Vulnerable software: how to fix it. Identifying vulnerable software on client computers. Intelligent Scan settings management

When Avast Intelligent Scan is started, it checks the PC for the following types of problems and then offers options for resolving them.

  • Viruses: files containing malicious code that may affect the security and performance of your PC.
  • Vulnerable software: programs that require updates and could be used by attackers to gain access to your system.
  • Browser extensions with a bad reputation: browser extensions, usually installed without your knowledge, that affect system performance.
  • Weak passwords: passwords that are used to access more than one online account and can easily be cracked or compromised.
  • Network threats: vulnerabilities in your network that could enable attacks on your network devices and router.
  • Performance problems: items (unnecessary files and applications, configuration problems) that may hinder PC operation.
  • Conflicting antivirus: antivirus programs installed on the PC alongside Avast. Having several antivirus products installed slows down the PC and reduces the effectiveness of antivirus protection.

Note. Fixing certain problems found by Intelligent Scan may require a separate license. Detection of problem types you do not need can be disabled in the Intelligent Scan settings.

Resolving detected problems

A green check mark next to a scan area means that no problems were found in that area. A red cross means the scan found one or more problems related to it.

To view details of the problems found, click Resolve all. Intelligent Scan shows information about each problem and offers to fix it immediately by clicking Resolve, or to postpone it by clicking Skip this step.

Note. Antivirus scan logs can be viewed in the scan history, which you can open by choosing Antivirus protection.

Intelligent Scan settings management

To change the Intelligent Scan settings, select Settings, General, Intelligent Scan and specify which of the listed problem types Intelligent Scan should check for:

  • Viruses
  • Outdated software
  • Browser add-ons
  • Network threats
  • Compatibility issues
  • Performance problems
  • Weak passwords

By default, all problem types are enabled. To stop checking for a particular problem type during an Intelligent Scan, click the Enabled slider next to that type so that it changes to Disabled.

Click Settings next to Virus scanning to change the scan settings.

Another way to look at this problem is that companies must respond quickly when an application has a vulnerability. That requires the IT department to be able to track installed applications, components and patches using automation and standard tools. There are industry efforts to standardize software tags (ISO 19770-2): XML files installed together with an application, component and/or patch that identify the installed software and, for a component or patch, which application it belongs to. Tags carry authoritative publisher information, version information, and a file list with each file's name, secure hash and size, which can be used to confirm that the application really is installed on the system and that its binaries have not been altered by a third party. The tags are digitally signed by the publisher.

When a vulnerability becomes known, IT departments can use their asset management software to immediately identify systems with the vulnerable software and take steps to update them. Tags can also be part of a patch or update, so they can be used to verify that the patch is installed. IT departments can thus use resources such as the NIST National Vulnerability Database (NVD) to drive their asset management tools: as soon as a vendor submits a vulnerability to the NVD, the IT department can immediately compare the new vulnerability against its up-to-date inventory.

A group of companies is working through the non-profit IEEE/ISTO organization TagVault.org (www.tagvault.org), together with the US government, on a standard implementation of ISO 19770-2 that will enable this level of automation. Tags conforming to this implementation are likely to become mandatory for software sold to the US government at some point in the next couple of years.
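The tag-based check the paragraphs above describe, as an added Python example that is not code from this page or from TagVault.org: it builds a simplified ISO 19770-2 style tag for a constructed install directory (the element and namespace names are assumptions modelled on the 2015 schema), then verifies on the asset-management side that every listed file exists with the recorded size and SHA-256, flagging a binary modified after installation. Publisher signature verification is not shown.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumed, simplified tag layout modelled on the ISO 19770-2:2015 schema;
# the namespace URIs and element names are assumptions, not taken from the page.
NS = {"swid": "http://standards.iso.org/iso/19770/-2/2015/schema.xsd",
      "sha256": "http://www.w3.org/2001/04/xmlenc#sha256"}
TAG_TEMPLATE = """<SoftwareIdentity xmlns="{swid}" xmlns:SHA256="{sha256}"
  name="ExampleApp" version="1.2.3" tagId="example.com-ExampleApp-1.2.3">
  <Entity name="Example Corp" regid="example.com" role="softwareCreator tagCreator"/>
  <Payload>{files}</Payload>
</SoftwareIdentity>"""

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_tag(install_dir, filenames):
    """Publisher side: record name, size and SHA-256 of every shipped file."""
    entries = "".join(
        '<File name="{}" size="{}" SHA256:hash="{}"/>'.format(
            f, os.path.getsize(os.path.join(install_dir, f)),
            sha256_of(os.path.join(install_dir, f)))
        for f in filenames)
    return TAG_TEMPLATE.format(swid=NS["swid"], sha256=NS["sha256"], files=entries)

def verify_tag(tag_xml, install_dir):
    """Asset-management side: confirm the product is present and its files
    are unmodified. Returns (name, version, list of problems)."""
    root = ET.fromstring(tag_xml)
    problems = []
    for f in root.iter("{%s}File" % NS["swid"]):
        path = os.path.join(install_dir, f.get("name"))
        if not os.path.exists(path):
            problems.append("missing: " + f.get("name"))
            continue
        if os.path.getsize(path) != int(f.get("size")):
            problems.append("size mismatch: " + f.get("name"))
        if sha256_of(path) != f.get("{%s}hash" % NS["sha256"]):
            problems.append("hash mismatch: " + f.get("name"))
    return root.get("name"), root.get("version"), problems

def demo():
    """Constructed scenario: verify a clean install, then a tampered binary."""
    d = tempfile.mkdtemp()
    for name, data in (("app.exe", b"MZ example"), ("core.dll", b"MZ lib")):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    tag = build_tag(d, ["app.exe", "core.dll"])
    clean = verify_tag(tag, d)
    with open(os.path.join(d, "core.dll"), "ab") as fh:  # simulate third-party modification
        fh.write(b"\x90")
    return clean, verify_tag(tag, d)
```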

So, in the end, good practice is not to publish which applications and specific software versions you use, although, as noted earlier, that can be difficult. You want to be sure that you have an accurate, current software inventory that is regularly compared against a list of known vulnerabilities, such as the NIST NVD, and that the IT department can take immediate action to remediate a threat. Together with up-to-date intrusion detection, antivirus scanning and other blocking methods, this will at least make it very difficult to compromise your environment, and if and when that happens, it will not go undetected for a long time.

In some cases vulnerabilities arise from the use of development tools of various origins, which increases the risk of defects of different kinds in the program code.

Vulnerabilities also appear when third-party or open-source components are added. Foreign code is often used "as is", without careful analysis and security testing.

Nor can one rule out the presence of insiders on the development team who deliberately add undocumented functions or elements to the product being created.

Classification of software vulnerabilities

Vulnerabilities result from errors made at the design or coding stage of the program.

Depending on the stage at which they appear, this type of threat is divided into design, implementation and configuration vulnerabilities.

  1. Errors made at the design stage are the hardest to detect and eliminate. These are inaccuracies in algorithms, backdoors (implants), inconsistencies in the interfaces between modules or in the protocols for interacting with hardware, and the adoption of suboptimal technologies. Eliminating them is a very time-consuming process, partly because they can show up in non-obvious situations, for example when the expected traffic volume is exceeded or when a large amount of additional equipment is connected, which makes it harder to provide the required level of security and leads to a firewall bypass.
  2. Implementation vulnerabilities appear at the stage of writing the program or introducing security algorithms into it. These are incorrect organization of the computational process and syntactic and logical defects. There is a risk that such a flaw results in a buffer overflow or a different kind of problem. Detecting them takes a lot of time, and eliminating them means correcting specific sections of the code.
  3. Hardware and software configuration errors are very common. Their usual causes are insufficiently careful development and a lack of testing of additional features for correct operation. This category also includes simple passwords and default accounts left unchanged.

According to statistics, vulnerabilities are found most often in popular, widely used products: desktop and mobile operating systems and browsers.

Risks of using vulnerable programs

The programs in which the most vulnerabilities are found are present on almost all computers. Cybercriminals have a direct interest in finding such flaws and writing exploits for them.

Since quite a long time usually passes after a vulnerability is discovered, there are plenty of opportunities to infect computer systems through holes in the security of the program code. It is enough for the user to open, for example, a malicious PDF file containing an exploit just once, after which the attackers gain access to the data.

In the latter case, infection follows this sequence:

  • The user receives a phishing e-mail from a seemingly trusted sender.
  • An exploit file is attached to the e-mail.
  • If the user opens the file, the computer is infected with a virus, a trojan (for example, ransomware) or other malware.
  • The cybercriminals gain unauthorized access to the system.
  • Valuable data is stolen.

Studies by various companies (Kaspersky Lab, Positive Technologies) show that almost any application, including antivirus products, contains vulnerabilities. The probability of installing software with flaws of varying criticality is therefore very high.

To minimize the number of holes in software, an SDL (Secure Development Lifecycle) should be used. SDL is intended to reduce the number of bugs in applications at every stage of their creation and support. When designing software, information security specialists and programmers model cyber threats in order to find vulnerable places. During programming, the process includes automated tools that immediately report potential flaws. Developers strive to strictly limit the functions available to unverified users, which reduces the attack surface.

To minimize the impact of vulnerabilities and the damage from them, some rules must be followed:

  • Promptly install fixes (patches) for applications, or, preferably, enable automatic updates.
  • Where possible, do not install dubious programs whose quality and technical support raise questions.
  • Use dedicated vulnerability scanners or specialized antivirus features that search for security errors and update software when necessary.

Vulnerability management is the identification, assessment, classification and selection of remedies for vulnerabilities. Its foundation is a vulnerability database, one of which is the vulnerability management system of Perspective Monitoring.

Our solution monitors the appearance of information about vulnerabilities in operating systems (Windows, Linux/Unix-based), office and application software, hardware, and information security tools.

Data sources

The database of the Perspective Monitoring vulnerability management system is automatically replenished from the following sources:

  • The Information Security Threats Data Bank (BDU) of FSTEC of Russia.
  • The NIST National Vulnerability Database (NVD).
  • Red Hat Bugzilla.
  • Debian Security Bug Tracker.
  • The CentOS mailing list.

We also replenish our vulnerability database by an automated method. We have developed a web crawler and a parser for unstructured data that every day analyze more than a hundred foreign and Russian sources for a set of keywords: groups on social networks, blogs, microblogs, and media dedicated to information technology and information security. If these tools find something that matches the search terms, an analyst manually checks the information and enters it into the vulnerability database.

Control of software vulnerabilities

With the help of the vulnerability management system, developers can monitor the presence and status of known vulnerabilities in the third-party components of their software.

For example, in the Secure Software Development Life Cycle (SSDLC) of Hewlett Packard Enterprise, control of third-party libraries occupies one of the central places.

Our system tracks vulnerabilities in parallel versions/builds of the same software product.

It works like this:

1. The developer sends us a list of the third-party libraries and components used in the product.

2. We check daily:

b. Whether fixes for previously detected vulnerabilities have appeared.

3. We notify the developer if the status or score has changed, in accordance with the specified role model. This means that different development groups within one company receive alerts and see vulnerability status only for the product they work on.

The alert frequency of the vulnerability control system can be configured arbitrarily, but when a vulnerability with a CVSS score above 7.5 is detected, developers receive an immediate alert.

Integration with ViPNet TIAS

The ViPNet Threat Intelligence Analytics System (TIAS) hardware and software complex automatically detects computer attacks and identifies incidents based on information security events arriving from various sources. The main source of events for ViPNet TIAS is ViPNet IDS, which analyzes incoming and outgoing network traffic using the AM Rules decision-rule databases developed by Perspective Monitoring. Some of the signatures are written to detect the exploitation of vulnerabilities.

If ViPNet TIAS detects an information security incident in which a vulnerability was exploited, all information associated with that vulnerability is automatically entered into the incident card, including methods for eliminating or mitigating its negative impact.

The incident management system helps in investigating information security incidents by providing analysts with information about indicators of compromise and the potentially affected assets of the information infrastructure.

Monitoring for vulnerabilities in information systems

Another scenario for using the vulnerability management system is on-demand checking.

The customer independently compiles the list of system and application software and components installed on a node (workstation, server, DBMS, hardware/software security appliance, network equipment), and receives a report on their vulnerabilities and periodic alerts about changes in their status.

How the system differs from common vulnerability scanners:

  • It does not require monitoring agents to be installed on the nodes.
  • It does not create network load, since the architecture has no agents and no scanning servers.
  • It does not load the equipment, since the list of components is produced by system commands or a lightweight open-source script.
  • It eliminates the possibility of information leakage. Perspective Monitoring cannot learn anything reliable about the physical or logical location or the functional purpose of a node in the information system. The only information that leaves the customer's controlled perimeter is a TXT file with a list of software components. The customer checks the contents of this file and uploads it into the vulnerability management system.
  • We do not need system accounts on the monitored nodes. The information is collected by the node administrator under his own account.
  • Information is transmitted securely over ViPNet VPN, IPsec or HTTPS.

Connecting to the Perspective Monitoring vulnerability management service helps the customer fulfil requirement ANZ.1, "Detection and analysis of information system vulnerabilities and prompt elimination of newly identified vulnerabilities", of FSTEC of Russia Orders No. 17 and 21. Our company is licensed by FSTEC of Russia for the technical protection of confidential information.
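The component-list workflow of the two sections above (the daily check with role-based alerts and the CVSS threshold, and the on-demand check driven by an uploaded TXT list), as an added Python example that is not Perspective Monitoring's own code; the TXT layout, the feed records and the product-to-group role model are constructed assumptions.

```python
import re
IMMEDIATE_CVSS = 7.5  # page's rule: a score above this triggers an immediate alert

# Constructed TXT component list (assumed layout): "[product:<name>]" header lines,
# then one "<component> <version>" pair per line.
COMPONENT_LIST = """[product:Billing]
openssl 1.1.1k
libxml2 2.9.10
[product:Portal]
openssl 3.0.2
zlib 1.2.11
"""

# Constructed feed records, not real advisories: affected means version < fixed_in
# (or every version while no fix exists).
FEED = [
    {"id": "VULN-A", "component": "openssl", "fixed_in": "1.1.1l", "cvss": 9.8, "fix": True},
    {"id": "VULN-B", "component": "zlib", "fixed_in": "1.2.12", "cvss": 7.5, "fix": True},
    {"id": "VULN-C", "component": "libxml2", "fixed_in": None, "cvss": 5.3, "fix": False},
]

ROLE_MODEL = {"Billing": "billing-devs", "Portal": "portal-devs"}  # product -> group

def version_key(v):
    """Order versions such as 1.1.1k: numeric runs as ints, the rest as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"(\d+)", v) if p)

def parse_component_list(text):
    """Return {(product, component): version} from the uploaded TXT file."""
    product, inventory = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[product:") and line.endswith("]"):
            product = line[len("[product:"):-1]
        else:
            name, version = line.split()
            inventory[(product, name)] = version
    return inventory

def daily_check(inventory, feed, role_model):
    """Match each component against the feed and route alerts by product group."""
    alerts = []
    for (product, comp), ver in inventory.items():
        for rec in feed:
            if rec["component"] != comp:
                continue
            if rec["fixed_in"] and version_key(ver) >= version_key(rec["fixed_in"]):
                continue  # already on a fixed version
            alerts.append({"id": rec["id"], "product": product, "component": comp,
                           "version": ver, "cvss": rec["cvss"], "fix_available": rec["fix"],
                           "notify": role_model[product],
                           "immediate": rec["cvss"] > IMMEDIATE_CVSS})
    return alerts

def changed_since(previous, current):
    """Notify only when a vulnerability's status (fix available) or score changed."""
    seen = {(a["id"], a["product"]): (a["fix_available"], a["cvss"]) for a in previous}
    return [a for a in current
            if seen.get((a["id"], a["product"])) != (a["fix_available"], a["cvss"])]
```

Note that VULN-B scores exactly 7.5 and is therefore not flagged as immediate, matching the "above 7.5" rule.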

Cost

The minimum cost is 25,000 rubles per year for 50 nodes connected to the system, provided there is an existing contract for connection to

A large number of tools designed to automate the search for software vulnerabilities have now been developed. This article considers some of them.

Introduction

Static code analysis is analysis of software that is performed on the program's source code, without actually executing the program under study.

Software often contains a variety of vulnerabilities caused by errors in the program code. Errors made during development can in some situations cause the program to fail, disrupting its normal operation: data is frequently altered or damaged, and the program, or even the system, stops. Most vulnerabilities are associated with incorrect handling of data received from outside, or with insufficiently strict checking of it.

Various tools are used to find vulnerabilities, for example static analyzers of program source code, an overview of which is given in this article.

Classification of security vulnerabilities

When the requirement that a program operate correctly on all possible input data is violated, so-called security vulnerabilities become possible. Security vulnerabilities can mean that a single program can be used to overcome the protection restrictions of the system as a whole.

Classification of security vulnerabilities by the program error that causes them:

  • Buffer overflow. This vulnerability arises from a lack of bounds checking on arrays in memory during program execution. When a large block of data overflows a limited buffer, the contents of neighbouring memory cells are overwritten, and the program fails and terminates abnormally. Depending on where the buffer is located in the process's address space, stack buffer overflow, heap buffer overflow and static data area (BSS) buffer overflow are distinguished.
  • Tainted input vulnerability. A "tainted input" vulnerability can occur when data entered by the user is passed, without sufficient checking, to an interpreter of some external language (usually a UNIX shell or SQL). In this case the user can craft the input so that the launched interpreter executes a command other than the one the authors of the vulnerable program intended.
  • Format string vulnerability. This type of security vulnerability is a subclass of "tainted input". It arises from insufficient checking of the parameters passed to the formatted I/O functions printf, fprintf, scanf, etc. of the standard C library. These functions take as one of their parameters a character string that specifies the input or output format of the subsequent function arguments. If the user can set the format string, this vulnerability may result from incorrect use of the string formatting functions.
  • Vulnerabilities resulting from synchronization errors (race conditions). Multitasking problems lead to situations called "race conditions": a program that was not designed to run in a multitasking environment may assume, for example, that the files it uses cannot be changed by another program. As a result, an attacker who replaces the contents of these working files at the right moment can force the program to perform certain actions.

Of course, there are other classes of security vulnerabilities besides those listed.

Overview of existing analyzers

The following tools are used to detect security vulnerabilities in programs:

  • Dynamic debuggers: tools that allow the program to be debugged while it is executing.
  • Static analyzers (static debuggers): tools that use information accumulated during static analysis of the program.

Static analyzers point out the places in the program where an error is possible. These suspicious code fragments may contain an error, or may turn out to be completely safe.
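A minimal static checker for the vulnerability classes listed above, added here as an illustration and not taken from any analyzer the article reviews: it scans a constructed C sample for unbounded copies, non-literal format strings and strings handed to a shell interpreter, and shows the point just made by reporting a format argument that is a file-level literal constant as only "probably safe" rather than as a finding.

```python
import re
# Call patterns a minimal checker looks for, keyed to the vulnerability classes above.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
UNBOUNDED = {"gets", "strcpy", "strcat", "sprintf"}  # no bound on the destination buffer
INTERPRETERS = {"system", "popen"}  # hand a string to an external shell interpreter
IDENT_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
CONST_RE = re.compile(r'const\s+char\s*\*\s*(\w+)\s*=\s*"')

# Constructed C sample with one instance of each pattern plus one false positive.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
static const char *banner = "ready\n";
void log_user(const char *user) {
    char buf[64];
    strcpy(buf, user);      /* unbounded copy into a 64-byte buffer */
    printf(user);           /* caller-controlled format string */
    printf(banner);         /* same shape, but banner is a literal constant */
    fprintf(stderr, "%s\n", buf);
}
int run(const char *cmd) { return system(cmd); }
'''

def find_calls(line):
    """Yield (function name, argument text) for every balanced call on the line."""
    for m in IDENT_RE.finditer(line):
        depth, start = 0, m.end()
        for i in range(start - 1, len(line)):
            depth += (line[i] == "(") - (line[i] == ")")
            if depth == 0:
                yield m.group(1), line[start:i]
                break

def split_args(argtext):
    """Split on top-level commas only, so nested calls stay intact."""
    args, depth, cur = [], 0, ""
    for ch in argtext:
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    return args + [cur.strip()] if cur.strip() else args

def analyze(source):
    """Return (line number, class, detail) findings. A format variable that is a
    file-level literal constant is reported as 'probably-safe' (the false-positive case)."""
    literal_consts = set(CONST_RE.findall(source))
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for fn, argtext in find_calls(line):
            args = split_args(argtext)
            if fn in UNBOUNDED:
                findings.append((no, "buffer-overflow", fn + " has no destination bound"))
            if fn in FORMAT_ARG and len(args) > FORMAT_ARG[fn]:
                fmt = args[FORMAT_ARG[fn]]
                if not fmt.startswith('"'):
                    kind = "probably-safe" if fmt in literal_consts else "format-string"
                    findings.append((no, kind, "non-literal format argument " + fmt))
            if fn in INTERPRETERS and args and not args[0].startswith('"'):
                findings.append((no, "tainted-input", fn + " receives a non-literal command"))
    return findings
```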

This article offers an overview of several existing static analyzers. Let us consider each of them in more detail.