Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Overview

Database(s) are syncing at least once every 24 hours at a minimum

To be able to detect vulnerabilities, agents collect a list of installed applications and send it anonymously to the central server.

The central server is a global vulnerability database from publicly available CVE repositories. Later, it is used to cross-correlate this information with the agent’s application inventory data.

The global vulnerability database is created automatically, currently pulling data from the following repositories:

Once the global vulnerability database (with the CVEs) is created, the detection process looks for vulnerable packages in the inventory databases (unique per agent).

Alerts are generated when a CVE (Common Vulnerabilities and Exposures) affects a package known to be installed in one of the monitored servers.

A package is labeled as vulnerable when its version is contained within the affected range of a CVE. The results are presented as provided in the instance with the remediations.

You can check the last sync time of vulnerability feeds from the ConnectSecure portal by tapping your avatar icon and then choosing the Vuls Feed Info option.

image-20240906-152753.pngimage-20240906-152826.png

Windows Vulnerability Check

  • Get the list of cumulative updates and key file versions on the system using OSQuery

  • Send this to the central server

  • The central server checks hot fixes against DB that has been curated

  • It finds missing hotfixes and security updates

  • It finds all vulnerabilities tagged as fixed in those versions

  • For each application, the application is marked as Microsoft or Non-Microsoft. If Microsoft, then we have a DB of all application versions and the Patch-associated

  • For Microsoft applications, we run a query for the highest version of patched files and then reverse lookup to see which patch it belongs to. We then determine what patches are missing and then reverse lookup vulnerabilities fixed by those versions to display the vulnerabilities

  • For Non Microsoft Applications, we convert the app name into the CPE as defined in https://nvd.nist.gov/products/cpe

  • Once we determine the CPE, we then fetch CVEs by CPE

  • We then lookup the version constraints and based on that information, get the CVEs for the application

  • The fixed version is then picked up by querying our patching repo to find the latest version released and provide that as a remediation

  • No labels