[unisog] Commercial Vulnerability scanners?

Gary Flynn flynngn at jmu.edu
Tue Feb 18 12:37:05 GMT 2003

Christian Wilson wrote:

>We have about 17000 computers on our network, and address vulnerability
>management by using a combination of Nessus and other custom written tools.
>I was wondering whether others are using any of the comercial scanners out
>there in the University environment, and if so what, and are they any good :)

We've been using ISS Internet Scanner here for several years. It was 
selected after all the
products available at the time were evaluated. The second choice at the 
time was SARA.

At the time of the evaluation, ISS detected several intentionally 
introduced vulnerabilities
that were important in our environment that Nessus missed. There was 
also no comparison
in reporting and integration capabilities in my opinion. Because the 
results are held in an
Access database and because the scanner is controllable through the 
command line, with
a little bit of SQL and scripting you can do just about anything you 
want. I don't care much
for either the canned reports or using Crystal Reports to generate new 

My main complaints with the ISS scanner are the black box approach to 
the vulnerability
tests and the need to have Windows Administrator access for many of the 
tests. Without
knowing what the tests are doing, it it difficult to sort out false 
positives or have confidence
in the results. This, of course, is a business decision to protect their 
R&D in vulnerability
tests but it makes the product less useful than more open products. I 
also believe that the
ability to create user tests is limited. On the other hand, many Windows 
and policies cannot be determined by a network scan without either 
logging in or
having a remote agent so in environments where providing Administrator 
access can be
accomplished, some significant data can be collected.

I liked the SARA scanner because all the test scripts were in Perl and 
it allowed me to
inspect and fine tune them as desired for our environment. At the time, 
it detected more
vulnerabilites that I was interested in than other non-commercial scanners.

After watching Nessus develop over the past couple years I suspect the 
choice would be
different today.

I'd recommend that you contact a sales person and get a working copy of 
ISS or
any other commercial scanner you are contemplating and perform your own 
in your environment. You can download a working copy of ISS Internet Scanner
from their site but it will only scan itself without a license key.

More information about the unisog mailing list