Frequently asked questions
By focusing on Security Patch Management, we strive to be the best in the industry and always keep our customer feedback a top priority.
General
By scanning for missing security and regular patches, organizations can gain the intelligence needed to eliminate the threat posed by insecure and end-of-life software within the corporate environment.
The vulnerability issue cannot be denied. Every organization has the knowledge that vulnerabilities in the IT infrastructure can be used to compromise security. It represents an extra challenge for the teams responsible for IT.
How can you protect your IT infrastructure more effectively? How can you make sure that computers do not have software installed that lacks the latest security patches? And how can you do this without spending vast amounts of time and effort checking dozens of vendor sites for software updates?
SecTeer VulnDetect is an authenticated internal vulnerability and application scanner, capable of assessing the security status of programs that run on Microsoft Windows, enabling you to fix the vulnerabilities before they are actively exploited.
A vulnerability scanner is a computer program designed to scan for vulnerabilities that are present within your network.
SecTeer was founded in 2017 by its current principals. SecTeer is a privately held, financially stable, and profitable company with a strong track record.
SecTeer VulnDetect is a software solution. An agent is installed locally and has a minimal footprint on the system. The agent installation files are approximately 4MB and use negligible CPU resources and around 4MB of memory when running. At scheduled times, typically once per day, the agent will run a system inspection that temporarily increases the CPU and memory usage. An inspection usually takes only a few seconds.
SecTeer VulnDetect is a proactive solution used in addition to firewalls, IDS and other network security systems. It will help you secure and monitor your network against new threats that are otherwise not monitored.
SecTeer VulnDetect utilizes agent-based scans with minimal resource usage.
The file signatures and software packages used by SecTeer VulnDetect are maintained and updated daily.
Yes. Our internal advisory for the signatures within VulnDetect always includes a link to the CVE reference.
Within your “Hosts” overview you can “move selected hosts to trash” which can be then viewed under “configuration” either to restore or delete the hosts entirely.
Currently, jobs can’t be completely deleted, only stopped. We are considering ways to allow deleting (or automatically hiding old stopped) jobs.
A scan consists of 2 parts; the first part is third-party applications that SecTeer VulnDetect scans for, the second part is matching to the correct updates. Also, you may want to check if the hosts are added to an “approval group”.
A download link is always included to verify the validity of the update.
Only hosts that are in groups are patched. Once a host is in a group, approvals will be automatically created for any discovered software that can be patched.
Approve the recommended version of the software that an approval applies to and all the hosts in that group that have that software installed will be updated automatically.
You can refer to the VulnDetect Setup guide or contact our support personnel for assistance.
The ‘Software Installations’ bar chart and the ‘Vulnerability Status Breakdown’ pie chart show the same information in two different ways.
In the ‘Software Installations’ bar chart, each application is counted in all the relevant bars, i.e. if an application is both Insecure and End-of-Life, it will be counted in both bars.
Each application is counted only once in the ‘Vulnerability Status Breakdown’ pie chart, in the “worst” group that it is part of. If an application is both Insecure and End-of-Life, it is counted in the Insecure pie.
We cover approx. 1000 + applications. Our customers can request software to be added to our database for detection, patching, and deployment. We cover the majority of popular software. There may be less-known software that we don’t detect. This can be requested through support@secteer.com
Customers can suggest new applications to be detected. The applications are reviewed and added if the following criteria are met:
The application must have an EXE, DLL, JAR or similar executable file on the system, which is used for creating a detection rule. Please, provide the name of the primary executable and a link to the vendor or product website when suggesting new apps.
To properly track the security state of the software and be able to recommend the latest and most up-to-date version reliably, it is required that the vendor makes public announcements about releases and security fixes.
A few vendors are very secretive or outright hide such announcements on pages only accessible by customers or partners. Such software is usually flagged as “Untracked”. The state is updated on a “reasonable effort” basis.
For all software with formal announcements, we intend to monitor and review official sources for information upon each new release and will update the status of the software based on publicly available information.
Customers can suggest new applications to be deployable or upgradable via VulnDetect. The applications will be reviewed and tested if the following criteria are met:
The installer must be publicly available from the vendor website or other official distribution site, i.e. the download should not require credentials or license keys.
If the installation or upgrade requires a license key or similar, you may need to provide us with a key while creating and testing the package.
Upgrading the application must be supported by the official installer supplied by the vendor; a few vendors prevent upgrades and only support upgrading via built-in updating mechanisms, e.g. Microsoft Teams and OpenWebStart.
The installation and/or upgrade must be fully silent (i.e. support silent parameters).
If all the above requirements are met, then it is very likely that VulnDetect can support upgrading and installing the application.
It should be noted that requests are prioritized based on prevalence across all customers.
Applications that don’t meet the above criteria may still be supported through the “custom software” feature. If you wish to know more about our “custom software” deployment and update mechanism, please contact your SecTeer account representative.
Yes, see system requirements for more details.
The SecTeer API can enable you to extract the vulnerability scan results and feed the data directly to any tool supporting an API.
You will need to request Support to enable an API key for you.
Yes, Our implementation uses TOTP (RFC 6238) (the Authenticator standard), and is compatible with many popular Authenticator apps.
No, the agent only requires an internet connection to deploy, patch and update the applications.
See system requirements for more details.
Reporting
A weekly report is sent to you, which provides a Dashboard overview with the following information:
Summary of the number of applications which are/have:
# Out-of-Date Approvals
# Groups
# Hosts
# Products
# Versions
# Installations
# 0-Day
# Insecure
# End-of-Life
# Ok
This feature is “coming soon”
SecTeer VulnDetect can generate PDF reports; however, it is possible to extract custom made reports from SecTeer VulnDetect. Use Export to export the data into the Clipboard or into a .CSV file.
There are 2 data types in the dashboard: live data and historical data.
The Vulnerability Status Breakdown, Updates Deployed Automatically, and the Summary show real-time data, while the Software Installations and non-Live Updates under Updates Deployed Automatically (dropdown menu) show historical data.
Historical data is compiled in the backend every 3 hours. The Dashboard page fetches data from the backend every 60 seconds. When the Dashboard page fetches data from the backend, this refreshes the live data and the historical data in the UI. The live data will be up to date at the time it is fetched, while the historical data may be up to 3 hours old.
Technical - General
Using SecTeer VulnDetect, you have access to 2 different scan approaches:
- On-Demand Scanning
From the VulnDetect GUI, you can easily create scan groups manually. The groups can then scan immediately. - VulnDetect Agent – Single Mode
The SecTeer VulnDetect Agent is a standalone executable file that can run as a local service. The agent can be configured to scan the system at regular intervals available under “configuration”.
Yes. SecTeer VulnDetect is designed to deploy standard and security patches that were found missing from the scan results. This integration of SecTeer VulnDetect allows network administrators to easily handle the entire vulnerability management life cycle.
No. SecTeer VulnDetect does not scan removable or network drives such as USB sticks or other types of removable drives.
The number of systems that can be scanned by SecTeer VulnDetect is dependent on the license that you have purchased from SecTeer. If you reach your license limit, deleting old systems from SecTeer VulnDetect will release the corresponding number of licenses. If you need additional licenses, please contact your SecTeer Sales Representative.
Although the login of concurrent sessions is possible, SecTeer VulnDetect is designed to allow only one session per account. If you wish to have several SecTeer VulnDetect accounts, please ask your SecTeer Sales Representative about an additional Admin license.
The SecTeer VulnDetect Agent can be downloaded from your Dashboard under “configuration”.
You can reset your password by clicking on the link below:
https://vulndetect.com/#/forgot-password
If you still encounter issues, please contact support at: support@secteer.com
SecTeer VulnDetect is capable of scanning any Windows system, virtual machine and terminal server.
SUPPORTED MICROSOFT OPERATING SYSTEMS:
Windows 11
Windows 10
Windows 8.1*
Windows 7 SP2 or later*
Windows Server 2022
Windows Server 2019
Windows Server 2016
Windows Server 2012*
*) Due to limitations in the default PowerShell on these Operating Systems, not all packages are supported. Also, these versions are in extended support from Microsoft or will reach End-of-Life soon.
**) PowerShell 5.1 is installed by default on all modern Windows and Windows Server systems.
SUPPORTED BROWSERS (LATEST VERSION FOR VIEWING RESULTS)
Although most modern browsers will work with VulnDetect, the following are officially supported:
Firefox
Google Chrome
Mozilla Firefox
Microsoft Edge (Chromium Based)
Vivaldi
Opera
AGENT-BASED SCANNING, DEPLOYMENT AND PATCHING:
Network/Internet connection (SSL 443/tcp to VulnDetect.com)
Local administrative privileges for Agent deployment to Network
25 MB of free disk space
1GB of free disk space for upgrading software
(To ensure that there is space for the downloaded installers and the unpacked temporary files). Some software may require more space.
FOR CERTIFICATE VERIFICATION, ACCESS TO THE FOLLOWING ADDRESSES IS REQUIRED:
r3.o.lencr.org
r3.i.lencr.org
THE ADDRESSES OF SECTEER SERVICES ARE:
https://*.vulndetect.com/
The above should be whitelisted in the Firewall/Proxy configuration.
By using the Suggest Software feature available in SecTeer VulnDetect, you can quickly request SecTeer to start monitoring the missing software. Requests from our customers are highly appreciated and will be promptly addressed.
Yes, you can request this through your account or by sending the request to support@secteer.com. We will then assess your request and if applicable, add the package and support the software in the future.
Yes. All the communication between the SecTeer VulnDetect Agent or the SecTeer VulnDetect Graphical User Interface and SecTeer is made through port 443, and by using SSL protocol with 256-bit encryption.
No. Due to its lightweight design, SecTeer VulnDetect is able to run in the most common Windows systems. For more detailed information, please refer to the system requirements for running the SecTeer VulnDetect Centralised Dashboard.
Yes, all our packages rely on PowerShell 5.1, the default version on Windows 10 and Windows 11 and modern Windows Server releases. Our PowerShell scripts are digitally signed.
The package scripts download the installers via https / port 443 from our CDN / proxy hosts stream.vulndetect.com.
This allows you to proxy and locally cache the updates, depending on the capabilities of your proxy.
The package scripts always attempts a Windows Background Intelligent Transfer Service (BITS) first. If BITS is enabled and configured correctly, it will cache the installers on the local network. Please refer to the appropriate Windows documentation for more details.
The VulnDetect TSPM packages are all PowerShell scripts.
These scripts are all signed, and we recommend whitelisting/allowing all scripts that are signed by SecTeer VulnDetect.
If your security solution doesn’t support this, you may be able to whitelist certain locations:
C:\Programs Files (x86)\SecTeer VulnDetect\
C:\ProgramData\SecTeer VulnDetect\
C:\Users\<username>\AppData\Local\SecTeer VulnDetect\
The user path is based on Env:\LOCALAPPDATA, so it may differ from system to system though this is rare.
Note that scripts running in Program Files and ProgramData all run as SYSTEM.
Scripts running in the user’s folder always run with the users’ privileges, as reported by the operating system.
Most tasks are launched via the Windows Task Scheduler; however, some may be initiated directly via the agent.
A few older packages are based on chocolatey. These always run in the SYSTEM context and can be found in:
C:\ProgramData\chocolatey\
Chocolatey packages are NOT signed. We are working on transitioning the last handful of packages to TSPM.
The most likely explanation is that an antivirus program uploaded the secteerSetup.msi file and a researcher at that antivirus company installed the program. You can safely delete the agent in the interface. It’s important to note that the MSI file you have received is keyed to your account, so anyone who receives it can run it, and the resulting agent will also be keyed to your account. There is no security issue here because the agent doesn’t receive any significant information from the server.
The packages from VulnDetect are compiled and tested in Denmark, which is part of the EU.
We create a package which downloads the installer directly from the vendor (or in a few cases our archive). All downloads are checked using a sha256 checksum which we embed in the package.
We always verify the digital signature.
To the extent possible, the sha256 sum which we embed in the package is calculated based on installers downloaded via https from official sources, and we verify the Authenticode signature of the installer when available. In rare cases where one or both https and Authenticode isn’t possible, the file will be vetted using other mechanisms such as VirusTotal, GPG, or other hash/checksum sources.
Our agent downloads the package (PowerShell script) from our server via HTTPS and verifies that the retrieval was conducted through our server.
When the agent is successfully installed, a unique auth-token is added to the registry. This auth-token is associated with the supplied email and used to identify the agent when it communicates with the SecTeer VulnDetect backend servers. The auth-token will remain until the agent is uninstalled. Upgrading will always preserve the existing auth-token. In order to get a new auth-token, and associate the agent with a different account, the agent must be manually uninstalled, and then the admin can deploy the MSI, which will create a new auth-token that is associated with the correct account.
Yes, that is possible by going to Groups -> Edit Selected Group -> Custom Inspect & Update Schedule
In some cases, due to the update requiring a restart, we specify that the app requires an “app restart” under “Patching activity.”
We are also looking into ways to alert the user to restart the system or force restart at a certain point. Please contact your account manager to discuss future feature implementations.
We strive to provide accurate and useful information about the current state of each product, e.g., if it is “OK” or “Insecure” and what type of update we are dealing with, i.e., “Plain/Bugfix Update” or “Security Update”. Unfortunately, not all vendors provide this information, although other parties may have published security information at some point in the past.
Therefore “Untracked” doesn’t mean that we don’t detect the application. It means based on our in-house research, the security and release information from the vendor is not considered reliable.
In general, all beta/alpha/insiders/canary/nightly and other pre-release channels for software is considered *Untracked* as most vendors don’t provide information for this kind of release.
We support a particular setting, ensuring that updates are distributed over a specific time interval. The default is a 4.5-hour window, during which all agents will conduct scheduled inspections also will run the “approved” update tasks. This window can be slightly expanded but ensures the evenest distribution should be aligned with the most common work hours.
Yes, VulnDetect uses BITS (Background Intelligent Transfer Service) from Microsoft allows system administrators to download packages/updates with little impact on the network traffic and bandwidth.
VulnDetect can support an unlimited number of hosts through the multi-site and single-site structure.
VulnDetect offers the option ‘Automatically group new hosts based on their Active Directory groups.’ which will mirror the pre-configured groups present on customers AD.
The option is only available to System Administrators. To group existing hosts you will have to make a request to support@secteer.com
The difference between Hidden and Dormant hosts, is that Hidden is based on a admin action, whereas Dormant is 100% automated. This also means that a Dormant host that becomes active, will be revived automatically, whereas a Hidden host requires an admin action.
All hosts will stop counting license wise after 45 days, if they are inactive.
When an agent is installed on a host, it generates a unique token and saves it in the Windows Registry on that host.
That unique token identifies that host to SecTeer VulnDetect.
When the agent is upgraded, it preserves the unique token and thus preserves its identity.
When an agent is uninstalled, the unique token is deleted from the Windows Registry and cannot be recovered.
If the agent is installed again on that host, it generates a new unique token and a new identity.
This shows up on the Hosts page as multiple instances of the same host.
All results are counted for all the duplicate hosts while they are present on the Hosts page.
The redundant duplicates can safely be moved to the Trash in the Hosts page, deleted in the Configuration page, or automatically transferred to the “dormant host page” after 8 days of inactivity.
As soon as they are moved to the Trash or dormant hosts, the application data from those hosts are no longer counted in any results.
Yes.
For this to work, the MSI needs to be run with the following options:
msiexec.exe /quiet /i secteerSetup.msi WRAPPED_ARGUMENTS=”/options=group=groupname”
groupname must be replaced with the group’s full name in VulnDetect.
If the group name has spaces, then the options we recommend are the following:
msiexec.exe /quiet /i secteerSetup.msi WRAPPED_ARGUMENTS=”/options=group=””group name with spaces”””
Those are regular double quotes, first 1, then 2, and then 3 at the end.
Also, note that the agent will remain ungrouped if the named group does not exist.
Yes, you can request this through your account or send the request to support@secteer.com. We assess your request and, if applicable, add the package and support the software in the future.
We only download installers from official sources and verify the Authenticode Signature.
Software like Mozilla Firefox is verified based on the official GPG signed SHA256SUM lists.
However, for a few applications, like 7-Zip which aren‘t signed, we rely on services like VirusTotal and Jotti.org.
We also deploy such apps to a few test systems which run up-to-date anti-malware / endpoint protection software, before approving it for customers.
This is also the primary reason why there is certain proprietary software we don‘t support, when the official installers aren‘t publicly available from official sources.
Before running any installer that is downloaded via our proxy / CDN, the SHA256SUM of the file is checked against the entry we have stored in our database, both to prevent Man-in-the-Middle attacks as well as avoiding to execute a corrupted installer due to network issues.
Yes, in most cases this will not be an issue. However, you should ensure that the applicability rules for packages applied via other means accept newer versions of the applications, so the applications aren’t downgraded by your deployment tool.
Customer data is stored in SQL databases. We operate with an individual database per customer. This guarantees against data leaks and allows us to easily scale our setup, by e.g. distributing individual customers to different hardware instances. It also allows us to easily purge customer data, if or when a contract is cancelled.
1) Set a string value in the registry, under HKLM\Software\WOW6432Node\SecTeer\Agent
2) The value name is overrideGroup, the value itself is the name of the group that the agent should be in
3) The agent service must be restarted for the agent to read the value and submit it to the backend
4) The backend looks up the group by name, case-insensitive, and if found, it moves the agent to that group
If no group is found with the given name, then the setting has no effect
If multiple groups are found that match the name, then one will be chosen. Which group is chosen is arbitrary, but consistent (it is the first one, ordered by their uuid)
5) The overrideGroup setting persists in the registry, so if the agent is later manually moved to a different group, then it will revert back to the overrideGroup the next time the agent service starts, unless the registry setting is cleared. This will be altered in a future agent release, so that the agent itself will clear the setting, after sending it to the backend.
Do let us know if you have further questions or experience issues. Bare in mind, that this is a new feature, currently only used by one other customer.
The Windows Updates page only shows the updates that are available and not yet applied.
The Windows Update Approvals page show some of the recently applied updates, but those covered in cumulative updates or other major updates of the OS seems to be hidden by the WU API, because these larger updates already include the smaller more specific updates. The data shown is based on the Windows Update API and should closely reflect what you see in the local UI of the Host.
So the Windows Updates page shows the current status of windows updates across the environment, while the Windows Update Approvals gives the user options to apply or block updates.
The Windows Update feature pulls available updates via the currently configured Windows Update service, this means that it will query your WSUS if this is configured.
If WSUS isn‘t updated with the most recent updates, these will not be visible in VulnDetect. In short, it will use the configured Windows Update on the host, if that is WSUS, then we query WSUS, if not, then it will typically be the public one.
Drivers are supported via Windows Update, to the extent that the drivers are available via the Windows Update (server) endpoint that is configured on the host.
You can send your question directly to support@secteer.com, and a solution specialist will be assigned to you and assist with your query.
