PRODUCT COMPARISONS


Introduction

 

The main criterion for judging a security scanner is, of course, the number of vulnerabilities it can detect. But a scanner should be judged by the vulnerabilities it actually finds, not by the size of the database its manufacturer advertises. For example, a scanner that recognises services only by their well-known port numbers cannot test a service running on a non-standard port, so vulnerabilities that are in its database still go undetected on that host.
A second criterion is the number of false detections. A cautious report is better than a silent one, but every false detection has to be verified by hand, and a scanner that produces many of them costs security specialists and system administrators a great deal of time spent checking and filtering results.
The third criterion is convenience. It matters less than the other two, but a scanner that is easy to schedule, configure and report from saves time and reduces operator error.
Tested Products

 

In this survey the following products were tested (the abbreviations in the second column are used in the result tables below):

  #  Abbr.  Product            Version   Manufacturer                 Link
  1  IS     Internet Scanner   7.0       Internet Security Systems    http://www.iss.net
  2  LG     LanGuard           3.2       GFI                          http://www.gfi.com
  3  Ns     Nessus             2.0.6     Renaud Deraison              http://www.nessus.org
  4  NR     NetRecon           3.6       Symantec                     http://www.symantec.com
  5  Rt     Retina             4.9.97    eEye Digital Security        http://www.eeye.com
  6  MP     MaxPatrol          7.0       Positive Technologies        http://www.ptsecurity.ru

Before testing, each scanner's vulnerability database was updated over the Internet to the most recent version available.

 

Checked Platforms

 

Servers using the following operating systems were analyzed by the scanners:
  1. RedHat Linux 7.2 (Enigma) 2.4.18 SMP
  2. Sun Solaris 7 (SPARC)
  3. Windows XP Professional
  4. Windows 2000 Server
  5. Windows 2000 Server (with port mappings from FreeBSD 4.7, RedHat Linux 8 and Windows XP Professional)
  6. Windows 2000 Professional (with HoneyPot installed and emulation of FTP, SSH, HTTP, POP3, NNTP services)
The last server in the list was deliberately configured to make analysis difficult. Every emulated service except HTTP sent a service banner on connection and then returned that same response to every subsequent query. The emulated HTTP service answered every request with the same reply, except that the status was chosen at random between "200 OK" and "404 Not Found".
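The following Python is an added example written for this page (not code from any tested product) that shows why that host defeats a check which trusts the HTTP status code, and how a check can protect itself. It simulates three web servers: a normal one, a "catch-all" one that answers 200 with its home page for any path, and one behaving like the honeypot just described. The check reports a path as present only when the same server returns 404 for paths that cannot exist, answers 200 for the target consistently, and serves different content for the two. All servers, paths and bodies are constructed.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes


# --- Constructed servers (pure functions, no network) -----------------------

NORMAL_PAGES = {
    "/": b"<h1>Welcome</h1>",
    "/cgi-bin/test-cgi": b"CGI/1.1 test script report:\nargc is 0.",
}


def normal_server(path):
    """A distinct body for each real page and a 404 page for everything else."""
    if path in NORMAL_PAGES:
        return Response(200, NORMAL_PAGES[path])
    return Response(404, b"<h1>404 Not Found</h1>")


def catch_all_server(path):
    """'Friendly' server: the home page with status 200 for every path.
    A check that trusts the status code alone reports every file as present."""
    return Response(200, b"<h1>Welcome</h1>")


class HoneypotServer:
    """The behaviour described for the sixth test host: the reply body never
    changes and the status is chosen at random between 200 and 404."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)

    def __call__(self, path):
        return Response(self.rng.choice([200, 404]), b"<html><body>ok</body></html>")


# --- The scanner side --------------------------------------------------------

def random_path(rng, length=12):
    """A path that cannot plausibly exist, used to establish a 404 baseline."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "/" + "".join(rng.choice(alphabet) for _ in range(length))


def confirm(fetch, path, rng=None, probes=3):
    """Decide whether `path` really exists on the server behind `fetch`.

    Returns "present", "absent" or "inconclusive". A 200 on `path` counts as
    evidence only when (a) every probe of a random non-existent path gets 404,
    (b) `path` itself answers 200 on every probe, and (c) the body served for
    `path` differs from the body served for the non-existent paths.
    """
    if rng is None:
        rng = random.Random(1)
    baseline = [fetch(random_path(rng)) for _ in range(probes)]
    target = [fetch(path) for _ in range(probes)]

    if any(r.status != 404 for r in baseline):
        return "inconclusive"          # nonsense paths get 200: status carries no signal
    statuses = {r.status for r in target}
    if statuses == {404}:
        return "absent"
    if statuses != {200}:
        return "inconclusive"          # status flaps between identical probes
    if any(t.body == b.body for t in target for b in baseline):
        return "inconclusive"          # same content for real and bogus paths
    return "present"


def naive_confirm(fetch, path):
    """What a status-only check does; shown for contrast."""
    return "present" if fetch(path).status == 200 else "absent"


if __name__ == "__main__":
    probe_path = "/cgi-bin/test-cgi"
    for name, server in [("normal", normal_server), ("catch-all", catch_all_server),
                         ("honeypot", HoneypotServer(seed=7))]:
        print(f"{name:<10} naive={naive_confirm(server, probe_path):<8} "
              f"checked={confirm(server, probe_path)}")
```

Against the honeypot the careful check can never answer "present": either a bogus path gets a 200, or the target's status flaps, or the body is the same for every path. The same idea applies to the other emulated services on that host: a reply to a second command (an FTP `USER`, a POP3 `CAPA`) that is byte-identical to the banner is not evidence that the service is what its banner claims, let alone that it is vulnerable.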

 

Methods of Comparison
Detection quality was scored in points as follows:

  Severity             Correct detection   False detection
  critical             +3                  -1.5
  average              +2                  -1
  information only     +1                  -0.5

Each false detection subtracts half the points awarded for a correct detection of the same severity. The premise is that a false positive does no direct harm but still delays remediation, because it must be investigated before it can be dismissed. A vulnerability the scanner misses scores nothing either way.
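The scoring rule as an added worked example in Python (written for this page, not a tool from the survey). The penalty is derived from the bonus so the 50% rule is stated only once, and the expected-value helper goes one step beyond the text by showing what the rule implies for a check with a given precision. The sample findings are constructed.

```python
# Points for a correct detection, by severity (from the table above).
BONUS = {"critical": 3.0, "average": 2.0, "information": 1.0}


def points(severity, correct):
    """Score of one finding: the full bonus if correct, minus half of it if false."""
    bonus = BONUS[severity]
    return bonus if correct else -bonus / 2


def score(findings):
    """findings: iterable of (severity, correct) pairs for one scanner.
    Returns (total_correct, penalty, grand_total) as in the results table."""
    findings = list(findings)
    total_correct = sum(points(s, True) for s, ok in findings if ok)
    penalty = sum(points(s, False) for s, ok in findings if not ok)
    return total_correct, penalty, total_correct + penalty


def expected_points(severity, precision):
    """Expected score of a check that is right with probability `precision`.
    Positive whenever precision > 1/3, so the rule is lenient on noisy checks:
    a check wrong two times out of three still breaks even."""
    return precision * points(severity, True) + (1 - precision) * points(severity, False)


# Constructed report from a hypothetical scanner run against one host.
SAMPLE_FINDINGS = [
    ("critical", True),        # e.g. a remote root exploit that really is there
    ("critical", True),
    ("average", True),
    ("information", True),
    ("average", False),        # version-based guess; the host was patched
    ("critical", False),
]

if __name__ == "__main__":
    print(score(SAMPLE_FINDINGS))               # (9.0, -2.5, 6.5)
    print(expected_points("critical", 1 / 3))   # break-even, ~0
```

The break-even point is worth keeping in mind when reading the totals below: under this rule a scanner gains from reporting anything it is more than one-third sure of, so the penalty column understates how much verification work a noisy scanner creates.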

Product user interface and operating convenience were assessed on the following points:
  1. Ability to update the scanner and its vulnerability database from the Internet
  2. Built-in scan scheduler
  3. Availability of different scan profiles, and the ability to create profiles for specific tasks
  4. Ability to pause a scan during temporary network problems and resume it from the same point (especially important when scanning large networks)
  5. Report formats designed for administrators and for management
  6. Remote scanning through a client module connected to a scan server
Final results
 

Detailed tables with scan results are given in Appendix A. Total points are as follows:

                                      IS     LG     MP     Ns     NR     Rt
  Total correct detections            74     39     133    111    39     89
  Penalty for false detections        -7     -1.5   -1.5   -16    -6.5   -7.5
  Grand total (penalty subtracted)    67     37.5   131.5  95     32.5   81.5
 
These data are easier to interpret when plotted on a chart:

 
 
Table of total functionality comparison results (+ = supported, - = not supported):

                    IS   LG   MP   Ns   NR   Rt
  Update            +    +    +    +    +    +
  Scheduler         +    -    +    -    -    -
  Profiles          +    -    +    +    -    +
  Scan pause        +    -    +    -    +    +
  Report variety    +    +    +    +    -    +
  Client-server     +    -    -    +    -    -
 

As you can see, all the scanners scored almost identically in convenience and most other features, with the exception of LanGuard and NetRecon.

 

Comments

 

In speed of operation the slowest product was Internet Scanner, followed by MaxPatrol and Nessus; the three fastest were LanGuard, Retina and NetRecon. Speed, however, is among the least significant criteria for a security scanner. The first and most important indicator was and remains the quality of vulnerability detection.

 

Appendix A.

Testing Data For Network Scanners In Various Operating Systems

Due to the large size of this Appendix (nearly 300Kb), it is available in a separate file.

 

Copyright 2005 Global Digital Forensics