How it works¶
To be able to detect vulnerabilities, now agents are able to natively collect a list of installed applications, sending it periodically to the manager (where it is stored in local sqlite databases, one per agent). Also, the manager builds a global vulnerabilities database, from publicly available CVE repositories, using it later to cross-correlate this information with the agent’s applications inventory data.
The global vulnerabilities database is created automatically, currently pulling data from the following repositories:
https://canonical.com: Used to pull CVEs for Ubuntu Linux distributions.
https://access.redhat.com: Used to pull CVEs for Red Hat and CentOS Linux distributions.
https://www.debian.org: Used to pull CVEs for Debian Linux distributions.
https://nvd.nist.gov/: Used to pull CVEs from the National Vulnerability Database.
This database can be configured to be updated periodically, ensuring that the solution will check for the very latest CVEs.
Once the global vulnerability database (with the CVEs) is created, the detection process looks for vulnerable packages in the inventory databases (unique per agent). Alerts are generated when a CVE (Common Vulnerabilities and Exposures) affects a package that is known to be installed in one of the monitored servers. A package is labeled as vulnerable when its version is contained within the affected range of a CVE.
Since 3.11.0, the module is able to alert about known Windows vulnerabilities (indexed as CVEs as well) by detecting the installed security updates (hotfixes) of each monitored agent.
Since 3.13.0, the Linux vulnerability engine has been heavely enhanced and optimized, pulling off remarkable detection rates even when compared to enterprise solutions. The inner-workings are quite sophisticated, but they can be summarised in the following steps:
Discards invalid or unused packages (inventory database).
Retrieves all CVEs that affect an installed package (Two rounds: Vendor & NVD feeds).
Discards duplicate vulnerabilities.
Processes the CVEs within a special engine that will correlate between all the sources.
Removes false-positives using different techniques.
Alerts the remaining vulnerabilities.