Category Archives: Productology

Microsoft Defender for Endpoint: The Latest Versions of Antivirus Engine & Signatures

In a previous episode on Microsoft Defender for Endpoint, I described how to get a list of antivirus engine and signatures versions for the hosts in your infrastructure using the Microsoft Graph API. But the problem remains. You know the versions that are currently installed on the hosts. But where can you get the latest versions that should be installed there?

I haven’t found any pretty solution for this. I parse public html pages on the Microsoft site I’ll show you how I do it. If you know something better, please write in the comments.

Continue reading

How to get Antivirus-related Data from Microsoft Defender for Endpoint using Intune and Graph API

Hello everyone! In this episode, I would like to tell you how I tried to get automatically antivirus-related data (current status, engine and signature version, last full scan date) from Microsoft Defender for Endpoint using Microsoft Intune and the Graph API.

Why is this necessary?

You might assume that if the Defender for Endpoint agent is installed on the host, everything should be fine automatically. But in fact, the antivirus engine and signature versions may be outdated, real-time protection may be disabled. And so all this needs to be monitored.

Grapf API

This will be the third episode about Microsoft Enterprise Security APIs. The first was about Defender and Defender API, the second was about Intune and the Intune API. And today I’m going to talk about the Grapf API, which should probably replace all the other APIs and should be more logical and easier. Although in my opinion it is even strangier and poorly documented. I didn’t like it.

Continue reading

How to fix “Nessus failed to load the SSH private key” error?

If you are using Nessus to scan Linux hosts and authenticate by key, you may encounter this problem.

You have generated the keys correctly, placed the public key on a remote server. You can connect to this server using the private key.

ssh -p22 -i private_key user@server.corporation.com

But when scanning with Nessus, you get weird errors in the various plugin outputs:

  • Target Credential Status by Authentication Protocol – Failure for Provided Credentials
  • Nessus failed to load the SSH private key. Is the associated passphrase correct?
  • Failed to parse the given key information.
  • Unable to login to remote host with supplied credential sets.
Continue reading

My thoughts on the “2021 Gartner Market Guide for Vulnerability Assessment”. What about the quality?

The Gartner Vulnerability Management Reports are one of the few marketing reports that I try to read regularly. This started back in the days when I was working for a VM vendor doing competitive analysis. Gartner is one of the few organizations that think about Vulnerability Assessment and Vulnerability Management and clearly articulate where we are and where we are going.

I got a free reprint of “2021 Gartner Market Guide for Vulnerability Assessment” from the Tenable website. Thanks a lot to them for that.

Let’s start with what I liked:

  1. It’s great that Gartner has made vulnerability prioritization technology (VPT) a separate class of solutions, that do not detect vulnerabilities themselves, but work with them. For example, Kenna or my Vulristics. And it could be additional functionality like Tenable VPR.
  2. I liked the focus on EDR as a promising VM replacement. Especially, Microsoft solutions (Defender for Endpoint or as was mentioned in the report Microsoft’s Threat & Vulnerability Management, TVM).
  3. It’s nice that various areas related to Vulnerability Management have been mentioned: Pentest, Bug Bounty, Breach and Attack Simulation (BAS).
  4. An interesting diagram that shows that VA is primarily about “Assess” and “Asset Management”, VPT is primarily about “Prioritize” and “Workflow Management”, BAS is primarily about “Compensate” and “Security Controls”.

Now what I didn’t like. I have one pain point – the quality of the scanning. And here, on the one hand, something was said, but on the other, it was not enough and not as definite as I would like. Market Direction is the most interesting section of the document. And it was the most painful to read.

Continue reading

Last Week’s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers

Hello guys! The third episode of Last Week’s Security news, July 5 – July 11. There was a lot of news last week. Most of them was again about PrintNightmare and Kaseya.

The updates for PrintNightmare (CVE-2021-34527) were finally released mid-week. It became possible not only to disable the service, but also to update the hosts. This is especially important for desktops that need to print something. But the problem is that these patches can be bypassed. “If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft’s patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE”. Microsoft has updated their security update guide after that: “if you set this reg key to = 1 then the system is vulnerable by design”. It seems that solving this problem requires hardening and registry monitoring.

Continue reading

Vulristics HTML Report Update: Table for Products, Table for Vuln. Types and “Prevalence”

Hi guys! I was on vacation this week. So I had time to work on my Vulristics project. For those who don’t know, this is a framework for prioritizing known CVE vulnerabilities. I was mainly grooming the HTML report.

I added a logo at the top, set a max width for the report, added a timestamp when the report was created so you can now see how fresh it is. I have combined CVSS and Vulristics score statistics in two parallel columns.

But the main new feature is the tables of vulnerable products and types of vulnerabilities. The products are sorted by “prevalence”. You can review this list and ask yourself if this order is correct in your opinion or change the “prevalence” values for some products in the config dictionary. For software products with unknown “prevalence”, you will see the comment “Unclassified Product”.

Continue reading

PHDays 10: U.S. Sanctions, My Talk on Vulristics, Other Great Talks Related to VM

Today I will talk about the Positive Hack Days conference, which took place on May 20 and May 21 in Moscow. I can say that this was and remains the main event for Information Security Practitioners in Russia.

First of all, I have to say a few words about the sanctions. The organizer of the event, Positive Technologies, is under the sanctions of the US Treasury Department since April 2021 among the “COMPANIES IN THE TECHNOLOGY SECTOR SUPPORTING RUSSIAN INTELLIGENCE SERVICES”. In a press release, the Treasury Department wrote that Positive Technologies hosts large-scale conventions that are used as recruiting events for russian special services. Well, I don’t know exactly what they mean. Maybe they mean PHDays or maybe not. But to say this about PHDays is like saying that any major international conference, Black Hat or RSA, is a recruiting event. This is ridiculous. In my humble opinion, these are some dirty political games. It is sad that reputable information security companies and security researchers are suffering from this.

Now let’s talk about my speech at PHDays 10. This year I had the opportunity to talk for an hour about my pet project – Vulristics. This project can help you prioritize known vulnerabilities. Anything that has a CVE id. There is a full video of my speech. I have uploaded this to my YouTube channel.

Russian version.

And a version that was dubbed into English.

So, if you’re interested, I recommend watching the full video. Here I will simply repeat the main points.

Continue reading