Passive Vulnerability Scanning

Vulnerabilities such as MS15-034 are a big deal for information security specialists who have to keep up with critical security patches in high-pressure business environments. On the one hand, they know that the cat is out of the bag and that they have to find their vulnerable servers; on the other hand, they can't find a reliable scanner early enough to identify them. In addition, in some environments they are not free to run unplanned mass scans.

While scans are executed and imported, NormShield also gathers version information of assets as CPEs. NormShield also periodically gathers vulnerability and exploit information from sources such as NVD (as CVEs) and ExploitDB (as exploit IDs). These CPEs, CVEs and other exploit information are then related to each other, so NormShield can passively find possible vulnerabilities in the products that assets are using. The more granular the version information NormShield gathers, the sharper the vulnerability matching gets.

Figure 1 shows the Passive Scan tab under the asset panoramic view explained in Asset Panorama. The system matches the gathered CPEs with the CVEs and logs the matches.

Alarms are produced in two cases:

  1. A new CPE with existing CVE matches is found for an asset
  2. A new CVE is published for existing CPE(s) of an asset

Figure 1 - Passive vulnerability scan sub interface under Asset panoramic view
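
The CPE-to-CVE correlation and the two alarm cases described above can be sketched as follows. This is an added example, not NormShield's code: the function and class names, the asset names, the CPE strings and the CVE-EXAMPLE identifiers are all constructed, and matching is simplified to vendor, product and exact version.

```python
# Added illustration: names and sample data are constructed, not NormShield code.
def parse_cpe(cpe):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")  # assumption: no escaped ':' inside components
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return parts[3], parts[4], parts[5]

def cpe_matches(asset_cpe, affected_cpe):
    """Same vendor and product; '*' (any or unknown version) matches either way."""
    a, f = parse_cpe(asset_cpe), parse_cpe(affected_cpe)
    return a[:2] == f[:2] and ("*" in (a[2], f[2]) or a[2] == f[2])

class PassiveMatcher:
    def __init__(self):
        self.asset_cpes = {}  # asset name -> set of CPE strings
        self.cves = {}        # CVE id -> list of affected CPE strings
        self.logged = set()   # (asset, cpe, cve) matches already logged

    def _check(self, asset, cpe, cve, reason):
        key = (asset, cpe, cve)
        hit = key not in self.logged and any(cpe_matches(cpe, a) for a in self.cves[cve])
        self.logged.update([key] if hit else [])  # log each match only once
        return [(reason, *key)] if hit else []

    def add_cpe(self, asset, cpe):
        """Case 1: a new CPE with existing CVE matches is found for an asset."""
        self.asset_cpes.setdefault(asset, set()).add(cpe)
        return [al for cve in sorted(self.cves)
                for al in self._check(asset, cpe, cve, "new-cpe")]

    def add_cve(self, cve, affected):
        """Case 2: a new CVE is published for existing CPE(s) of an asset."""
        self.cves[cve] = list(affected)
        return [al for asset in sorted(self.asset_cpes)
                for cpe in sorted(self.asset_cpes[asset])
                for al in self._check(asset, cpe, cve, "new-cve")]

def demo():
    cpe = "cpe:2.3:a:examplevendor:examplehttpd:{}:*:*:*:*:*:*:*".format
    m = PassiveMatcher()
    out = m.add_cve("CVE-EXAMPLE-0001", [cpe("2.4.1")])   # no assets yet: silent
    out += m.add_cpe("web01", cpe("2.4.1"))               # case 1 alarm
    out += m.add_cpe("web02", cpe("2.4.2"))               # other version: silent
    out += m.add_cpe("web03", cpe("*"))                   # version unknown
    out += m.add_cve("CVE-EXAMPLE-0002", [cpe("2.4.2")])  # case 2 alarms
    return out

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the sample run, web03, whose version is unknown, is flagged for both CVEs, while web01 and web02 are each flagged for only one, which is the effect of version granularity on matching.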

Since products and their versions are determined through automatic scans, there is always a possibility that they are wrong or inconsistent. Because of this, users can also add products manually using the Search Product and Add Product operations, and can delete wrong ones with the Delete icon next to each product row.
