The Secunia Corporate Software Inspector (CSI) is an authenticated internal vulnerability scanner, capable of assessing the security state of practically all programs that run on Microsoft Windows PC's and enabling you to fix the vulnerabilities before they are actively exploited.
A vulnerability scanner is a computer program designed to scan for vulnerabilities that are present within your network.
Secunia was founded in 2002 by its current principals. Secunia is a privately held, financially strong, and profitable company with a strong track record. Today the Secunia community includes leading security experts, system and network administrators, and our own website is visited by more than 5 million unique visitors annually. The Secunia CSI has been a leading vulnerability scanner for the Windows environment since the beginning of 2008.
The Secunia CSI is a software that has appliance functionality if needed. The agent can be installed in an appliance mode and do remote scans of hosts.
The Secunia CSI is a proactive solution that can be used in addition to firewalls, IDS and other network security systems. It will help you secure and monitor your network against new threats that otherwise are not monitored.
The Secunia CSI can be designed to use either remote scans or agent based scans.
The Secunia CSI file signatures is updated and maintained on a daily base.
Yes. In each advisory presented within the Secunia CSI there will always be a link to the CVE reference.
The Secunia CSI is used across multiple segments, including the Fortune 1000, small to medium businesses, consultants and managed service providers. Regardless of the environment, the scaleable, secure end-to-end solution is unchanged.
If you wish to evaluate the Secunia CSI, please complete and submit the appropriate form, available by clicking on Request a free trial of the Secunia CSI in the product page.
Please login to the product and go to Support/Contact Information to find the details.
Those can be found here.
The Secunia CSI supports the following OS: Microsoft Windows XP, 2003, 2008, Vista, and Windows 7.
Once the Secunia CSI download has completed, start the installer and then start the product. Provide your user name and password that was given by your Secunia representative. When the installation is complete you can start configuring your scans.
Depending on hardware and size of the local disk it varies but usually between one to three minutes if using scan type 2 (all local paths).
The Secunia CSI is a light weight non intrusive scanner that has been optimised to give minimum footprint on network utilisation. With guidance from a Secunia Solution Specialist each customer will be trained in how to optimise the scan process according to their network design and capability.
Read the system requirements: http://secunia.com/vulnerability_scanning/corporate/system_requirements/
The Secunia CSI is already configured to start automatically.
Place the mouse over the username in the bottom of the Secunia CSI user interface.
By contacting your Secunia representative.
The Secunia CSI is compatible with any type of security software.
The Secunia CSI is compatible with any type of security software.
An update of the signature files is always conducted as soon as the Secunia CSI starts a scan. If there is a error in fetching the latest signature files you will be prompted with information about this.
The Secunia CSI scans for third party applications and Microsoft software to the Windows platforms.
Download the agent from with in your Secunia CSI console (availble from the 'Download Agent' -menu).
The Secunia CSI Agent is a small, simple, customisable, and extremely powerful CSI scan engine, that offers a fully featured command line interface (CLI) to the CSI scanning functionality. This allows you to run CSI scans directly on the command line or to embed the Agent in a customised script. Write "csia.exe -h" for a full list of arguments supported by the CSI Agent
The most common way to use the agent is in Single Host Mode.
Single Host Mode (Install the agent as a local service): csia.exe -i -L
Read more about the agent and other options how to use the agent in the Setup and usage guide.
NOTE: The "csia.exe" file is a customised executable, unique and private for your account. This means that the CSI Agent automatically links scans to your Secunia CSI account, without you performing any extra actions.
Only local hard drives will be scanned for software vulnerabilities.
The Secunia CSI is updated with new supported, detected, and analyzed vendors on a daily basis. The file signature database consist of more then 3000 vendors.
Since the scan process works by looking at the actual files on the system scanned, the result is extremely reliable as a program obviously cannot be installed on a system without the actual files being present. This in turn means that the Secunia CSI rarely identifies false-positives and thus the result from the Secunia CSI can be used immediately without doing additional data/results mining.
All scans that is conducted is done using credentials that has local admin right to the target machine.
You can generate reports that includes Executive summary, Site statistics, Product level and Host level report. Each report will have detailed information about the security level and provide you with verified and accurate intelligence.
Yes. Selected personnel can be added to receive a change summary that shows the changes in the network on a daily or weekly basis.
The Secunia CSI can generate PDF reports, however it is possible to extract custom made reports from the Secunia CSI. See: Is it possible to extract custom made reports from Secunia CSI?
The Secunia CSI builds the criticality rating on the CVSS version 2 scoring algorithms.
It is possible to pull custom data and reports from the local Secunia CSI database, containing the scan results generated by your Secunia CSI setup.
The local database is in SQLite, you can download a free SQLite console from SQLite.org (or use your favourite sqlite tool). This allows you to connect to the actual database file and run queries directly against the results.
After downloading the console, you need to locate the database file. The database file is placed in the %APPDATA%\Secunia CSI folder of the user running the CSI. The largest file with a random name in this folder should be your local database.
The following scenario is just one example how to use the local database of Secunia CSI, but can of course be customised to meet other needs.
First download and unzip the 'sqlite' console from sqlite.org
If 'sqlite3.exe' is placed on your desktop, the following command should work on a Windows XP system.
Yes. The Secunia CSI provides links to security patched from each scan results to help network administrators remedy vulnerabilities.
No. The Secunia CSI does not scan removable or network drives, such as - USB sticks or other type of removable drives.
The number of systems that can be scanned by the Secunia CSI is dependent on the license that you have purchased from Secunia. If you reach your license limit, deleting old systems from the Secunia CSI will release the corresponding number of licenses. If you need additional licenses, please contact your Secunia Sales Representative.
Although login of concurrent sessions is possible, the Secunia CSI is designed to allow only one session per account. If a concurrent session from the same account is verified, the Secunia CSI will redirect the user to the account information section.
If you wish to have several Secunia CSI accounts, please ask your Secunia Sales Representative about the Secunia CSI User Management add-on.
It should be taken into consideration that in order to perform remote scans, the target systems must have the right services and ports enabled. Please refer to the system requirements for Agent-less scans.
The Secunia CSI Graphical User Interface can be downloaded from the Secunia website.
Configure your Password Recovery Settings then you are able to request a new password that will be delivered by e-mail and mobile message.
The Secunia CSI is designed for Microsoft Windows operating systems only.
By using the Suggest Software feature available on your Secunia CSI, you can easily request Secunia to start monitoring the missing software. Requests from our customers are highly appreciated and will be promptly addressed.
In the Internet Options (Control Panel or under Internet Explorer/Tools), verify that https://csi.secunia.com is present in the Trusted sites. If not, please add it.
If your network connection passes through a proxy that needs authentication, please open a command prompt window, go to the path where the Secunia CSI is installed, and launch Secunia CSI with the following command:
csi.exe -x proxy:port
If you also need to specify the proxy authentication, launch Secunia CSI with the following command:
csi.exe -x proxy:port -U username:password
In order to get a more verbose error message, start Secunia CSI from the command prompt with logging options.
csi.exe -d debugfile.txt -v
the logging can also be combined with other options, like this:
csi.exe -x proxy:port -U username:password -d debugfile.txt -v
Yes. All the communication between the Secunia CSI Agent or the Secuina CSI Graphical User Interface and Secunia is made through port 443, and by using SSL protocol with 256 bit encryption.
The Secunia CSI is designed to use the built-in Windows Update Agent so that it can check for missing patches from Microsoft. If you have a WSUS server in your network, the Secunia CSI will adapt and retrieve the OS results based on the internal WSUS.
Exit the Secunia CSI, make sure the solution is not running in the background. Open the registry editor, go to:
HKEY_CURRENT_USER → Software → Secunia → Delete the Secunia CSI folder.
Launch the Secunia CSI solution again and you will be prompted for login credentials.
No. Due to its lightweight design, the Secunia CSI is able to run in the most common Windows systems. For more detailed information, please refer to the system requirements for running the Secunia CSI Centralised Dashboard.
Please login to the Secunia CSI and go to Support -> Contact Information to reach the Secunia Customer Support Center.
In the Secunia CSI user interface go to: Patch/Configuration, enter the WSUS server name and port. Then press save and connect. If it is the first time you connect, a wizard will guide you through the steps needed to create certificates and the GPO settings that enable deployment of 3rd party patches.
A WSUS server needs to be installed on the network. The following requirements need to be in place on the computer that is running the Secunia CSI User Interface:
Yes, WSUS is a no-cost download from Microsoft. However, you must have a valid Windows Server 2003 or 2008 license for the WSUS server itself, as well as Windows Client Access Licenses (CALs) for each machine updated by WSUS. Be sure to discuss your unique licensing needs with a Microsoft Partner or your Microsoft Account Representative.
Run this command from a command prompt:
A Secunia CSI wizard will automatically implement the GPO settings, including certificate distribution necessary to deploy 3rd party applications. Go to the Secunia CSI/Patch/Configuration to enable the wizard.If you want to do this manually the settings needed is the following:
IMPORTANT! On Windows Vista, 7, 2008 you must run Secunia CSI as an administrator (right-click and select “Run as administrator”) when pushing out the certificates.
In the Secunia CSI menu, go to Patch>Deployment>right-click one or several hosts, and select “Verify and Install Certificate”.
IMPORTANT! On Windows Vista, 7, 2008 you must run the Secunia CSI as an administrator (right-click and select “Run as administrator”) when pushing out the certificates.
If you do not want to use the Secunia CSI wizard, you can export the Certificate from the WSUS Server and import it to the target hosts either manually or through a GPO.
If you cannot find “Trusted Publishers” on the Windows 2003 server. please do the following:
By default the Remote Registry Service is turned off in Windows Vista and Windows 7. Make sure the Remote Registry Service is started. This can also be done using GPO.
Install the latest Microsoft Update for Root Certificates (KB931125)available in here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=19c4ae49-1127-4537-9e91-35f81d20bce6
Run the Secunia CSI after installation (you may need to reboot you PC after the installation).
1. Make sure you run the Secunia CSI as an administrator (right click select 'Run as administrator')
2. Make sure the WSUS installer (administration console only) is installed http://www.microsoft.com/downloads/details.aspx?FamilyId=a206ae20-2695-436c-9578-3403a7d46e40&displaylg=en
Verify the GPO setting 'Windows Updates/Allow signed updates from an intranet Microsoft update service location' is enabled. In addition, also verify the following on the local host:
Check the registry on the client computer:
Check that the key AcceptTrustedPublisherCerts is set to 1 (if not,change it to 1)
Perform these commands, and try again.
Net stop wuauserv
Net start wuauserv
Add https://csi.secunia.com to trusted sites in (Internet Options>Security>Trusted sites). On Windows 7, Vista, 2008 you need to run Internet Explorer as an administrator (Right click and select Run as administrator), then go to Tools>Internet Options>Security>Trusted sites and add https://csi.secunia.com
Make sure encrypted pages may be saved on disk.
Internet Options → Advanced → Scroll to Security → Uncheck 'Do not save encrypted pages to disk'.
If you cannot print then please verify that:
Go to Internet Options → Advanced → Browsing → Check the check box that corresponds to Disable script Debugging (Internet Explorer) and Disable Script Debugging (Other).
Login and go to Configuration/Settings and check the checkbox 'Enable logging'. If you want to start the Secunia CSI in debug-mode, start it from the command prompt with the following command:
csi.exe -d debugfile.txt -v
Make sure the WSUS server and the WSUS administrative console have the same version, or at least match so there is no conflict.
The Secunia CSI does not recognize what language version that is installed. In cases where the Vendor provides different installations based on the language we link to the main download page so that the customer can choose for themselves what language they are using.
Make sure that you downloaded the CSI Setup file and stored it locally on your system before installing it. If it still gives you this error message, then clear the "Temporary Internet" files for your browser, download the setup file again, and restart the installation process.
The Secunia CSI Agent service will not work when installed into %SystemRoot%\system32 on a 64 bit system. Although the agent may appear to be correctly installed, it will fail to start. Install the agent in a 32bit compliant directory, and the service will start properly.
Because the configuration is stored in the users HKEY_CURRENT_USER\Software\Secunia\csia and that registry hive is not available during the installation of the agent, the installation should be done with the runas.exe thus making sure the registry hive is loaded:
runas /user:firstname.lastname@example.org "csia -A -i -R email@example.com"
You need to connect to the main WSUS server, however all replicant servers need to have the signing certificates.
To view the "Trusted publisher" folder do the following:
Yes it is possible, use the "Import Signing Certificate" function in the Secunia CSI (Available under Patch/Configuration). Note that you need to set up the WSUS to use SSL connection.
If you're using Microsoft SCCM, the package created and published with the Secunia CSI will be available in your SCCM console, so it can be managed just like any other update. The package will be available under Computer Management/Software Updates/Update Repository/Security Updates/Vendor, also including the criticality of the vulnerability addressed by that specific update.
Not a customer already?