New Parser for foundstone - foundscan mcafee

Document created by aner@we-can.co.il on Sep 28, 2010

I have built a new FoundStone parser (fs.sdkibdatabase) which replaces ArcSight's out-of-the-box FoundScan agent.
The main reason is because the FoundScan parser is missing some information, or dedicated info, which
is critical for my customer.
The parser is ID based and includes several NON-ANSI joins from different tables of the Foundstone DB.
The main issue is to monitor only the vulns from the vulnsfound table and generate
a full report of:
1. clients without AV real-time scan
2. clients with an old signature
3. clients with an old AV version
4. clients infected by a virus (correlated with SEP11)
5. clients with no AV installed - this is not a feature of the Foundstone DB (because Foundstone tells you by default what you have and not what you don't have). We managed to get a script from McAfee for a DB update
and then get the value of AV NOT INSTALLED for the clients (using a diff parser - not included).
6. non-accepted software used by clients
7. weak client passwords
8. full vulnerabilities per client

* A map file is included to map clients as ALIVE or NOT ALIVE.

Another parser (access.sdkibdatabase) generates a report of clients which Foundstone cannot
access and scan.

You are welcome to test it on your system.

Aner, We! Secure (israel)
aner@we-can.co.il
