Patch Auditing

Dynamic Remote Registry Auditing - Now you see it, now you don’t!

by Ron Gula on March 2, 2009

Recently, Tenable’s Research group added the ability for Nessus credentialed scans to automatically start and stop the Windows Remote Registry service. This blog entry discusses the technical and political ramifications of this new feature. Scanning Systems without the Remote Registry service running The Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry won’t be possible, even with full credentials. Here is a screen shot of a Windows 2003 server that...

Misleading Patch Audits

by Ron Gula on February 20, 2009

I often tell Nessus users that patch auditing is more efficient and accurate than network scanning. And for the most part, this is absolutely true. However, there are several cases when patch auditing, or a lack of understanding of how patch auditing works, can actually give you bad data. This blog will describe the many subtle nuances to conducting patch audits. Where do patches come from? When I have the opportunity to interview potential new employees for Tenable, I often ask many questions about the differences between un-credentialed network scanning and credentialed patch auditing. I’m...

64 Bit Patch Audits for Windows 2003

by Ron Gula on August 22, 2008

Tenable's Research group recently added support to the Nessus ProfessionalFeed and HomeFeed to audit missing 64 bit Windows 2003 security patches via file version checks. File version checking is the most effective way to test a Windows system for missing patches. Nessus has been able to do this on most Windows OSes (including 64 bit Windows Vista and Windows 2008) for a long time and due to customer demand, we've added support for Windows 2003 64 bit systems. Tenable also recently improved the performance of the smb_hotfixes.nasl plugin to reduce network traffic. This will decrease the...

PatchDiff2 - High Performance Patch Analysis

by Ron Gula on June 26, 2008

Tenable Network Security has released PatchDiff2 for the IDA disassembler. PatchDiff2 can be used to compare the differences in patches provided by vendors in order to understand what has been modified and where previous security holes existed. In some cases, such as the recent MS08-030 release and re-release for Windows XP, a tool like PatchDiff2 can show that a patch update didn't actually modify anything. PatchDiff2 is provided FREE to the community in the hope that it will help research engineers to better analyze patches. Tasks performed by PatchDiff2 include: Display the list of...

UNIX Patch Auditing Over Telnet

by Ron Gula on November 8, 2007

One of the powerful features of Nessus is its ability to perform patch auditing for many different operating systems over many different protocols. Most Nessus users understand that Nessus supports UNIX audits with the Secure Shell protocol and that it can also log into Windows systems. This blog entry will discuss using Telnet as a method for Nessus to perform patch auditing. Who is Still Using Telnet? More organizations use Telnet than the average IT security professional realizes. There are a wide variety of international, licensing and compatibility issues that may have forced...