29 Sep 2010
For better security, ditch the automatic tools

Quote: I'm often paid to run expensive vulnerability scanning tools against hundreds or thousands of computers. Whereas vulnerability scanning has much value, I find that my manual reviews of those same assets usually reveal things that the automated scans do not.
Automated scanners can only find what they are pre-programmed to seek -- no more, no less. But we humans are good at spotting seemingly innocent-looking yet out-of-place details, then following the intuitive trail to the root cause. When I'm asked to run both an automated vulnerability scan and a manual scan (which is most of the time), I always find more interesting and high-criticality issues using my own forensics analysis.
For example, many times I've found compromised computers with hacker tools sitting in strange directories on the hard drive, malware that is undetectable to the organization's antivirus scanner. Recently I found a remote access Trojan disguised as the client's antivirus software process, but it started from a popular browser's temporary file storage location. The automated vulnerability scanner tool had missed the malicious bot, but my interest was piqued by the fact that two antivirus processes with the same name were running at the same time. I thought it was a common type of memory bug until I saw the strange location.
More - For better security, ditch the automatic tools | Security Central - InfoWorld
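The manual check described in the quoted article (two processes with the same name, one of them started from a browser's temporary file location) can be run over a process snapshot. This is an added example, not part of the original post or the InfoWorld article; the process names, paths and temp-location markers are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Assumed markers for temp / browser-cache locations (illustrative, not exhaustive).
TEMP_MARKERS = (
    "\\temporary internet files\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\cache\\",
)

# Constructed sample snapshot: (pid, process name, image path).
SAMPLE = [
    (412, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (980, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1520, "exampleav.exe", r"C:\Program Files\ExampleAV\exampleav.exe"),
    (3344, "ExampleAV.exe", r"C:\Users\jdoe\AppData\Local\Microsoft\Windows"
                            r"\Temporary Internet Files\Content.IE5\AB12CD34\exampleav.exe"),
    (2210, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

def in_temp_location(path):
    """True if the image path sits under a temp or browser-cache directory."""
    p = ntpath.normpath(path).lower()
    return any(marker in p for marker in TEMP_MARKERS)

def review_processes(snapshot):
    """Flag processes in temp locations and names that run from several directories."""
    by_name = defaultdict(list)
    for pid, name, path in snapshot:
        by_name[name.lower()].append((pid, ntpath.normpath(path)))
    findings = []
    for name, procs in sorted(by_name.items()):
        # Several instances from one directory (svchost.exe) are normal;
        # the same name from different directories is the out-of-place detail.
        dirs = {ntpath.dirname(path).lower() for _, path in procs}
        for pid, path in procs:
            reasons = []
            if in_temp_location(path):
                reasons.append("runs from temp/cache location")
            if len(dirs) > 1:
                reasons.append("same name runs from %d directories" % len(dirs))
            if reasons:
                findings.append({"pid": pid, "name": name, "path": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_processes(SAMPLE):
        print(f["pid"], f["name"], f["path"], "; ".join(f["reasons"]))
```

The genuine antivirus instance is flagged too, because the name collision alone does not say which copy is the impostor; the path decides that.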