSI automatically with the system start-up.
- Define the number of simultaneous scan threads. Please note that the number of simultaneous scan threads will not affect the scans being performed by the CSIA (Agent), since these scans are made locally by the agents.
- Specify the default e-mail address for the recipients receiving the reports. See section 8.3 Generate Reports.
- Manage the behaviour of the Windows Update Agent (WUA). The Secunia CSI will make use of the information gathered by the WUA when checking for missing Microsoft updates. Be aware that this setting may affect your scan results, i.e. setting the WUA to use a WSUS that is not completely up to date may result in missing important update information.
- If you wish to enable the CSI logging feature, which is useful when troubleshooting any issue that you may experience, please check the option 'Enable Logging'. In the event of a support request, send the log file together with any other relevant information to CSC@secunia.com


10.2 Suggest Software

Using the provided form you are able to send details about software that you would like to be added to the Secunia File Signature database, the same database used by the Secunia Corporate Software Inspector. Please note that it is important to enter as much information as possible, thus facilitating the processing and acceptance of your request.

10.3 Reset Password

The form presented allows you to change your password with Secunia. Please note that passwords must be at least 8 characters in length.

11. Support

11.1 Manual & FAQ

This feature provides information about available manuals and FAQs.

11.2 Microsoft WSUS

This feature provides links where you can obtain more information about setup, installation, and general usage of Microsoft WSUS.

11.3 Changelog

The Changelog feature provides information about the changes made to the Secunia CSI since the previous release. In this screen the user also has access to a link to the online forum. The forum can be used to post user's feedback. All feedback is most welcome!

11.4 Contact Information

This feature provides the contact information if you need to contact Secunia.

12. Secunia Advisories

12.1 About Secunia advisories

Explanation of terms used within Secunia advisories.

12.2 From (attack vector)

From Local System
Local system describes vulnerabilities where the attack vector requires that the attacker is a local user on the system.

From Local Network
From local network describes vulnerabilities where the attack vector requires that an attacker is situated on the same network as a vulnerable system (not necessarily a LAN). This category covers vulnerabilities in certain services (e.g. DHCP, RPC, administrative services etc.), which should not be accessible from the Internet, but only from a local network and optionally a restricted set of external systems.


From Remote
From remote describes vulnerabilities where the attack vector does not require access to the system nor a local network. This category covers services which are acceptable to expose to the Internet (e.g., HTTP, HTTPS, SMTP) as well as client applications used on the Internet and certain vulnerabilities, where it is reasonable to assume that a security conscious user can be tricked into performing certain actions.

12.3 Criticality

Extremely Critical (5 of 5): Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. These vulnerabilities can exist in services like FTP, HTTP, and SMTP or in certain client systems like email programs or browsers.

Highly Critical (4 of 5): Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP, and SMTP or in client systems like email programs or browsers.

Moderately Critical (3 of 5): Typically used for remotely exploitable Denial of Service vulnerabilities against services like FTP, HTTP, and SMTP, and for vulnerabilities that allow system compromises but require user interaction. This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the Internet.

Less Critical (2 of 5): Typically used for cross-site scripting vulnerabilities and privilege escalation vulnerabilities. This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.

Not Critical (1 of 5): Typically used for very limited privilege escalation vulnerabilities and locally exploitable Denial of Service vulnerabilities. This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g., remote disclosure of installation path of applications).

12.4 Impact

Brute force
Used in cases where an application or algorithm allows an attacker to guess passwords in an easy manner.

Cross-Site Scripting
Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system. Different Cross-Site Scripting related vulnerabilities are also classified under this category, including 'script insertion' and 'cross-site request forgery'. Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.

DoS (Denial of Service)
This includes vulnerabilities ranging from excessive resource consumption (e.g., causing a system to use a lot of memory) to crashing an application or an entire system.

Exposure of sensitive information
Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Exposure of System Information
Vulnerabilities where excessive information about the system (e.g., version numbers, running services, installation paths, and similar) are exposed and can be revealed from remote and in some cases locally.

Hijacking
This covers vulnerabilities where a user session or a communication channel can be taken over by other users or remote attackers.

Manipulation of Data
This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access. The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.

Privilege Escalation
This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users. This typically includes cases where a local user on a client or server system can gain access to the administrator or root account, thus taking full control of the system.

Security Bypass
This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application. The actual impact varies significantly depending on the design and purpose of the affected application.

Spoofing
This covers various vulnerabilities where it is possible for malicious users or people to impersonate other users or systems.

System Access
This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Unknown
Covers various weaknesses, security issues, and vulnerabilities not covered by the other impact types, or where the impact isn't known due to insufficient information from vendors and researchers.

12.5 Other Frequently Used Terms

The term users generally refers to authenticated users to the operating system or the application affected. This includes anonymous users when talking about FTP and similar. The term people generally refers to people who are able to make network connections but who are not authenticated.


13. Technical Support

Contact Secunia's security experts with any questions regarding advisories or vulnerabilities affecting your systems by opening a new support case. To do so, please send an e-mail to Secunia Customer Support Center: csc@secunia.com

In order to have your questions answered as soon as possible, please first check our online FAQ located at http://secunia.com/products/corporate/csi/faq40


Appendix A: FAQ

Q: The Secunia CSI seems to hang during start-up?
A: You may need to add this entry to Internet Explorer Trusted Sites: https://csi.secunia.com If connecting through a proxy, please see Appendix B: Proxy Settings.

Q: How do I deploy agents to all my hosts?
A: Please refer to section 9.5 Agent Deployment or to Appendix C: Deploying Agents on a Network via GPO.

Q: How do I get technical support?
A: Support is available by e-mail, please send your questions/feedback/comments to csc@secunia.com.

Q: How do I delete a Site?
A: In order to delete a Site, the user can rename the existing Site or move its hosts into another Site. When all hosts have been moved, the original Site will be automatically deleted.

Q: How do I delete an IP address from a scan group?
A: From the 'Scan Now' menu, click the relevant scan group, go to the Hosts & IPs tab and after selecting the IP to be deleted, press 'Delete Selected'.

Q: Suggest Software does not work in IE8
A: This is most likely because https://csi.secunia.com/ needs to be in the trusted sites in IE.

Q: The agents that I have installed are no longer checking in. What happened?
A: Make sure that you have installed the Agent with the -L switch, i.e.,

    csia.exe -i -L

If you are a member of a domain and you don't use the -L switch, the service will be installed with the user performing this action, thus granting the 'logon as a service' privilege. However, this privilege will usually get removed after the next GPO background refresh since domain policies will not allow it. This will cause the agent to stop working afterwards.

Q: I cannot download the CSI Agent 'csia.exe' even though I have added https://csi.secunia.com to my trusted sites. What to do?
A: Verify that the following Internet Setting is not enabled: Internet Options-> Advanced (Scroll down to Security)-> (Uncheck 'Do not save encrypted pages to disk').

Q: I am not able to find my answer in this FAQ?
A: Please check our online FAQ at http://secunia.com/products/corporate/csi/faq40 which is more comprehensive and up-to-date. If you are still having problems, please contact us at CSC@Secunia.com

Check our online FAQ at http://secunia.com/products/corporate/csi/faq40 and find the most up to date and comprehensive information that will help you in getting answers to your questions.


Appendix B: Proxy Settings

CSI GUI/console through proxy

The Secunia CSI uses Internet Explorer proxy settings only. Set these by opening Internet Explorer and selecting 'Tools-> Internet Options-> Connections-> LAN Settings-> Proxy Server'.

Agents Through Proxy

Generally the agent will inherit proxy settings from Internet Explorer. However, depending on the proxy server and authentication mechanism used, you may have to perform one of the following actions:

To produce a help screen showing proxy settings:

    csia.exe -h

To specify only proxy settings from the command line:

    csia.exe -i -L -x proxy:port

To specify proxy settings with user authentication from the command line:

    csia.exe -i -L -x proxy:port -U username:password


Appendix C: Deploying Agents on a Network via GPO

The CSI agent can be easily deployed via an AD Group Policy Object definition, controlling a common logon script. Shown below are examples of a GPO and logon/start-up script, which must both be adapted to your specific needs.

Example of a Logon Script csiadeploy.bat

Generally you can create a file for deploying the CSI Agent (csia.exe) through a common logon script that will install the csia.exe on the PCs at logon, unless the agent is already installed. Save the below content in a file named csiadeploy.bat:

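    @echo off
    REM Skip the installation when the agent is already present.
    if EXIST "c:\Program Files\Secunia\CSI\csia.exe" GOTO end
    REM Create the install directory if it is missing (paths are quoted because they contain spaces).
    if not EXIST "c:\Program Files\Secunia\CSI\" md "c:\Program Files\Secunia\CSI\"
    REM Copy the agent from the NETLOGON share and install it as a service.
    copy "%LOGONSERVER%\NETLOGON\csia.exe" "c:\Program Files\Secunia\CSI\csia.exe"
    "c:\Program Files\Secunia\CSI\csia.exe" -i -L
    :end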

Make sure that the csia.exe is in your preferred network-mount. If changing the csia.exe install path, never install it where users have write access as this may result in privilege escalation.

Often used options/switches

Producing a help page:

    csia.exe -h

For installing the agent:

    csia.exe -i -L

For use with proxy, no credentials:

    csia.exe -i -L -x proxyIP:port

For use with proxy, using credentials:

    csia.exe -i -L -x proxyIP:port -U username:password

For adhoc scan:

    csia.exe -c -L
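
The write-access warning above can be verified on a deployed host. The following PowerShell script is an added example, not part of the Secunia guide or product: it lists ACL entries on the install directory and on csia.exe that let accounts other than SYSTEM, Administrators and TrustedInstaller write there, and reports the account the agent service runs under. The trusted-SID list and the function name Get-UnsafeWriteAce are assumptions made for this example; the path and the service name are the ones used in this appendix.

```powershell
# Added example (not Secunia code): audit the CSI Agent install location.
param(
    [string]$InstallDir  = 'C:\Program Files\Secunia\CSI',  # path from csiadeploy.bat
    [string]$ServiceName = 'Secunia CSI Agent'              # service name given in this guide
)

# Accounts allowed to write here (assumption; adjust to local policy).
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464', # TrustedInstaller
    'S-1-3-0'         # CREATOR OWNER: only matters if someone else can create files
)

# Rights that let an account plant, replace or re-permission a file,
# plus the GENERIC_WRITE and GENERIC_ALL bits that appear on inherit-only entries.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask   = [int]$WriteRights -bor 0x40000000 -bor 0x10000000

function Get-UnsafeWriteAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs instead of names so the comparison works on any OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($TrustedSids -contains $sid) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }

        # Resolve the SID to a name for the report; keep the SID if it cannot be mapped.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $Path
            Account   = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Check the directory and, if present, the agent executable itself.
$targets = @($InstallDir, (Join-Path $InstallDir 'csia.exe')) |
    Where-Object { Test-Path -LiteralPath $_ }
if (-not $targets) {
    Write-Warning "Nothing found at $InstallDir; pass -InstallDir if the agent lives elsewhere."
    return
}

$findings = @($targets | ForEach-Object { Get-UnsafeWriteAce -Path $_ })
if ($findings.Count -gt 0) {
    Write-Warning 'Non-administrative accounts can write to the agent location:'
    $findings | Format-Table Path, Account, Rights, Inherited -AutoSize
} else {
    Write-Output 'No unexpected write access on the agent directory or executable.'
}

# Report which account the agent service runs under and which binary it starts.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName' OR DisplayName='$ServiceName'"
if ($svc) {
    $svc | Select-Object Name, DisplayName, StartName, State, PathName | Format-List
} else {
    Write-Warning "Service '$ServiceName' was not found on this host."
}
```

An entry reported with Inherited set to True comes from a parent folder's ACL, so correct it on the parent rather than on the agent directory.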


Creating a controlling AD GPO

Step 1: Open the GPO Policy Management Editor to create a GPO in your domain:

Step 2: Create a group policy (GPO) in your domain named CSIagent-deploy.


Step 3: Right-click the created GPO and select Edit -> CSIagent-deploy (the GPO that was created in the previous step) to add the script. Expand User Configuration -> Windows Settings -> right-click Logon -> Properties

Step 4: In Logon Properties click Show Files and drag and drop the csiadeploy.bat file. Note: In this example the file used is the same file that was mentioned in the beginning of this Appendix. A different file may be used in accordance with the user preferences. In Logon Properties select 'Add' and click 'Browse' to add the csiadeploy.bat file.


Step 5: Click Apply to add the file.

Step 6: Verify the created GPO by clicking CSIagent-deploy -> Settings and expanding Logon.

Test the created GPO by doing a Logoff/Logon with a computer that connects to your AD domain. After the Logon, CSIA.exe should be installed on the computer being used. A service named Secunia CSI Agent should now be running on the computer.


Appendix D: Setup Examples

CSI - Your CSI graphical user interface.
CSI-Agent - The csia.exe installed in Agent mode.
CSI-Appliance mode - The csia.exe installed in Network Appliance mode.


Appendix E: Install the WSUS Administration Console

Depending on what was previously installed on the machine, installing 'Visual C runtime' and/or 'Microsoft .NET runtime V2.0 SP2 for x86 CPUs' might be necessary.

Start the installation of WSUS 3.0 SP2. When prompted, select 'Administration Console only'.

Approve all default settings and finish the installation.


Appendix F: User Management

The User Management feature is not part of the default Secunia CSI configuration. Through this feature the CSI main account is able to create other CSI accounts.

For illustration purposes consider the following diagram representing a decentralized team responsible for identifying, assessing and patching vulnerabilities.

[Diagram: Your Account, EMEA, ASIA PAC, USA, LATAM]

This organization can be mapped into the Secunia CSI by creating several user accounts, as in the picture below:

[Picture: user accounts with Read/Write and Read access, and a Shadow Account]

To create a new user account, press the button 'New account' and fill in the form, providing all the necessary details about the user.

To delegate the administration of one account to another account, in this case USA->LATAM, the USA account must be created with the setting 'User Type: Administrator with 1 account' and the LATAM account must be created with 'Administrator: USA'. When done, press 'Submit Form'. An e-mail will be sent to the user's e-mail address containing a welcome message and the login credentials to the Secunia CSI.

A shadow account can be created in the same way a normal account is created. This type of account is able to log on and access the information of a normal account (i.e., for audit purposes or to avoid sharing credentials). When creating a shadow account you can specify the type of access (R/RW).

The Administrator account is able to access information from any specific account for which it is responsible. To do so, press the button 'Imitate user' and select the account you would like to access. The data being displayed will be the data of the account that you have chosen to imitate. To return to your account, press 'Imitate User' and select 'Your Account'.

If you would like to have the User Management feature enabled in your Secunia CSI, please contact your Secunia Sales Representative.


Appendix G: Accessing the CSI Local Database

When the CSI Console (Graphical User Interface) is installed, a local database is created. This local database is kept in synchronization with a similar database hosted by Secunia. The synchronization process is done via SSL protocol with 256 bit encryption.

It is possible to pull custom data and reports from the local Secunia CSI database containing the scan results generated by your Secunia CSI. The local database is in SQLite format. To access the database you can download a free SQLite console from SQLite.org (or use your favourite sqlite tool). Once connected to the CSI database file, the SQLite console will enable you to run queries directly against the CSI results.

After downloading the console, you need to locate the database file. The database file is placed in the following folder:

    %APPDATA%\Secunia CSI

The CSI database will be the largest file with a random name, located in the mentioned folder.

Example:

The following scenario is just an example of how to use the Secunia CSI local database, but this can of course be customised to meet other needs. Start by downloading and unzipping the 'sqlite' console. Download available from: http://sqlite.org/. If 'sqlite3.exe' is placed on your desktop, the following steps are suitable for a Windows XP system.

1) Open a command console and go to your Desktop folder.
2) Run this command (the SQL for query.txt is below):
    sqlite3.exe -header -csv "..\Application Data\Secunia CSI\SqliteLocaldbFile" < query.txt > output.txt
3) 'output.txt' should now contain the CSV content.

The SQL query below should be copied into a file named query.txt, saved in the same directory as sqlite3.exe:

    SELECT host AS Host,
           langroup AS 'Group',
           product_name AS Program,
           version AS Version,
           path AS Path,
           CASE WHEN eol > 0 THEN 'End-of-Life'
                ELSE (CASE WHEN secure = 0 THEN 'Insecure' ELSE 'Patched' END)
           END AS 'State',
           'SA' || vuln_id AS 'SAID',
           vuln_criticality AS Criticality,
           vuln_create_date AS 'SA Issued',
           vuln_count AS Vulnerabilities
    FROM nsi_devices, nsi_device_software
    WHERE nsi_devices.nsi_device_id = nsi_device_software.nsi_device_id
    ORDER BY product_name, path;


Appendix H: CSI Agent Single Host Mode & Appliance Mode

CSI Agent - Single Host Mode

The Secunia CSI Agent is a standalone executable file that can be run either using its command line version or installed as a service that automatically connects to the Secunia Data Center. By connecting to the Secunia Data Center you can easily schedule inspections.

CSI Agent - Network Appliance Mode

Network Appliance Mode is the recommended solution for scanning one or more networks at scheduled intervals. If the user administrates several networks, he can install the Secunia Agent in Network Appliance mode on each network. Afterwards he will be able to scan all hosts on each network at scheduled intervals, all manageable from your Secunia CSI interface.

Getting Started

Once the agent has been downloaded onto the target system, the user can access the agent by opening a command prompt. In the directory where the Secunia CSI Agent is placed, the following command can be used to see the agent help:

    >csia.exe
or
    >csia.exe -h

A set of options should appear, along with brief explanations on how to use each option.

Description of the Single Host Mode Agent

To successfully run the Secunia CSI Agent from a computer, the following requirements must be met:

- Administrative privileges
- Network/Internet connection
- Windows Update Agent 2.0
- Access to https://csi.secunia.com

The Secunia CSI Service can be installed or removed by using the -i and -r command line options. When installed, the Secunia CSI agent uses less than 10 Mb of memory. It takes more memory to check your email or scan your directories than it does to run the Secunia CSI agent.

The Secunia CSI Agent can also be used to inspect the local host by running it with the -c command line option. The user can also choose to run the Secunia CSI Service with the Local Service account (using the -L option) or with a specific user (using the -R option).

Scan Options

The user may prefer to specify different inspection options for more thorough results.

Choose Inspect applications in default locations (-t 1 on the command line) if you wish to conduct the fastest possible inspection. This results in the inspection finding only applications installed in known default locations.

Choose Inspect applications in non-default locations (-t 2) if you wish to inspect and detect applications installed in non-default locations. This option is highly recommended in cases where applications may be installed outside their standard path, such as the Program Files directory.

Choose Inspect all .dll, .exe, and .ocx files (-t 3) if you wish your inspection to cover every single file of the mentioned types.

You can easily change the agent scan type from within the CSI GUI under Agent Management.


Scheduling Inspections

From the Secunia CSI Console the user can easily schedule automatic scans as long as the target hosts have the Secunia CSI Agent installed as a service. See section 5.2.1 Single Host Agents.

Connectivity Options

If the target host is behind a proxy or unable to reach Secunia using HTTPS, you may need to specify the proxy server. This can be quickly done by running the Secunia CSI Agent with the -x option, which allows you to set up the proxy server host name and port, along with any required credentials.

Results & Reports

Scan information is automatically presented in the Secunia CSI Console. From the CSI Console you can generate reports and/or extract statistics based on the scan results. See section 8. Reports.

Data Export Options

It is possible to export the inspection results into XML or CSV format, which can then be imported into another application. To export the results in XML format, use the -ox <file> command, where <file> is the file name of the exported file. To export the results in CSV format, use -oc <file>.

Example

Below is an example of the commands used both to install the Agent and to run an Adhoc scan:

    >csia.exe -i -L

Installs the CSIA in Single Host Mode and performs a first scan. Hosts scanned in Single Host Mode will show in 'Scan -> Scheduled Scanning -> Single Host Agents'.

    >csia.exe -c

Adhoc command line scanning, when using a custom scheduler, logon scripts, etc.


Description of the Network Appliance Mode Agent

To successfully run the Secunia CSI Agent in Appliance Mode, the following requirements must be met:

- Administrative privileges
- Windows Update Agent 2.0
- Workstation and Server Service
- Remote Registry Service
- File and Print Sharing
- COM+
- Ports 139/tcp and 445/tcp open inbound

Example

Below is an example of a typical installation of the CSI Agent in Appliance Mode:

    >csia.exe -A -i

(Installation of the Appliance Agent must be done by a user with admin rights to the target hosts.)

After installing the Agent in Network Appliance Mode, the user should wait a few moments until the agent shows up in the Secunia CSI Console, as mentioned in section 5.2.2 Network Appliance Agents.

If the user wishes to install the agent in Network Appliance mode with a different account than the one currently logged in, the following command can be used:

    >runas /user:account@company.com "csia -A -i -R account@company.com"

Scheduling Inspections

From the Secunia CSI Console the user can easily schedule automatic scans of the target hosts. See section 5.2.3 Network Appliance Groups for further details.

Connectivity Options

If the system running the Secunia Agent in Network Appliance Mode is behind a proxy or unable to reach Secunia using HTTPS, you may need to specify the proxy server. This can be quickly done by running the Secunia CSI Agent with the -x option, which allows you to set up the proxy server host name and port, along with any required credentials.

Privacy

All communication between the Secunia CSI Agent and Secunia is encrypted using SSL protocol with 256 bit encryption. See section 3.1 The Scan Process how does it work for further details.

Security Considerations

The Secunia CSI Agent is a standalone executable file and is not installed on your systems using a standard installer provided by Secunia. Therefore, you need to note that there may be local security implications on multi-user systems if you choose to save the executable file in a publicly writeable directory.
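The warning above about publicly writeable directories (also given in Appendix C for custom install paths) can be checked before deployment. The following is an added example, not part of the Secunia guide: a Python function that parses the text printed by the Windows icacls command for the agent's directory and reports principals outside a trusted list that hold write-capable rights. The two sample outputs, the C:\Tools\CSI path and the trusted list are constructed assumptions.

```python
import re

# icacls rights that allow planting or replacing a file, or rewriting the ACL.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Principals expected to hold write access (assumption: adjust for your domain).
TRUSTED = {r"nt authority\system", r"builtin\administrators",
           r"nt service\trustedinstaller", "creator owner"}
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

def writable_by_untrusted(path, icacls_output, trusted=TRUSTED):
    """Return [(principal, [rights])] for untrusted ACEs granting write access."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is prefixed by the path
        m = ACE.match(line)
        if not m:
            continue                          # blank line or summary footer
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        if "DENY" in groups:
            continue                          # deny entries grant nothing
        rights = {r.strip() for g in groups if g not in INHERIT_FLAGS
                  for r in g.split(",")}
        risky = sorted(rights & WRITE_RIGHTS)
        if risky and m.group("who").lower() not in trusted:
            findings.append((m.group("who"), risky))
    return findings

# Constructed sample: default-style ACL inherited under Program Files.
SAFE = r"""
C:\Program Files\Secunia\CSI NT SERVICE\TrustedInstaller:(I)(F)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed sample: custom path where Authenticated Users inherited Modify.
WEAK = r"""
C:\Tools\CSI BUILTIN\Administrators:(I)(OI)(CI)(F)
             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
             BUILTIN\Users:(I)(OI)(CI)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)
"""

if __name__ == "__main__":
    print(writable_by_untrusted(r"C:\Program Files\Secunia\CSI", SAFE))
    print(writable_by_untrusted(r"C:\Tools\CSI", WEAK))
```

An empty result means no untrusted principal can write to the directory; any entry returned names an account that could replace csia.exe, which the service would then run.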

