To demonstrate the MaxPatrol advantage, we use two different approaches to assessing vulnerability detection quality. First, we describe the three main types of vulnerabilities, classified by source. Second, we analyze the entire vulnerability detection process by breaking it down into its individual stages.
Types of Vulnerabilities
Published Vulnerabilities
All the vulnerabilities discussed in this section have been published on specialized news channels. The sources of this information are software developers, independent experts, and ambitious hackers.
We would like to assume that any self-respecting security scanner includes a complete database of published vulnerabilities, with regular updates. This is a necessary feature, but it is not sufficient, for one simple reason: there are two other sources of vulnerabilities that present an equally serious threat to information security.
Another issue to consider is how vulnerabilities in the database are verified, which raises two questions: 1) how do we know for certain which software version a database entry refers to, and 2) how can we establish beyond doubt whether a particular vulnerability has been fixed by a patch? For these questions we cannot rely on the banners that services use to describe themselves; we need a more reliable mechanism for detecting software versions, and that is what MaxPatrol provides. Wherever possible, it also performs a direct vulnerability check by simulating an attack and analyzing the system's response. This is the most reliable method, but because it is not entirely safe, you may wish to disable it in the program settings.
We should also mention that any vulnerability database is incomplete by definition. As long as new vulnerabilities continue to be discovered regularly in existing software, we cannot be confident that we are protected from outside attacks that use as yet unpublished vulnerabilities. For this reason, it is very valuable to have the capability of detecting "unknown" vulnerabilities at one's disposal. MaxPatrol is able to model probable attacks "on the fly," based on the configuration of the system being scanned, and it is often successful (see EXAMPLE #3).
Configuration Vulnerabilities
No one can predict these vulnerabilities. They appear when software deviates from its ideal configuration, which can happen through error, lack of coordination, insufficient personnel training, and so on. The more "exhaustive" and "cunning" the scanner's software-configuration check, the more reliable its diagnosis of vulnerabilities.
MaxPatrol accomplishes this task as thoroughly as possible and within a reasonable time (certain modes require additional time but provide greater depth of reporting).
EXAMPLE #4 offers a simple, yet topical scenario.
Web Application Vulnerabilities
As you may have guessed, there is a great deal of variation among vulnerabilities. Fortunately, many of them (including those used most frequently by attackers) fit certain classifications. Attacks are usually carried out through scripts hosted on web servers. MaxPatrol searches for several types of vulnerabilities, among which the most widespread are SQL injections and code injections. It should be noted that in each specific case, MaxPatrol models and analyzes only those attacks that apply to the node being tested. Statistics show that MaxPatrol detects injections of one kind or another in half of the online databases currently published on the Internet.
MaxPatrol's ability to analyze Internet sites thoroughly enables its widespread use in automated express penetration tests. On a price/value basis, this alternative makes much greater economic sense than contracting out to a consultant.
Scanning Stages
Port Scanning
This is the simplest stage in scanning, and there would seem to be nothing to discuss. But that is not the case.
Suffice it to say that the possible range of port numbers is 65,000 for TCP, and the same number again for UDP. Of course, MaxPatrol does include a mode that tests all ports without exception, but that requires a lot of time and cannot be used in every situation. The problem is to determine an optimal list of ports that should be tested every time. MaxPatrol offers two ways of resolving it:
- First, the user can configure the list of ports to be tested
- Second, MaxPatrol offers a default port list painstakingly designed by experts and based on many years of practical experience. Of course, if you set a service to use port 26872, it will not be found automatically (in that case, you should use the preceding alternative or scan the entire range). Still, MaxPatrol almost always succeeds in detecting all open ports, not just those used by known services. Examples #1 and #2 give some idea of this feature. The default list of ports to be tested is updated whenever MaxPatrol experts receive new information.
Service Detection
In this stage of scanning, the program detects which services are operating on which ports. Accuracy in this stage is of utmost importance because the vulnerability diagnostics performed in the next stage are based on this information. Detecting port 110 does not mean that the program should immediately start checking for vulnerabilities in a POP3 service (even if the service responds with a banner claiming to be a POP3 service). To ensure overall accuracy of the scanning results, it is crucial to detect not just the service type but its version as well. In addition, detection should not be based on the services' own responses alone, because service banners are often falsified for security purposes in an attempt to foil hackers.
This problem turns out to be rather complex. In fact, it has yet to be resolved with 100% accuracy. MaxPatrol approaches an optimal solution through the use of a series of special mechanisms:
- First, it permits services to be assigned to non-standard ports
- Second, it scans services in a certain order based on specially designed correlation matrices. This allows a high level of reliability while ensuring good scanning speed
- Third, MaxPatrol uses a carefully constructed process for detecting services that frequently duplicates tests to confirm information
- Fourth, MaxPatrol's developers have created heuristic algorithms designed to confirm the version of many services: HTTP, FTP, SMTP, POP3, DNS, SSH. A positive result obtained using these algorithms is 100% reliable. If heuristic confirmation is not successful, the program gives a clear warning. On average, these methods are 95% effective
- Fifth, the developers have composed specific algorithms for RPC services. MaxPatrol can detect over 30 Windows services and about 200 Unix services on random ports, identifying the specific service. This required an original algorithm; for example, detection quality on Unix systems does not depend on the availability of port mapper data.
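As an added illustration (not MaxPatrol's code), the following Python sketch applies the principle described above: a service is classified by how it answers protocol-specific requests, the port number only decides the order in which probes are tried, and a banner that contradicts the observed behaviour is reported rather than believed. The probe table, the fake servers and their replies are constructed for this example.

```python
import re
from typing import Callable, Dict, Optional

# Constructed probe table (hypothetical, not MaxPatrol's): protocol -> (request sent on a
# fresh connection, regex the first reply line must match). Only reply grammar is trusted.
PROBES = {
    "pop3": (b"CAPA\r\n", re.compile(rb"^\+OK")),
    "smtp": (b"EHLO probe.invalid\r\n", re.compile(rb"^250[ -]")),
    "http": (b"GET / HTTP/1.0\r\n\r\n", re.compile(rb"^HTTP/1\.[01] \d{3}")),
}
# What a greeting banner *looks* like; used only to report contradictions, never to decide.
BANNER_LOOKS_LIKE = [("pop3", re.compile(rb"^\+OK")), ("smtp", re.compile(rb"^220[ -]"))]
PORT_HINTS = {110: "pop3", 25: "smtp", 80: "http"}  # orders the probes, nothing more

def banner_claim(banner: bytes) -> Optional[str]:
    return next((p for p, rx in BANNER_LOOKS_LIKE if rx.match(banner)), None)

def identify(port: int, banner: bytes, send: Callable[[bytes], bytes]) -> Dict[str, object]:
    """Classify a service by how it answers protocol-specific requests, not by its banner."""
    order = [PORT_HINTS[port]] if port in PORT_HINTS else []
    order += [p for p in PROBES if p not in order]
    for proto in order:
        request, grammar = PROBES[proto]
        first_line = send(request).split(b"\r\n", 1)[0]
        if grammar.match(first_line):
            notes = []
            if PORT_HINTS.get(port, proto) != proto:
                notes.append(f"{proto} on port {port}, expected {PORT_HINTS[port]}")
            claim = banner_claim(banner)
            if claim and claim != proto:
                notes.append(f"banner claims {claim} but behaviour is {proto}")
            return {"service": proto, "confirmed": True, "notes": notes}
    # No grammar matched: report the uncertainty instead of guessing from the port number.
    return {"service": None, "confirmed": False, "notes": ["no probe matched; unidentified"]}

# Constructed stand-ins for real sockets: each takes the request and returns the raw reply.
def fake_pop3(request: bytes) -> bytes:
    return b"+OK\r\nUSER\r\n.\r\n" if request == b"CAPA\r\n" else b"-ERR\r\n"

def fake_http(request: bytes) -> bytes:
    status = b"200 OK" if request.startswith(b"GET ") else b"400 Bad Request"
    return b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\n\r\n"

def fake_silent(request: bytes) -> bytes:
    return b""  # accepts connections but never answers a request
```

Calling identify(110, b"+OK POP3 ready", fake_http) reports an HTTP service with two notes, one for the unexpected port and one for the misleading banner.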
Vulnerability Detection
The last scanning stage generates the scanner's final result. The quality of the report depends both on the work of the preceding stages and on the methods of vulnerability detection employed.
Because vulnerability detection has already been discussed (section 1), and to avoid getting lost in the details, here is a short review of the basic detection methods and the types of vulnerabilities found that matter in this stage of MaxPatrol's operation:
- An original database of malformed queries and network packets for more reliable detection of vulnerabilities, including in unregistered services
- Direct testing for vulnerability to many known DoS attacks (can be disabled if necessary)
- Ability to model new DoS attacks "on the fly"
- Multiple brute-force dictionaries specifically compiled for various service and vulnerability types (including unauthorized folder access)
- Detection of vulnerabilities arising from configuration errors, including cases of unprotected authorization, information disclosure by services, etc.
- Deep, intelligent website analysis for vulnerability to SQL and code injections, XSS, and receiving files. Investigation of the custom scripts developed for particular web applications takes place at this step.