Software vulnerabilities. Smart scanning. Solving detected problems

In some cases, vulnerabilities arise from the use of development tools of various origins, which increases the risk of sabotage-type defects being introduced into the program code.

Vulnerabilities also appear when third-party components or freely distributed (open source) code are added to the software. Someone else's code is often used “as is”, without thorough analysis and security testing.

Nor can one exclude the presence of insider programmers on the team who deliberately introduce additional undocumented functions or elements.

Classification of program vulnerabilities

Vulnerabilities arise from errors made during the design or writing of program code.

Depending on the stage of occurrence, this type of threat is divided into design, implementation and configuration vulnerabilities.

  1. Errors made during design are the most difficult to detect and eliminate. These are inaccuracies in algorithms, backdoors, inconsistencies in the interfaces between different modules or in the protocols for interaction with hardware, and the introduction of suboptimal technologies. Eliminating them is very labor-intensive, in part because they can manifest in non-obvious cases, for example when the intended traffic volume is exceeded or when a large amount of additional equipment is connected, which complicates providing the required level of security and opens ways to bypass the firewall.
  2. Implementation vulnerabilities appear at the stage of writing the program or implementing security algorithms in it. These are incorrect organization of the computing process and syntactic and logical defects. There is a risk that such a flaw will lead to a buffer overflow or other problems. Detecting them takes a lot of time, and eliminating them involves correcting specific parts of the machine code.
  3. Hardware and software configuration errors are quite common. Their usual causes are insufficiently careful development and a lack of tests for the correct operation of additional functions. This category also includes overly simple passwords and default accounts left unchanged.

According to statistics, vulnerabilities are found especially often in popular and widespread products: desktop and mobile operating systems and browsers.

Risks of using vulnerable programs

The programs that contain the largest number of vulnerabilities are installed on almost all computers, so cybercriminals have a direct interest in finding such flaws and writing exploits for them.

Since quite a lot of time passes between the discovery of a vulnerability and the publication of a fix (patch), there are plenty of opportunities to infect computer systems through gaps in the security of the program code. In such a case the user only needs to open, for example, a malicious PDF file containing an exploit once, after which the attackers gain access to the data.

In this case, infection proceeds as follows:

  • The user receives a phishing e-mail from a seemingly credible sender.
  • A file containing an exploit is attached to the letter.
  • If the user attempts to open the file, the computer becomes infected with a virus, Trojan (ransomware) or other malicious program.
  • Cybercriminals gain unauthorized access to the system.
  • Valuable data is stolen.

Research conducted by various companies (Kaspersky Lab, Positive Technologies) shows that vulnerabilities exist in almost any application, including antiviruses. Therefore, the likelihood of installing a software product containing flaws of varying degrees of criticality is very high.

To minimize the number of gaps in software, it is necessary to use an SDL (Security Development Lifecycle). SDL is used to reduce the number of bugs in applications at all stages of their creation and support. During software design, information security specialists and programmers model cyber threats in order to find vulnerabilities. During programming, automated tools are included in the process so that potential flaws are reported immediately. Developers strive to significantly limit the functionality available to untrusted users, which reduces the attack surface.

To minimize the impact of vulnerabilities and the damage caused by them, you must follow some rules:

  • Promptly install the fixes (patches) released by developers for applications, or (preferably) enable automatic updates.
  • If possible, do not install dubious programs whose quality and technical support raise questions.
  • Use dedicated vulnerability scanners or the specialized functions of antivirus products that search for security errors and, if necessary, update the software.

When you run Smart Scan, Avast checks your PC for the following types of problems and then suggests solutions for them.

  • Viruses: files containing malicious code that may affect the security and performance of your PC.
  • Vulnerable software: programs that require updating and can be used by attackers to gain access to your system.
  • Browser extensions with a bad reputation: browser extensions that are usually installed without your knowledge and affect system performance.
  • Weak passwords: passwords that are used to access more than one online account and can be easily hacked or compromised.
  • Network threats: vulnerabilities in your network that could allow attacks on your network devices and router.
  • Performance issues: objects (unnecessary files and applications, problems related to settings) that may interfere with the operation of the PC.
  • Conflicting antiviruses: antivirus programs installed on your PC alongside Avast. Having several antivirus programs installed slows down your PC and reduces the effectiveness of antivirus protection.

Note. Certain issues detected by Smart Scan may require a separate license to resolve. Detection of unnecessary problem types can be disabled in .

Solving detected problems

A green check mark next to the scan area indicates that no problems were found with that area. A red cross means the scan has identified one or more related problems.

To view details of the detected issues, click Solve everything. Smart Scan shows the details of each issue and offers to fix it immediately by clicking Decide, or later by clicking Skip this step.

Note. Antivirus scan logs can be viewed in the scan history, which is accessed by selecting Protection > Antivirus.

Manage Smart Scan Settings

To change Smart Scan settings, select Settings > General > Smart Scan and specify which of the following problem types Smart Scan should check for.

  • Viruses
  • Outdated software
  • Browser add-ons
  • Network threats
  • Compatibility issues
  • Performance issues
  • Weak passwords

By default, all problem types are enabled. To stop checking for a specific issue during a Smart Scan, click the Included slider next to that problem type so that it switches to Turned off.

Click Settings next to Virus scanning to change the scan settings.

Vulnerability management is the identification, assessment, classification and selection of a remedy for vulnerabilities. Its foundation is repositories of vulnerability information, one of which is the Perspective Monitoring Vulnerability Management System.

Our solution monitors the appearance of information about vulnerabilities in operating systems (Windows, Linux/Unix-based), office and application software, firmware, and information security tools.

Data sources

The database of the Perspective Monitoring Software Vulnerability Management System is automatically updated from the following sources:

  • Data Bank of Information Security Threats (BDU) of FSTEC of Russia.
  • NIST National Vulnerability Database (NVD).
  • Red Hat Bugzilla.
  • Debian Security Bug Tracker.
  • CentOS Mailing List.

We also use an automated method to update our vulnerability database. We have developed a web crawler and unstructured-data parser that every day analyzes more than a hundred different foreign and Russian sources for a set of keywords: groups in social networks, blogs, microblogs, and media dedicated to information technology and information security. If these tools find something that matches the search criteria, an analyst manually verifies the information and enters it into the vulnerability database.

Software vulnerability monitoring

Using the Vulnerability Management System, developers can monitor the presence and status of detected vulnerabilities in third-party components of their software.

For example, in Hewlett Packard Enterprise's Secure Software Developer Life Cycle (SSDLC) model, control of third-party libraries is central.

Our system monitors the presence of vulnerabilities in parallel versions/builds of the same software product.

It works like this:

1. The developer provides us with a list of third-party libraries and components that are used in the product.

2. We check daily:

b. whether methods of eliminating previously discovered vulnerabilities have appeared.

3. We notify the developer if the status or score of a vulnerability has changed, in accordance with the configured role model. This means that different development teams within the same company receive alerts and see vulnerability status only for the product they are working on.

The alert frequency of the Vulnerability Management System is configurable, but if a vulnerability with a CVSS score greater than 7.5 is detected, developers receive an immediate alert.
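The daily check and alerting step above, as an added example that is not Perspective Monitoring's code: two constructed daily snapshots are diffed, events are filtered per team according to an assumed role model (a team owns products, a product lists its components), and anything scoring above CVSS 7.5 is marked for immediate delivery. The record fields, placeholder vulnerability ids and team names are assumptions.

```python
from dataclasses import dataclass

IMMEDIATE_CVSS = 7.5   # threshold named on the page: above it, alert at once

@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # placeholder ids below, not real CVE numbers
    component: str    # third-party library and version as supplied by the developer
    cvss: float
    status: str       # e.g. "open" or "fix available"

def diff_snapshots(previous, current):
    # Compare two daily snapshots keyed by (id, component): returns (new, changed)
    prev = {(v.vuln_id, v.component): v for v in previous}
    new, changed = [], []
    for v in current:
        old = prev.get((v.vuln_id, v.component))
        if old is None:
            new.append(v)
        elif (old.status, old.cvss) != (v.status, v.cvss):
            changed.append(v)
    return new, changed

def build_alerts(previous, current, product_components, team_products):
    # Role model: a team only gets events for components of its own products; returns {team: [(urgency, msg)]}
    new, changed = diff_snapshots(previous, current)
    events = [("new", v) for v in new] + [("changed", v) for v in changed]
    alerts = {}
    for team, products in team_products.items():
        scope = {c for p in products for c in product_components.get(p, [])}
        for kind, v in events:
            if v.component in scope:
                urgency = "immediate" if v.cvss > IMMEDIATE_CVSS else "scheduled"
                msg = f"{kind}: {v.vuln_id} in {v.component} cvss={v.cvss} status={v.status}"
                alerts.setdefault(team, []).append((urgency, msg))
    return alerts

# Constructed sample snapshots (yesterday vs today) and role model
YESTERDAY = [Vuln("VULN-0001", "libfoo 1.2", 5.0, "open"),
             Vuln("VULN-0002", "libbar 3.1", 9.1, "open")]
TODAY = [Vuln("VULN-0001", "libfoo 1.2", 5.0, "fix available"),   # status changed
         Vuln("VULN-0002", "libbar 3.1", 9.1, "open"),            # unchanged: no alert
         Vuln("VULN-0003", "libbaz 0.9", 8.0, "open")]            # new and above 7.5
PRODUCT_COMPONENTS = {"app-a": ["libfoo 1.2"], "app-b": ["libbar 3.1", "libbaz 0.9"]}
TEAM_PRODUCTS = {"team-a": ["app-a"], "team-b": ["app-b"]}

def run_daily_check():
    return build_alerts(YESTERDAY, TODAY, PRODUCT_COMPONENTS, TEAM_PRODUCTS)
```

Running `run_daily_check()` gives team-a only the scheduled status-change notice for libfoo and team-b only the immediate alert for the new libbaz finding; the unchanged libbar record produces nothing.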

Integration with ViPNet TIAS

The ViPNet Threat Intelligence Analytics System (ViPNet TIAS) is a software and hardware system that automatically detects computer attacks and identifies incidents based on events received from various information security sources. The main source of events for ViPNet TIAS is ViPNet IDS, which analyzes incoming and outgoing network traffic using the AM Rules decision-rule base developed by Perspective Monitoring. Some of these signatures are written to detect the exploitation of vulnerabilities.

If ViPNet TIAS detects an information security incident in which a vulnerability was exploited, all information about that vulnerability, including methods of eliminating or compensating for its negative impact, is automatically entered into the incident card from the management system.

The incident management system also helps in the investigation of information security incidents by providing analysts with information about indicators of compromise and the information infrastructure nodes potentially affected by the incident.

Monitoring the presence of vulnerabilities in information systems

Another scenario for using a vulnerability management system is on-demand scanning.

The customer independently generates, using built-in tools or a script developed by us, a list of the system and application software and components installed on a node (workstation, server, DBMS, information security software package, network hardware), transmits this list to the management system, and receives a report on the detected vulnerabilities along with periodic notifications about their status.

Differences between the System and common vulnerability scanners:

  • Does not require the installation of monitoring agents on nodes.
  • Does not create load on the network, since the solution's architecture has no scanning agents or scanning servers at all.
  • Does not create load on the equipment, since the list of components is produced by system commands or a lightweight open-source script.
  • Eliminates the possibility of information leakage. Perspective Monitoring cannot reliably learn anything about the physical or logical location or the functional purpose of a node in the information system. The only information that leaves the customer's controlled perimeter is a text file listing software components. This file is checked for content and uploaded to the management system by the customer himself.
  • The system does not need accounts on the monitored nodes. The information is collected by the node's administrator on his own behalf.
  • Secure information exchange via ViPNet VPN, IPsec or HTTPS.

Connecting to the Perspective Monitoring vulnerability management service helps the customer fulfill requirement ANZ.1, “Identification and analysis of information system vulnerabilities and prompt elimination of newly identified vulnerabilities”, of FSTEC of Russia orders No. 17 and 21. Our company is an FSTEC of Russia licensee for technical protection of confidential information.

Price

Minimum cost - 25,000 rubles per year for 50 nodes connected to the system if there is a valid contract for connection to

Another way to look at this problem is that companies must react quickly when an application has a vulnerability. This requires the IT department to be able to definitively track installed applications, components and patches using automation and standard tools. There is an industry effort to standardize software identification tags (ISO 19770-2): XML files installed alongside an application, component or patch that identify the installed software and, for a component or patch, which application it belongs to. The tags carry publisher authority information, version information, and a list of files with each file's name, a secure hash and its size, which can be used to confirm that the application is installed on the system and that its binaries have not been modified by a third party. The tags are digitally signed by the publisher.

When a vulnerability becomes known, IT departments can use their asset management software to immediately identify systems with the vulnerable software and take steps to update them. Tags can be part of a patch or update and can be used to verify that the patch has been installed. In this way, IT departments can use resources such as the NIST National Vulnerability Database to drive their asset management tools, so that as soon as a vulnerability is submitted to the NVD by a company, IT can immediately compare the new vulnerabilities against their inventory.
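An added example, not code from the page or from TagVault.org, of the tag-based check described above and of the inventory comparison that the on-demand scanning scenario earlier on the page also relies on: it parses a simplified 19770-2 style tag (element and namespace layout modelled on the 2015 schema, an assumption), compares each listed file's size and SHA-256 with the file on disk, and looks the product/version up in a constructed vulnerability list with a placeholder id. Verification of the publisher's XML signature is left out.

```python
import hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"swid": "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"}
SHA256_ATTR = "{http://www.w3.org/2001/04/xmlenc#sha256}hash"

def parse_tag(xml_text):
    # -> (name, version, publisher, [(file_name, size, sha256_hex), ...])
    root = ET.fromstring(xml_text)
    files = [(f.get("name"), int(f.get("size")), f.get(SHA256_ATTR))
             for f in root.findall("swid:Payload/swid:File", NS)]
    return root.get("name"), root.get("version"), root.find("swid:Entity", NS).get("name"), files

def verify_files(files, base_dir):
    # Size + SHA-256 check of every listed file: 'ok', 'modified' or 'missing'
    result = {}
    for name, size, digest in files:
        path = Path(base_dir, name)
        data = path.read_bytes() if path.is_file() else None
        good = data is not None and len(data) == size and hashlib.sha256(data).hexdigest() == digest
        result[name] = "missing" if data is None else ("ok" if good else "modified")
    return result

# Constructed vulnerability record with a placeholder id (not a real CVE number)
SAMPLE_VULNS = [{"id": "VULN-0001", "product": "ExampleApp", "versions": ["2.3.0", "2.3.1"]}]

def build_sample(base_dir):
    # Write one "binary" under base_dir and return a constructed tag describing it
    data = b"example binary contents\n"
    Path(base_dir, "app.bin").write_bytes(data)
    return (f'<SoftwareIdentity xmlns="{NS["swid"]}" xmlns:sha256="http://www.w3.org/2001/04/xmlenc#sha256" '
            f'name="ExampleApp" version="2.3.1" tagId="example-app-2.3.1">'
            f'<Entity name="Example Publisher" role="softwareCreator tagCreator"/>'
            f'<Payload><File name="app.bin" size="{len(data)}" '
            f'sha256:hash="{hashlib.sha256(data).hexdigest()}"/></Payload></SoftwareIdentity>')

def demo(tamper=False):
    # Install the sample, optionally alter the binary (third-party modification), run both checks
    base_dir = tempfile.mkdtemp()
    tag = build_sample(base_dir)
    if tamper:
        with Path(base_dir, "app.bin").open("ab") as fh:
            fh.write(b"!")
    name, version, publisher, files = parse_tag(tag)
    vulns = [v["id"] for v in SAMPLE_VULNS if v["product"] == name and version in v["versions"]]
    return {"publisher": publisher, "files": verify_files(files, base_dir), "vulns": vulns}
```

`demo()` reports the file as intact and the product as affected by the sample record; `demo(tamper=True)` reports the same product but flags the binary as modified, which is the "not modified by a third party" check the tag's hash list enables.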

A group of companies is working through an IEEE/ISTO non-profit organization called TagVault.org (www.tagvault.org) with the US government on a standard implementation of ISO 19770-2 that will allow this level of automation. Tags conforming to this implementation will likely become mandatory for software sold to the US government at some point in the next couple of years.

So at the end of the day, it is good practice not to publish which applications and specific software versions you are using, but as noted earlier this can be difficult. You want to ensure that you have an accurate, up-to-date software inventory, that it is regularly compared against a list of known vulnerabilities such as the NVD, and that IT can take immediate action to remediate the threat. This, together with up-to-date intrusion detection, antivirus scanning and other environment-hardening measures, will at the very least make it very difficult for your environment to be compromised, and if and when it is, the compromise will not go undetected for long.