Frequently Asked Questions

What are the benefits running your audits?
What are the auditing service options?
What are some of the common vulnerabilities found?
Your service is too expensive!
Can other people see my audit results?
Will this guarantee the security of my network?
I have a firewall. Do I need this service?
I have my own vulnerability scanner. Why would I need yours?
Can I scan anyone's machine?
Can you email me the audit results?
Which platforms do you audit?
Will my network crash as a result of an audit?
How long does it take to run an audit?
What is CVE?
What are channels?
What are the well known services and ports?
Why don't you always scan all TCP and UDP ports?
Why are you using cookies?
Why did you falsely detect application X to be vulnerable
Can you provide some testimonials or references?
Questions and Confidentiality

What are the benefits of running your audits?
Attracting thousands of users all over the world, Security Audits are the most comprehensive, up-to-date and cost-effective security auditing services on the internet. The easy-to-use tool
What are the auditing service options
We provide a number of different service levels and types of subscriptions. A price & feature comparison provides a quick overview of what you get with the different packages. The 5 different types of audits available:
  1. Basic Audit: a TCP port scan of over 1500 ports;
  2. Single Vulnerability Test, a selection of 99761 different vulnerability tests;
  3. Desktop Audit: a TCP port scan of over 1500 ports, and runs 6098 vulnerability tests in DoS, Windows, Backdoors, Misc. & Firewalls categories;
  4. Standard Audit, providing you with a Basic Audit (port scan) and execution of all 99761 available vulnerability tests;
  5. Advanced Audit, providing you with a 65,535 TCP port scan and execution of all 99761 available vulnerability tests;

Our No Risk audit is equivalent to the Standard Audit in its execution, except that we don't show you the details of the problems we found. This is useful as a way of determining whether or not you have any problems before you decide to buy any of our services.

Your service is too expensive!
Your entitled to your opinion. However, we ask you to consider the following:

Consider the following services: We feel these prices are second to none the industry.

Can other people see my audit reports?
No. Only you can see the results of your audit. Audit reports are generated based on scan results in our local databases. The only way you get to see the audit report is by logging in to your account on our secure SSL server.

What are some of the common vulnerabilities found?
The problems we routinely find usually fall into one of the following areas:


Will this guarantee the security of my network?
No. The reports give you information as to potential areas to examine for security concerns, but you must still take the necessary steps to secure your network.

I have a firewall. Do I need this service?
Firewalls are great for restricting access to your network, but firewalls cannot prevent all problems. Two of the most common problems with firewalls are For a list of the firewall specific tests available, click here.

I have my own vulnerability scanner. Why would I need yours?
There are many scanners available, both commercial and open source. The benefit of using this service, however, is not in the specific technology being used, but that it provides:
Can I scan anyone's machine?
No. You may only scan the machine which you own. Normally, that means the machine from which you are browsing.

If you wish us to scan a machine that you cannot surf from (e.g. a corporate web server), use the IP Permissions form to submit the range of IPs that you wish to be able to audit. After we confirm that you are authorized to audit the requested IPs, we'll grant your account priviledges to audit those IPs regardless of where you are surfing from. Note: we offer this service only to customers that purchase auditing services.

Can you email me the audit results?
We will provide you with an email alert indicating that a scan has been completed. However, for security reasons, we will not email you the results, since email is an insecure way of sending information.

Even if we launch an audit on your behalf, the audit is run out of your account on our system, and the report is available for pick up from the same account.

Which platforms do you audit?
Our service has tests for virtually every platform out there, and is not limited to one particular operating system or application suite. You will find tests for Windows, Linux, Unix, Macintosh, Web servers, Database products, and more. If it can be remotely tested, we try to have the test for it available.

Will my network/system crash as a result of an audit?
We certainly hope not, but ultimately there are no guarantees. Bear in mind that an audit is considered to be an intrusive operation.

The different audits have different risk levels associated with them. Our Basic Audit is a port scan that should not impact anyone's system. It is relatively low bandwidth (<50K at peak), and if it does crash your system, you should definitely be looking at doing something about this, since it is quite likely you will be port scanned by someone in the future.

A number of the vulnerability tests are denial of service attacks that are designed to test the integrity of your hardware and software. These tests focus on known problems on various computer systems, and may impact equipment it is aimed at, such as routers, firewalls, etc. For a description of the various DoS attacks included in the test suite, check here. None of the DoS tests involve deliberate attempts to flooding your bandwidth (a trivial, non-preventable attack). DoS tests are disabled by default to reduce the likelihood of your system crashing, but you may enable them at your own discretion.

How long does it take to run an audit?
This depends on the type of audit you launched, the network between us and you, and how your system is configured. For unprotected (no firewalls or packet filtering), the times are roughly

For systems that are shielded by packet filtering of one form or another, the times are closer to Regardless of how long it takes, when an audit is complete, we email you a notification that you requested an audit, and that the results are complete and available on-line.

Advanced audit subscribers have a default of 2 channels available, meaning that they can run 2 audits simultaneously. Both Advanced and standard audit subscribers may purchase additional channels allowing for conducting audits of larger networks faster.

What is CVE?
CVE stands for Common Vulnerabilities and Exposures. It represents a standard way of numbering and describing known vulnerabilities. The scanning engine we use includes CVE identifiers where available. Our test reports include these identifiers linked to the official CVE site located at cve.mitre.org.

All our tests now include, when available, related on-line cross-references, providing additional information on those vulnerabilities. Such cross-references include:

There are over 10,000 on-line resources available associated with the various CVE identifiers in our tests. You can search our database for tests by CVE or CVE candidate number.

What are channels?
Channels are how we manage audits. Each channel has the ability to process one audit request at a time, and each audit request will usually take no more than 50Kbit of bandwidth. Advanced monthly/yearly subscribers by default have 2 channels available to them, meaning that they can run two audits at a time. Dedicated server leases include 50 channels per server, while all other customers have one channel by default available to them. All customers may purchase additional channels to allow for auditing larger networks more quickly.

What are well known services and ports?
Well known services are are services known to customarily exist on specific ports. This is different from the definition of a well known port, which is the port range 0 through 1023. From IANA's web pages, the port definitions are as follows:

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.
  • The Well Known Ports are those from 0 through 1023.
  • The Registered ports are those from 1024 through 49151.
  • The Dynamic and/or Private Ports are those from 49152 through 65535.

The ports we audit are all well known ports (1-1023), along with about 500 ports in the 1024-65535 range. These additional ports consist both of legitimate services as well as commonly known trojans.

To see the IANA well known ports that have been assigned, check out their site at www.iana.org.

Why don't you always scan all TCP and UDP ports?
To scan all possible ports would involve scanning over 130,000 ports. While that would be thorough, there are a number of problems associated with doing this:

Our methodology is to ensure we provide accurate results, and because the last two items make it either difficult or impossible to perform effective full UDP port scans, we have elected to limit UDP scans to checking for services (e.g. trojans) residing on known UDP ports.

Why are you using cookies?
Cookies are a way that a web server can store, either temporarily or for longer periods of time, information about you, the user, on your own browser's computer system. We use cookies to manage and secure our login and session management process ONLY. The cookies we generate are never written to your disk cache. They will only ever be transmitted over secure SSL connections, and we never use them for any reason other than to do login session management. You will have to enable cookies, and accept the cookie "asaut" (if your browser is prompting you for acceptance) in order to be able to successfully use this service.

Why did you falsely detect application X to be vulnerable
We often get questions such as "You indicate my SMTP server type <somename> is vulnerable, but I'm not even running that server. What gives?"

We detect vulnerable applications in one of two ways. The first is banner checking, where the application in question will tell us that it is version X. When we know version X is vulnerable, we report that. This is however susceptible to banner fiddling - if you change the banner string reported, we might produce an erroneous report. There is also the issue that many Linux distributions will maintain a version of an application, introducing security fixes with patch levels that leave the base version number the same. In these cases, we may erroneously report your server as vulnerable.

The second method of checking involves actually TESTING an application's vulnerability by injecting a benign payload of data that is known to cause the application to crash, produce an error, or some similar, measuable activity. In these cases, we are checking to see if the application behaviour is consistent with that of a vulnerable application (e.g. it closes the socket connection because the instance crashed). This method can detect vulnerabilities in application OTHER than the version in which it was originally found. It does, however, suffer from a key weakness in that some applications (notoriously SMTP and FTP servers) will rather than return an error message on an invalid data payload, will instead simply detect the bogus data and close the connection deliberately. This, from our perspective, is indistinguisable from an application crash, and can result in false positives being reported.

Can you provide some testimonials or references?
We recommend you visit our testimonials page. This documents our position on this subject.

Questions and Confidentiality
We fully understand the importance of confidentiality and the privacy of your audit information. If you have any further questions, please drop us a line at contact <at> securityspace <dot;> com.



© 1998-2024 E-Soft Inc. All rights reserved.