Scanner of quirkiness of local networks. Line-up of mesh scanners

The process of naming the scanning of inconsistencies and re-verification of the okremih nodes or the measure of potential threats.

And it is necessary to reconsider the safety of the blame often - especially, as you can find about great organizations, as you may find valuable information, as the evil-doers may need.

Do not be afraid of such scans and administrators of small businesses - there were more serious attacks launched by hackers in 2017, hundreds of thousands of computers were recognized.

Scanner jamming in quirkiness

For scanning the border on weak areas in the systems of their security fakhivtsi information security zastosovuyut vіdpovіdne software security.

Such programs are called quirky scanners.

The principle of their work is based on the revision of supplements, yak pratsyyuyut, that for some reason the titles of "dir", which could be used by third parties to gain access to important information.

Competently choosing programs that help build conflicts between companies, allowing IT facsimiles to avoid problems with stolen passwords and virishuvati so zavdannya:

• search for a shkidlivy code, which was spent on the computer;
• inventory of software and other system resources;
• creation of zvіtіv, scho to avenge information about the silliness and ways of their adoption.

The headline of the other option is no less than the confirmation of these problems, which can be revealed by simple scanning, and the manifestation of problems, which are impossible for the help of a passive technique. The reverification is followed by three additional mechanisms - header reverification, active probe reverb and attack imitation.

Rechecking headings

The mechanism, the name of which English sound yak "banner check", It is folded from a whole series of scans and gives you the ability to select the songs on the basis of the data that are transmitted to the program-scanner at the request.

The butt of such a re-verification can be the scanning of headings for the help of the Sendmail program, which allows you to change the version of the software, and change the visibility of the presence of problems.

The technique is respected by the simplest and best, ale maє tsіlu low nedolіkіv:

• There is no need for a high efficiency of reverification. More importantly, the attackers can change the information in the headers, looking for version numbers and other versions, as if they were selected by the scanner to remove the visnovkіv. From one side, the imovirnistness of such a change is not too high, from the other side - it’s not varto.
• Impossibility is exactly what is given, what is left at the heading, proof of quirkiness. Nasampered, it is worth the programs, as they are sent at once from the text. In case of used inconsistencies, the version numbers in the headings must be changed manually - unless the retailers simply forget it.
• At the appearance of inconsistency in the upcoming versions of the program navit after that, as it was taken from the front modifications.

Time and again, regardless of the minuses, the fact that the guarantee of the “dir” in the system, the process of rechecking the headers can be called not only the first, but one of the main stages of scanning. Tim is greater, that yoga won't disrupt the work, services, or networks.

Active probing rechecks

The technique, known as "active probing check", is based not on rechecking the headlines, but on the analysis and pairing of digital "snapshots" of programs with information about what is already known.

The principle of її work trochi similar to the algorithm, as if transferring scanned fragments from virus databases.

Up to that group of methods, it is necessary to check the date of creation of the scanned PZ or checksums, which allows you to reconsider in the correctness and integrity of the programs.

In order to save the information about the conflict, special data bases are established to avenge more information, which allow you to overcome the problem and reduce the risk of threatening third-party access to the measure.

This information is sometimes collected by security analysis systems, and software security, the task of detecting attacks. In general, the technique of active probing re-verifications has been developed by such great companies as ISS and, working significantly better for other methods - if you want to implement more foldable, lower re-verification of headings.

Imitation of attacks

Another method is called English mine "exploit check", which can be translated into Russian yak "imitation of attacks".

The re-verification, which is based on additional help, is also one of the options for probing and is based on the search for defects in programs for additional help.

The technique has the same features:

• deaks "dirki" in safety can not detect dots, docks can not defeat the right attack against suspected services and nodes;
• software-scanners revise the headers of the software security at the hour of the fake attack;
• when scanning these data, the quirks appear significantly more sharply, lower in the greater minds;
• imituyuchi attacks, you can know more strife (for example, the stench of the boulders), lower for the help of two previous methods - with the help of the swidkіst vyyavlennya dosit temple, protekoristuvatisya in this way do not zavzhd є dotsіlnym;
• situations that do not allow launching "imitation attacks" are divided into two groups - the threat of causing problems with software maintenance services, which is distorted, but the principle is impossibility to attack the system.

Nebazhano koristuvatisya methodology, as objects of verification є protection of the server with valuable information.

An attack on such computers can lead to serious losses of data and the exit from the operation of important elements in the company, and damages to the renewal of practice can appear too serious, cause damage.

In this way, it is necessary to speed up by other methods of re-verification, for example, by active probing or by re-verification of headings.

Tim, for an hour, at the list of inconsistencies є th so, yakі not to be able to show up without trying to defeat attacks - to them, for example, scalability before attacks like "Packet Storm".

For promotion, such methods of reverification of vimkneni in the system.

Koristuvachevi happen to turn them on independently.

Before software scanners, like the third method of scanning on the difference, introduce systems to the type Internet Scannerі CyberCop Scanner. The first appendix has reverifications in category «Denial of service». If you choose any function from the list, the program will notify you about the unsafe exit from the fret, or the re-engagement of the node that is being scanned, ahead of those that are responsible for the launch of the scan to lie on the coristuvachev.

The main stages of re-verification of quirks

More programs that rely on scanning on the inconsistency, pratsyuє coming rank:

1 Collecting all the necessary information about the measure, with the help of all active attachments in the system and the software running on them. As a rule, the analysis is carried out on the level of one PC, since we will already install it on a new scanner, skipping the entire scan.

2 Trying to know the potential for conflict, zastosovuyuchi special data bases in order to equalize the removal of information from already known types of "dir" in safety. Por_vnyannya vikonuetsya for the help of active probing and rechecking the headings.

3 Confirming the findings of inconsistency, congestion of special techniques– imitation of the singing type of attacks, designed to bring the fact of the presence of the presence of the threat.

4 Generates calls based on the selected hour of the scanned listings describing irritability.

The final stage of scanning is for automatic corrections or for troubleshooting problems. This function is practical in a skin system scanner, and there are more fringe additives for rechecking inconsistencies.

Vіdminnostі v robotі rіznih prog

Deyakі scanners podіlyayu quirkiness.

For example, NetSonar system share them on the fence, add them to the routers, so serious, and local, why add the robotic stations.

Internet Scanner podіlyaє threats on three steps - low, high and medium.

Tsі two scanners may still have a small amount of vіdmіnnosti.

With their help, the sounds are being created, and a sprinkling of groups are being broken up, the skin of which is recognized for specific coristuvachiv - types of cerivniki in organizations.

Moreover, for the first ones, there is a maximum number of numbers, for kerrivnitstva - beautifully designed graphics and diagrams with a small number of details.

At the warehouse of zvіtіv, which are created by scanners, there are recommendations on how to use the known quirks.

Most of this information is found in the data, which is seen by the Internet Scanner program, which is seen cover instructions how to solve the problem of improving the features of various operating systems.

According to different implementations, scanners have that mechanism for fixing malfunctions. So, the System Scanner has a special script for which it launches the administrator to solve the problem. At once, the creation of another algorithm is observed, which can correct the broken changes, as if the first one caused a deterioration in the work or a break out of the fret of the other knots. Most other scanner programs do not have the ability to turn the change back.

Dії administrator z manifestation of strife

To search for “dir” at the security administrator, you can use three algorithms.

First and most popular option- re-verification of the measure for the presence of only potential quirks. Vaughn allows you to get to know the data of the system in advance, without disturbing the work of getting that safe maximum speed of analysis.

Another option- scanning with reverberation and confirmation of strife. The technique takes more than an hour and can cause problems in the robotic software security of computers at least for an hour to implement the attack imitation mechanism.

Method #3 transmitting the choice of all three mechanisms (moreover, with the rights of an administrator, that coristuvacha) and trying to use the inconsistency on the other computers. Through low speed and risk, to bring the software security into harmony with this method is more common - mainly, for the obviousness of serious evidence of the obviousness of "dir".

Possibility of modern scanners

The main drivers are up to the software scanner, which ensures the re-checking of the system and її okremі vuzlіv on razlivosti, є:

• Cross-platform or support for a number of operating systems. Due to the obviousness of such a peculiarity, it is possible to reconsider the merezh that is formed from computers with different platforms. For example, for systems like UNIX.
• Possibility to scan a sprat of ports at once– such a function significantly changes the hour for rechecking.
• Scanning all types of software, as if it sounds better before attacks from the side of hackers. Before such software, the company's products (for example, a package of MS Office add-ons) are included.
• Re-verification of the whole fabric and other elements without the need to run a scan for the skin node of the system.

Most of the current scanning programs can intuitively understand the menu and easily adjust to the exact date.

So, in practice, such a scanner allows you to put together a list of nodes and programs that are being checked, specify programs for which updates are automatically installed when inconsistencies are detected, and set the frequency of scanning and creation of calls.

Once the scanner calls are cancelled, the administrator will be able to start repairing threats.

Among the additional features of the scanners, you can see the possibility of saving traffic, as if you need more than one copy of the distribution kit and spread it on all computers of the network. Another important function is the transfer of saving the history of past revisions, which allows you to evaluate the work of nodes at the same hourly intervals and evaluate the risks of new problems with safety.

Scanners

The range of software scanners is great.

All stinks look at the same kind of functionality, efficiency, inconsistency and price.

To assess the feasibility of such programs, look at the characteristics and features of five of the most popular options.

GFI LanGuard

The GFI Software product is ranked as one of the leaders in the world's information security market, and its products are included in the ratings of the most successful and most effective programs in case of revision.

One of such programs, which can secure the security of a number of computers, is GFI LanGuard, to the features of which one can see:

• I’ll get a quick assessment of the port at the system;
• Poshuk unsafe patches on computers merezhі and fenced for the installation of programs, additions and patches;
• the ability to scan as many computers and servers as possible and log in to the system virtual machines and find connected smartphones;
• folding over the results of scanning the report from the designated quirks, their parameters and methods of adoption;
• Intuitively understand the ability to set up automatic work - if necessary, the scanner starts at the first hour, and everything is fixed without the administrator's involvement;
• the possibility of detecting threats, changing the system, updating the allowed software security and removing the protection of the programs.

To the vіdmіnnosti tsgogo scanner vіd bіlshоі analogues can be called vstanovlennja novlenja and patchіv practically for any operating system.

These features and other advantages of GFI LanGuard allow you to be on the top rows of the ratings of the programs for jokes of tribal quirks.

Given the versatility of the scanner, it is relatively small, and it is available to small companies.

Nessus

The Nessus program was first released 20 years ago, but since 2003 it has become paid.

The monetization of the project did not make it less popular - the efficiency and speed of the robotic skin administrator in the world is the most stagnant scanner.

Prior to the selection of Nessus, the following must be submitted:

• postiyno onovlyuvana base of strife;
• easy to install and manual interface;
• effective detection of security problems;
• selection of plug-ins, skins from which they design their own - for example, you can scan OS Linux safely, or start re-checking only headers.

Dodatkova feature of the scanner- Possibility of choosing tests, created by koristuvachs for the help of special software. At the same time, the program had two serious shortcomings. The first one is the possibility of exiting the exploitation of existing programs when scanning for the help of the “imitation attacks” method, the other one is to reach the highest level of versatility.

Symantec Security Check

The Security Check program is a Symantec-free scanner.

Among the functions of the varto, searches are not only for silliness, but for viruses - including macro viruses, trojans and Internet bugs. In fact, the supplement consists of 2 parts - the Security Scan scanner, which provides security measures, and the antivirus Virus Detection.

Before the program is over, it is easy to install and work through the browser. Among the minuses is the low efficiency - the universality of the product, which allows it to swindle the virus, to kill it, which is not suitable for re-checking the mesh. More koristuvachiv recommend vikoristovuvat tsey scanner only for additional reverification.

XSpider

The XSpider scanner is manufactured by Positive Technologies, representatives of which say that the program does not only show up in the presence of inconsistencies, but it is better to know that there are no threats yet.

To the features of the program, you can add:

• effective manifestation of "dіr" in the system;
• the possibility of remote work without the installation of additional software;
• creation of reports on various issues;
• updating the base of strife and software modules;
• one-hour scanning of a large number of nodes and working stations;
• saving the history of revisions for further analysis of problems.

Also, the varto indicates that the variant of the scanner is available in pair with the Nessus program. Although higher, lower at GFI LanGuard.

QualysGuard

The scanner is considered to be rich in functionality and allows you to take reports from an assessment of the level of inconsistency, an hour on their day and a time to “threat” the business.

Product distributor, Qualys, Inc., delivers the program to hundreds of thousands of supporters, creamers, and half of the largest companies in the world.

Visnovki

With the improvement of a wide range of add-ons for scanning merezhі and її vozlіv on razlivostі it will be easier for the administrator's robot.

Now it is no longer necessary to independently launch all the scanning mechanisms manually - just ask to know the correct addition, choose the method of reverification, improve and speed up the recommendations of the removed sound.

Select the appropriate scanner for the functionality of the program, the effectiveness of the search for threats (as it stands for the warnings of the coristuvachiv) - and, which can be important, for the price, as the fault is due to the protection of information, protection.

The problem of the epidemic of mesh worms is relevant for any local mesh. Early on, you can blame the situation, if the wreckage penetrates into the SCRAP, or a mail worm, which is not detected by the blocked anti-virus. Merezhevy virus spreads through the LAN through the operating system that is not closed at the time of infection, or through writable resources. The mail virus, as it is called, is spread by electronic mail for the mind, that the vin is not blocked by the client antivirus and by the antivirus on the mail server. In addition, the LAN epidemic may be organized in the middle as a result of insider activity. In these articles, we can look at practical methods for the operational analysis of computers LOM from zastosuvannyam zasobiv, zokrema behind the help of the author's utility AVZ.

Problem statement

In the event of an outbreak of the epidemic, or of out-of-state activity in the measure, the administrator is guilty of promptly violating at least three tasks:

• detect infected PCs in a merchant;
• know the details of the shkidlivoї programs for the introduction to the anti-virus laboratory and the development of the anti-virus strategy;
• Vzhitit zahodіv to block the spread of the virus in the LOM and yogo iznischennya on infected computers.

At the time of the insider's activities, the main steps of the analysis are identical and most often carried out to the point of revealing the third-party software installed by the insider on the LOM computers. As an example of such software security, one can name remote administration utilities, keyboard shpiguny and different Trojan bookmarks.

Let's take a look at the report on the decision of the skin from the tasks set.

Search for PC infections

To search for PC infections in a merchant, at least three methods can be used:

• automatic remote analysis of PC - retrieving information about running processes, downloading libraries and drivers, searching for characteristic patterns - for example, processes or files from given names;
• tracking PC traffic for additional sniffer - given method It is even more effective for vilov spambots, mail and tethered worms, and the main foldability of the sniffer is due to the fact that the current CLOSE will be based on the switches and, as a result, the administrator cannot control traffic monitoring. The problem virіshuєtsya EYAD Shlyakhov: starting at snіfera marshrutizatorі (scho dozvolyaє zdіysnyuvati monіtoring obmіnu danimi PC Internet access) that zastosuvannyam monіtoringovih funktsіy komutatorіv (bagato Suchasnyj komutatorіv dozvolyayut priznachiti port monіtoringu on yaky dublyuєtsya trafіk one abo dekіlkoh portіv commutators, zaznachenih admіnіstratorom);
• Dosledzhennya navantazhennya on the merezha - at times manually zastosovuvaty іntelektualnі kommutatori, yakі allow yak otsіnyuvati navantazhennya, and y far off іdklyuchati appointed by the port administrator. This operation is simply asked for information from the administrator of the card, de є data about those, if the PC is connected to the main ports of the switch and de stink roztashovani;
• stasis of pasta (honeypot) - it is strongly recommended to create a sprat of pasta at the local yard, so as to allow the administrator to bring out the epidemic in his own time.

Automated analysis of the PC in the merezhі

Automatic PC analysis can be carried out in up to three main steps:

• carrying out a complete follow-up of the PC - running processes, downloading libraries and drivers, autorun;
• carrying out operational obstezhennya - for example, search for characteristic processes or files;
• quarantine of objects according to the same criteria.

All tasks can be downloaded for additional author's utility AVZ, which is licensed to run the zipped folder on the server and support the script language for automatic PC wrapping. To run AVZ on the computers of the coristuvachs, it is necessary:

1. Place AVZ in the read-only folder on the server.
2. Create LOG and Qurantine subdirectories in your papacy and allow the koristuvachs to write to them.
3. Run AVZ on the LOM computers for the help of the rexec utility or the logon script.

The launch of AVZ on krotsi 3 is responsible for the following parameters:

\\my_server\AVZ\avz.exe Priority=-1 nw=Y nq=Y HiddenMode=2 Script=\\my_server\AVZ\my_script.txt

For this mode, the Priority=-1 parameter lowers the priority of the AVZ process, the parameters nw=Y and nq=Y switch the quarantine to the "marginal launch" mode (for this mode, a folder directory is created in the quarantine folder for the skin computer, , HiddenMode=2 punishes access to the GUI and control of AVZ, and, on the other hand, the most important Script parameter is set outside the script name with commands, like AVZ will be found on the computer of the host. The script language AVZ is easy to download and is focused exclusively on the completion of the task of the computer's installation and yogo art. To simplify the process of writing scripts, you can create a special script editor, which can help you promptly, master the creation of typical scripts, and check the correctness of the written script without starting it (Fig. 1).

Mal. 1. AVZ script editor

Let's look at three types of scripts, which can become useful in the course of the fight against the epidemic. First of all, we need a script for retrieving the PC. The task of the script is to carry out the follow-up of the system and create a protocol with the results in the task of the papacy. The script may look like this:

ActivateWatchDog(60 * 10);

// Start scanning and analysis

// System follow-up

ExecuteSysCheck(GetAVZDirectory+

'\LOG\'+GetComputerName+'_log.htm');

// Completion of the AVZ robot

When running this script in the LOG folder (it is transferred that it was created in the AVZ catalog on the server and is available for writing to the correspondents), HTML files will be created with the results of the subsequent computer analysis in the database, moreover, to ensure the uniqueness of the protocol, it will be included dosl_dzhuvany computer. On the top of the script, the command to turn on the watchdog timer is set, which is to complete the AVZ process after 10 minutes at a time, which means that the script will fail.

The AVZ protocol is handy for manual testing, while the protocol for automated wine analysis is a bit adventitious. In addition, the administrator is often aware of the file of a slow program and it is not necessary to check the presence of the day given file, and for obviousness - place before quarantine for analysis. You can zastosuvat the script of such a look at this vipadku:

// Increase the watchdog timer by 10 minutes

ActivateWatchDog(60 * 10);

// Search for a random program on my name

QuarantineFile('%WinDir%\smss.exe', 'suspect on LdPinch.gen');

QuarantineFile('%WinDir%\csrss.exe', 'suspect on LdPinch.gen');

// Completion of the AVZ robot

This script has the QuarantineFile function, so that it can try to quarantine the specified files. The administrator is no longer required to analyze the quarantine (folder Quarantine\Merezhevoe_PC_name\quarantine_date\) for the presence of quarantined files. Check that the QuarantineFile function automatically blocks quarantined files that are based on secure AVZ or on the basis of the Microsoft EDS. For practical zastosuvannya this script can be thoroughly - organize the capture of file names from an existing text file, convert the found files behind the AVZ databases and form a text protocol from the results of the work:

// Search for a file with assigned names

function CheckByName(Fname: string) : boolean;

Result:= FileExists(FName) ;

if result then begin

case CheckFile(FName) of

1: S:= ', access to the file is blocked';

1: S:= ', know as Malware ('+GetLastCheckTxt+')';

2: S:= ', suspected by file scanner ('+GetLastCheckTxt+')';

3: exit; // Safe files are ignored

AddToLog('File '+NormalFileName(FName)+' may be suspected im'ya'+S);

//Add assigned file to quarantine

QuarantineFile(FName,'suspect file'+S);

SuspNames: TStringList; // List of suspected file names

// Rechecking files according to the updated data base

if FileExists(GetAVZDirectory + 'files.db') then begin

SuspNames:= TStringList.Create;

SuspNames.LoadFromFile('files.db');

AddToLog('Database is occupied - number of records = '+inttostr(SuspNames.Count));

// Joke loop

for i:= 0 to SuspNames.Count - 1 do

CheckByName(SuspNames[i]);

AddToLog('Compassion for the list of filenames');

SaveLog(GetAVZDirectory+'\LOG\'+

GetComputerName+'_files.txt');

For a robotic script, you need to create it in the AVZ folder accessible to koristuvs for recording catalogs Quarantine and LOG, as well as text file files.db - skin row of the file will be avenged on the name of a suspicious file. Filenames can include macros, the largest of which is %WinDir% (way to papacy Windows) and %SystemRoot% (way to the System32 folder). The second direct analysis can be to automatically follow the transfer of processes launched on the computers of the cores. Information about the running of the process is in the system follow-up protocol, but for automatic analysis it is better to stop the next fragment of the script:

procedure ScanProcess;

S:=''; S1:='';

// Update the list of processes

RefreshProcessList;

AddToLog('Number of processes = '+IntToStr(GetProcessCount));

// Loop analysis of the selected list

for i:= 0 to GetProcessCount - 1 do begin

S1:= S1 + ',' + ExtractFileName(GetProcessName(i));

// Look for a process on im'ya

if pos('trojan.exe', LowerCase(GetProcessName(i))) > 0 then

S:= S + GetProcessName(i)+',';

if S<>‘’then

AddLineToTxtFile(GetAVZDirectory+'\LOG\_alarm.txt', DateTimeToStr(Now)+' '+GetComputerName+' : '+S);

AddLineToTxtFile(GetAVZDirectory+'\LOG\_all_process.txt', DateTimeToStr(Now)+' '+GetComputerName+' : '+S1);

After the processes in this script, it is impossible to see the ScanProcess procedure, so it's not easy to place it in your script. The ScanProcess procedure will have two lists of processes: complete list processes (for further analysis) those processes, which, according to the administrator, are considered unsafe. In this way, for demonstration, the process named trojan.exe is looked at as not safe. Information about unsafe processes is added to the text file _alarm.txt, data about all processes - to the file _all_process.txt. It is easy to note that it is possible to simplify the script by adding, for example, a reverification of files in processes with improved secure files and a reverification of names of process files from an existing database. The procedure is stored in AVZ scripts, Shaho Wickwork in Smolenskogergo: ADMINSINTER PERIODICLE VIVCHEє ZIBRANY IINFORTY І MODIFIKUKU Script, Daluitsa in nym'ya processing the fences of the grade of Program, scho . In addition to zastosuvannya the list of processes - search for a PC, on some daily binding process, for example, an antivirus.

At the end, let's look at the rest of the core scripts in the analysis - a script for automatic quarantine of all files that are not recognized on the basis of secure AVZs and on the basis of the Microsoft EDS:

// Weakening the auto-quarantine

ExecuteAutoQuarantine;

Automatic quarantine monitors the launching of the process and the acquisition of the library, services and drivers, about 45 methods of autorun, browser extension modules and explorer, SPI / LSP hacks, scheduling tasks, system hacks, etc. Quarantine is especially those that files are added to the new one with retry control, so the auto-quarantine function can be deleted differently.

The advantage of automatic quarantine lies in the fact that, for additional help, the administrator can quickly pick up potentially suspected files from your computers for their education. The simplest (albeit more effective in practice) form of filing files is that it is possible to recheck quarantined kilkom with popular antiviruses as the maximum heuristics. It means that launching an auto-quarantine on as many as hundreds of computers at once can create a high level of pressure on a network and on a file server.

Follow up traffic

Follow-up traffic can be carried out in three ways:

• hand for help sniffers;
• in the automatic mode - at the same time the sniffer collects information, that both protocols are processed either manually, or by the deakim PZ;
• automatically for the help of intrusion detection systems (IDS) such as Snort (http://www.snort.org/) or its software and hardware counterparts. In the simplest way, IDS consists of a sniffer and a system that analyzes information that is collected by a sniffer.

The system for detecting intrusion by an optimal way, chips allows you to create a set of rules for detecting anomalies in the network activity. Another її perevaga polagaє in the offensive: most of today's IDS allow agents to monitor traffic on a number of network nodes - agents collect information and transmit it її. At times, the sniffer has to be manually checked by the console UNIX sniffer tcpdump. For example, to monitor activity on port 25 (SMTP protocol), it is enough to run the sniffer from the command line like:

tcpdump -i em0 -l tcp port 25 > smtp_log.txt

At times, packets are stored through the em0 interface; Information about dropped packets is stored in the smtp_log.txt file. The protocol is broken, just analyze it manually, this butt analysis of activity on port 25 allows counting PCs with active spambots.

Honeypot jamming

Like a pasta (Honeypot), you can beat an old computer, the productivity of which does not allow you to stop it for the cherry-picking tasks. For example, the author's merezhі like pasta successfully zastosovuetsya Pentium Pro with 64 MB operational memory. On this PC, install the most widely used operating system in LOM and choose one of the three strategies:

• Install the operating system without update packages - it will be an indicator of the appearance of an active worm worm in the merezha, which exploits whether it’s known strife for the operating system;
• install the operating system with the updates that are installed on other PCs – Honeypot will be an analogue of any workstations.

Skin from the strategy may have both its pluses and minuses; the author is more important than zastosovuє variant without updates. After creating the Honeypot next create a disk image for swedish renewal systems after її ushkodzhennya shkіdlivimi programs. As an alternative to the disk image, you can use the system to change the ShadowUser type and its analogs. Having prompted the Honeypot, next to lie, that a number of worms are spying on computers, that they infect by scanning the IP range, that they are infected by the IP address of the infected PC (expanded typical strategies - XXX*, XXX+1.*, XXX-1. *), - also, ideally, Honeypot can be in the skin of the environment. In the yakost additive elements To prepare the language, you need access to a number of folders on the Honeypot-system, and in the folders, you should put a number of files in different formats, the minimum number is EXE, JPG, MP3.

Naturally, having created the Honeypot, the administrator is obliged to respond to the robot and respond to any anomalies that have been detected on this computer. As a way to register changes, you can tag a reviewer, and you can tag a sniffer to register the activity. An important point is those that most sniffers have the ability to set up notifications to the administrator when the specified activity of the network is detected. For example, in the CommView sniffer, the rule transmits a “formula” statement that describes the cross-border packet, or sets the number of criteria (strength greater than the specified number of packets or bytes per second, editing packets on a different IP or MAC address) - fig. 2.

Mal. 2. Creation and improvement of pro-measurement activity

How to get ahead of yourself in the best way to vikoristovuvaty alerts to electronic mail, which are forced on Postal screenshot administrator, - from whom it is possible to take operational notifications from the pastures at the border. In addition, as the sniffer allows you to create a sprat ahead of time, it can sense the differentiation of the least activity, seeing the robot electronic mail, FTP/HTTP, TFTP, Telnet, MS Net, traffic moves over 20-30 packets per second for any protocol (Fig. 3).

Mal. 3. Sheet-notification that is enforced
at the time of the manifestation of packages, how they comply with the given criteria

When organizing the pasta, it’s not bad to place on it a sprat of stashes in the border of different border services, or install an emulator. The simplest (and cost-free) is the APS author's utility, which works without installation. The principle of APS work is to start listening to anonymous descriptions from the base of TCP and UDP ports, and at the moment of connection to a given or randomly generated output (Fig. 4).

Mal. 4. APS smutty utility

A screenshot is pointed at the little one, the captures are made for an hour of real APS spratsyuvannya in Smolenskenergo scrap. As you can see on the little one, a connection probe of one of the client computers on port 21 was fixed. APS maintains protocols and can inform administrators of notifications about registration of connection to control ports, which is handy for prompt detection of scans.

When setting up the Honeypot, it's also a good idea to check out online resources on this topic, especially at http://www.honeynet.org/. At the Tools website (http://www.honeynet.org/tools/index.html) you can find a number of tools for registering and analyzing attacks.

Remote access to shkіdlivih programs

In an ideal situation, after the detection of sensitive programs, the administrator sends them to the anti-virus laboratory, they are promptly scanned by analysts and the signatures are added to the anti-virus databases. Digital signatures are used on the PC through automatic updates and the antivirus is viroable automatically deleted shkіdlivih programs without the involvement of an administrator

• from low independent views of the administrator, there are several reasons for the formation of an anti-virus laboratory;
• Insufficient efficiency of the anti-virus laboratory - ideally, the introduction of a minimum of 1-2 years to the base is more than 1-2 years, so that signature bases can be updated at the intervals of the working day. However, not all anti-virus laboratories work so quickly, and it is possible to check a few days for an update (for rare cases, you can check the dates);
• high practicality of the antivirus - low speed of programs after activation, the antiviruses will be lowered, or they will destroy the robot in every possible way. Classic applications - making entries to the hosts file that block the normal operation of the system, auto-updating the anti-virus, remote processes, services and anti-virus drivers, poshkodzhennya їkh shtoshtuvan.

Otzhe, in rehabilitated situations, you have to deal with shkidlivimi programs manually. Most of the time, it’s awkward, shards for the results of investigating computers in case of infected PCs, and navit new names files of shkіdlivih programs. Only a little more work is being done at a distance. Even though the program is not protected from remote access, it can be protected by the AVZ script of the offensive type:

// View file

DeleteFile('my'file');

ExecuteSysClean;

This script sees one task file (or a number of files, the DeleteFile command shards in the script can be unbounded) and then automatically cleans the registry. In a more foldable way, the program can be protected from view (for example, changing its files and registry keys) or masquerading as a rootkit technology. For some reason, the script folds up and looks like this:

// Antirootkit

SearchRootkit(true, true);

// AVZGuard control

SetAVZGuardStatus(true);

// View file

DeleteFile('my'file');

// BootCleaner protocol warning

BC_LogFile(GetAVZDirectory + 'boot_clr.log');

// Import the BootCleaner task to the list of files deleted by the script

BC_ImportDeletedList;

// BootCleaner activation

// Heuristic System Cleanup

ExecuteSysClean;

RebootWindows(true);

This script includes active anti-rootkits, zastosuvannya system AVZGuard (the blocker of the activity of scrambled programs) and the system BootCleaner. BootCleaner - is a driver that monitors the tasks of objects with KernelMode for an hour of recapture, at an early stage of system capture. Practice shows that a similar script can override more powerful programs. To install malware that changes the names of their own files during skin re-entry, - if the system files are detected, the files can be renamed. In this case, you will need to manually scan the computer, or create your own signatures with a smart program (the butt implements the signature search for the description script in the AVZ dowry).

Visnovok

In these articles, we have looked at some practical methods of combating the epidemic of LOM manually without using anti-virus products. Most of the descriptions of the methods can also be blocked for phishing a third-party PC and Trojan bookmarks on the computers of the hosts. If you are guilty of difficulties due to the search for high speed programs or the creation of scripts, the administrator can speed up the "Help" section of the forum http://virusinfo.info or the "Fight against viruses" section of the forum http://forum.kaspersky.com/index.php?showforum= 18. Recording of the protocols and help in the investigation is carried out on both forums free of charge, analysis of the PC is carried out according to the AVZ protocols, and more vipadkiv of the investigation is carried out before the inspection of the AVZ script on the infection of the PC, compiled by the witnesses of these forums.

Security scanners automate security audits and can play an important role in your IT security by scanning your network and websites for various security risks. Qi scanners can also generate a list of priorities quietly, as if you are guilty of correcting, as well as describe the inconsistencies and press whenever you want. It is also possible that the deacons of them can automate the process of usunennya strife
10 best tools for evaluating irritability

• Comodo HackerProof
• OpenVAS
• Nexpose Community
• Nikto
• Tripwire IP360
• Wireshark
• Aircrack
• Nessus Professional
• Retina CS Community
• Microsoft Baseline Security Analyzer (MBSA)

1. Comodo HackerProof
   Comodo HackerProof is regarded as a revolutionary tool for scanning bugs that allows you to fix security problems. Below are some of the main points, so you can take a look at HackerProof:

• Schodenne skanuvannya strife
• PCI Scanning Tools Notified
• Drive-by attack

• OpenVAS supports different operating systems
• The OpenVAS scanning engine is constantly being upgraded for additional tests for streak resistance
• OpenVAS-scanner is a complex tool for evaluating inconsistencies, which identifies problems associated with security on the servers of those other outbuildings of the network
• The OpenVAS Services are free of charge and are licensed under the GNU General Public License (GPL)

• Nexpose can be built into the Metaspoilt framework
• Vіn vrakhovuє vіk strife, for example, what a shkіdlіy nabrіr vikoristovuєtsya in the new, yakі perevagi vіn vikoristovuє and so on.
• Vіn building automatically reveal and scan for new buildings and assess the level of influx when accessing the building
• In control of the volatility in the real time mode, knowing yourself with the remaining problems with new tributes
• The greater number of scanners of quirks is to classify the risks, which are the middle, high, and low scales.

• Vіn also vikoristovuєtsya for reverification of old versions of the server, as well as for reverification of any specific problems that affect the server's work
• Nikto wins for conducting various tests on web servers for scanning different elements, such as a few unsafe files
• Vіn is not respected by a "quiet" tool and victorious for web server testing in a minimum hour
• Winning for scanning different protocols, such as HTTPS, HTTP also. This tool allows you to scan a port of a single server.

• Vіn vikoristovuє large-scale manifestation of a measure of manifestation of all quirks, configurations, additions, fringe hosts just.
• Vіn vikoristovuє vіdkritі standards to help in the integration of risk management and volatility in business processes

• Wireshark wins in various streams, such as establishments, enterprises, initial mortgages, etc., to look into the margins at a low level
• Fixing problems on the Internet and solving offline analysis
• It works on various platforms such as Linux, masOS, Windows, Solaris, etc.

• Tools for merging audit
• Vіn pіdtrimuє kіlka OS, yak-from Linux, OS X, Solaris, NetBSD, Windows too.
• We focus on various WiFi security bugs, such as packet monitoring and data, driver testing, card replay attacks, malware, etc.
• With Aircrack, you can recover the keys you've spent by storing data packets

• Tse zabіgaє penetration merezh z hackerіv way of assessing frivolities in the next hour
• Vіn can skanuvati vzlivostі, yakі allow vіddaleno zlamati confidential data from the system
• We support a wide range of operating systems, Dbs, add-ons and a number of other outbuildings in the middle of the cold infrastructure, virtual and physical facilities
• Vіn buv vstanovleny i vikoristovuєtsya millions koristuvachіv vsomu svіtі to assess strife, problems zmіnoyu too thin.

• For its capabilities, such as soundness about performance, correcting that performance configuration, Retina CS ensures the assessment of cross-platform influx
• Vin enables automatic scoring for databases, web add-ons, workstations and servers
• Retina CS is a program with a clear code that secures the complete support of virtual environments, such as vCenter integration, scanning virtual additions and etc.

• MBSA allows you to increase the level of security, extending the group of computers for whatever incorrect configuration.
• You can scan more security system updates, update packages, and storage update packages that override critical additional updates.
• Vіn vikoristovuєtsya by organizations of medium and small size for the management of the security of their measures
• After scanning the MBSA system, we can give a solution to a solution, or propositions related to common frivolities

How can you reconsider what was enough and all the stinks are even more unsafe for systems that were weaker before them. It is important not only to constantly update the system in order to get caught up in new quibbles, but also be inspired by the fact that your system does not avenge long-used quibbles, as hackers can win.

Here, Linux squabble scanners come to the rescue. Tools for the analysis of quirks are one of the most important components in the security system of a skin company. Re-verification of supplements and systems for the appearance of old quibbles is an obov'yazkova practice. These articles have the best slur scanners with a clear input code, so you can use it to detect slurs in your systems and programs. All the stinks are in full swing and can be victorious as the most prominent coristuvachs, as well as in the corporate sector.

OpenVAS, or Open Vulnerability Assessment System, is a complete platform for quizzes, as it can be found with an open code. The program is based on the output code of the Nessus scanner. On the other hand, the scanner was expanding with the open code, and then the retailers hid the code, and also, in 2005, on the basis of the Nessus version of the OpenVAS creations.

The program is composed of server and client parts. The server, which performs the main work of scanning systems, runs only on Linux, and client programs support Windows, and the server can be accessed via a web interface.

The core of the scanner has more than 36,000 different checks on the variance and is updated today with the addition of new ones that have recently appeared. The program can show inconsistency in running services, as well as spoof incorrect settings, for example, the lack of authentication or even weak passwords.

2. Nexpose Community Edition

Another tool to check for linux silliness with open source code that is being developed by Rapid7, the same company that released Metasploit. The scanner allows you to detect up to 68,000 frills, as well as pick up more than 160,000 hemstitches.

The Comunity version is still free, but it can be upgraded to scan up to 32 IP addresses and less than one copy at the same time. It is also necessary to update the license for a short time. There is no scanning of web add-ons, then the database of contentions is automatically updated and information about the contention of Microsoft Patch is taken.

The program can be installed on Linux, and on Windows, and the recovery can be done via a web interface. For additional help, you can set the scanning parameters, ip address and other necessary information.

After the completion of the recheck, you will get a list of inconsistencies, as well as information about the installed software security and operating system on the server. You can also create and export calls.

3. Burp Suite Free Edition

Burp Suite is a web crawler, Java spellings scanner. The program consists of a proxy server, a spider, a tool for generating requests and for testing stress tests.

For Burp's help, you can look at web add-ons. For example, for the help of a proxy server, you can change and look at the traffic call that needs to be passed, as well as modify it if necessary. Allow me to simulate a lot of situations. The spider helps to know the web resistance, and the query generation tool - the stability of the web server.

4. Arachni

Arachni is a full-featured framework for testing web zastosunkiv, writing in Ruby, which expands with open source code. We allow you to evaluate the security of web-sites and sites, for various penetration tests.

Program Pіdtrimє Vicannune Scanuvannya Z Avtentifіkatsіyu, Shalshtovanya Zaglovkіv, P_DTRIMKOE ZININI ASER-AGENT, PІDTRIMKA VENKENNYY 404. CRIM, MAE Web Intrfeisa is the command of the team row, Scanuvanna can be subjuginati, and Potimy to cloak South Schwidko.

5. OWASP Zed Attack Proxy (ZAP)

OWASP Zed Attack Proxy is another comprehensive tool for spying on web addons. All standards for this type of programming are supported. You can scan the site, rewrite the structure of the site, search for inconsistencies, check the correctness of the processing of repeated requests for incorrect data.

The program can work for https, as well as support different proxies. The rest of the program is written in Java, so it's easy to install and twist. Cream of basic capabilities, є large number plugins that allow even more functionality.

6. Claire

Clair is a tool to look for linux silliness in containers. The program will remove the list of quirks, which can be unsafe for containers and ahead of the coristuvacha, as such quirks were revealed in your system. Also, the program can be updated, as there are new inconsistencies, which can make containers unsafe.

The leather container is checked once and it is not necessary to run it for this check. The program can extract all necessary data from a closed container. The numbers of data are saved in the cache, so that the mother can tell about the strife of the future.

7. Powerfuzzer

Powerfuzzer is a fully functional, automated and customizable web crawler that allows you to override the response of web programs to incorrect data and repeated requests. The tool supports only the HTTP protocol and can detect such inconsistencies as XSS, SQL injection, LDAP, CRLF and XPATH attacks. Also, pardoning 500 pardons is expected, as they can be evidence of incorrect adjustment or cause a problem, for example, buffer overflow.

8.Nmap

Nmap is not a known quirk scanner for Linux. This program allows you to scan the border and recognize it, how the universities are connected to it, and also how the services are launched on them. Tse don't give secondary information about inconsistency, then you can use some of the software security, you can be irritable, try to sort out weak passwords. Also, it is possible to use special scripts, which allow you to assign deeds of inconsistency in the singing software.

Visnovki

At this article, we have looked at the best linux sleaze scanners, stinks allow you to trim your system and programs at the latest security. We looked at programs that allow you to scan the operating system itself or web add-ons and sites.

At the end, you can look at the video about those that are scanners of splendours and more stench you need: