At this point, we believe that we have developed approx. 80% of the core functionality, this includes:
- Binary to collect data on the client system
- Scheduling of the binary
- Data collection and parsing from the binary
- Authentication and account management
- Backend for curating data about software and vulnerabilities
- Processing of the collected data / matching with the curated data
- Optimisation and testing of the binary
- Curating data
And loads of more stuff, but first we need to finish the above and get an alpha version out to you.
Please see this announcement about the Alpha:
I am confident that VulnDetect will be the best product on the market!
Today we stopped maintaining rules in the CARMA and instead started maintaining them in the VulnDetect.
The VulnDetect is currently running in a test environment and we have invited a few to test it.
We expect to deploy the VulnDetect (alpha) to the live site on Monday or Tuesday.
I just want to let you know that we are progressing aggressively at the moment.
However, the visible changes are still waiting to materialize.
On the back-end and the rules we have changed significant things lately, most of which doesn't benefit the CARMA, but it will prove valuable in the upcoming VulnDetect.
One of the significant changes that we've been working on is to support "Product Channels". Some vendors offer stable enterprise releases, normal releases, beta releases, nightly builds and so on.
Many of these "channels" are not relevant for most users, but those who do use beta and other pre-release products still expects VulnDetect to detect these products (albeit we can't track the security state of these).
In order to avoid inaccurate results, due to incompatible versioning and lack of security information for some of these beta and pre-releases, we have decided to treat them as "Product Channels".
Practically, this means that the VulnDetect will report the installation / presence of e.g. Chrome Canary as a separate product, and it will report the state as "Unknown" or "Untracked", since Google doesn't provide security information for Canary release.
And the "normal" releases of the Chrome browser will be reported and tracked as a regular program, with a security state.
A similar approach will be taken with e.g. Firefox ESR, Firefox, Firefox Beta, Firefox Nightly, Microsoft Office (Monthly, Semi-Annual, Insider, and so on).
Right now we continue our work on the back-end and the UI of the VulnDetect. With regards to rules, our primary focus is maintaining current products and updating them to support the channels.
Once we've given all the rule sets and channels an overhaul, we will get back to adding detection of new products.
Snorre last edited by
@tom THX for the detailed answer. I am really looking forward to have a product which can tell me if I have vulnerable software installed (for me an my family).
The changes to the back-end had a significant impact on the results in the CARMA.
This has been fixed, but it requires a new inspection, before the results are updated.
We have a bit of a backlog on rules, so the state of certain products, including Adobe and Microsoft products, is not accurate. This will be fixed soon.
Our primary focus now is to prepare the release of the VulnDetect.
We are currently releasing a new (and presumably final) release of the back-end for the Personal CARMA Tech Preview.
This release is likely to break some of the current rules and even some of the new rules that will be added, because the UI of the Personal CARMA Tech Preview doesn't handle the new result sets correctly.
This will not be fixed before we release the Personal VulnDetect (Alpha) later this week or next week.
So please be patient.
We will announce when the Personal VulnDetect (Alpha) is available - at which point we also will close the Personal CARMA Tech Preview for good.
@Snorre I helped adding products to the database so I can tell you that there were many issues where SecTeer needed to find a good concept (a concept how the rules must be built so they work without needing manual adjustment).
But the problem is that there are many applications that store the version info anywhere but not where they should.
So there are many rules to treat those apps...
@snorre I can't give you any very exact estimates on the state of the product going forward.
Now we have been in "Tech Preview" for 3 months, and I believe that we are ready for (early) Alpha next week. We presume that Alpha will be the right label for at least a couple of months, perhaps even to the end of the year.
And Beta quality should be realistic before the end of the year. Once we reach Beta, I think it is viable for most users, except the most novice.
When it comes to labeling the solutions as Alpha / Beta we like to believe that we are leaning towards the conservative side, but I'll let you be the judge of that.
Snorre last edited by
First i want to express that I like your work very much. As PSI, my favored personal security update assistant died, I was looking for a good alternative very long. VulnDetect (Carma) looks like it has the chance to be this product.
Therefore I would like to ask some questions about further development.
Do you have a time schedule or a roadmap where we can see how your further progress is planned?
Is there an estimated date when the product will be in a state where "normal" private users can install?
Which states are planned (alpha / beta / GA) and when?
Thanks for your work to help users to become less vulnerable!
This has been a great week. We have achieved a lot in terms of development, testing and generating content / rules.
And we expect to release the first Tech Preview on Tuesday (8th of May).
This is, as I have promised before, a very early stage of the product.
You will be able to install it.
It will scan your system and find around 20 of the most common programs on your Windows desktop.
You should note, that there is no direct communication between the user interface and the agent. This is very unlike the PSI, which was a local program, that talked directly to the agent and could do "live" scans. This will be changed, but it is a low priority and will not be made before later this year.
Also, patching, or auto updating, is not due to be implemented before around August, give or take a bit.
In the first two or three weeks (maybe more), you should not rely on it to provide a reliable reporting of Safe / Unsafe programs.
But we need you to install it anyway, so we get data to generate new rules from. And we will work to improve rules and reporting everyday, from now on.
And remember, we do read all the posts and comments here on https://vulndetect.org - but we are not anywhere near being able to implement all the great ideas and feedback you have provided, yet. (but keep posting)
@vulndetect That is really good news, as I don't know of any scanner that was as good as Secunia PSI, and I'm holding out rather than going with a different one.
Stay tuned, we are almost ready for a tech preview. All the bits and pieces has been stitched together and we are running the first internal tests of the full setup. All looking good so far. Mostly lacking content.
Another very busy week.
And we are getting so close to a tech preview, we can literally taste it. Unfortunately, we won't be able to release today.
However, we are looking for 10 tech savvy volunteers who wants to test the very first preview (most likely) next week.
What you can expect as an early tech previewer:
- A raw command line install
- Detection of only a handful of software
- No patching
- Your data and account will (most likely) be deleted before we go to a public tech preview
By doing this, you will help us tremendously, as we can root out some early bugs and start adding more rules to detect software, based on your actual installations.
As you can sense, there is still a far way, before we have a product, that is as mature as the PSI 2 was, but we are listening to all the great wishes that have been posted here at vulndetect.org or received via email and we are piecing together a roadmap that we will be working on, once we got the fundamentals in place.
Please write directly to tom at vulndetect dot com to be one of the select 10 initial testers.
We've been aiming hard for a tech preview next week, coincidently, the 20th April, which happens to be the EoL date for the Secunia PSI.
I'm afraid we may miss it by a week, but we are making a lot of progress and will keep you posted.
Sometimes progress seems too slow. But the part about processing collected data and getting the rules right is essential to ensure accurate results, while we also must allow future performance optimizations.
We got a few breakthroughs in the past two weeks and we believe that we have a solid framework for this now, but we still have a lot of work to do.
We also got a bit further with the UI, the registration process, and some work on the infrastructure.
We expect to make the first (internal) test deployment in about a weeks time.
So a tech preview or early alpha still seems to be within range, before the Secunia PSI reaches End-of-Life.
We appreciate all the feedback we got so far, both via email and here on the forum. Feel free to write to us or post here.
Working hard on the processing of the collected data and the initial matching with data on products.
This is work in progress and will continue into next week.
We also started work on the UI.
The new forum setup on EC2 and the upgrade to NodeBB version 1.8.1 is ready and will be rolled out tomorrow, a default high TTL on DNS prevented us from doing it this afternoon, without unnecessary downtime.
Várom az alfa verziót: