September 8, 2010

Security vulnerability research firm Secunia has released a public beta of its Personal Software Inspector tool, a program designed to help Microsoft Windows users keep their heads above water with the torrent of security updates for third-party applications. The new beta version includes the promised auto-update feature that can automatically apply the latest patches for a growing number of widely-used programs.

Secunia first announced in March that it would soon make the auto-update feature available to consumers, noting that the average PC user needs to install a security update roughly every five days in order to safely use Microsoft Windows and all of the third-party programs that  typically run on top of it.  The new beta version doesn’t allow auto-updating for all applications, although Secunia says the list of applications that can be auto-updated through its tool will grow as the public beta progresses.

Overall, PSI 2.0 Beta seems to work quite a bit faster and use fewer resources than earlier versions. But my main concern in allowing third-party programs to update through PSI has so far been — ironically — relinquishing control over the update process. That’s because many “free” applications — such as Java, Adobe and Foxit readers — are free because a number of users never bother to deselect the check mark in the box next to offers to install additional software that is often bundled with these products, including virus scanners and various browser toolbars.

I am happy to report that so far this has not been an issue. On my test installation of the PSI 2.0 beta, it allowed auto-updating for 10 installed applications, including Adobe AIR, Flash Player, Foxit, Firefox, Thunderbird, Opera, Pidgin, Skype, Java, and xChat. The PSI tool updated all of those apps without any unwanted add-ons or toolbars that I can see.

Stefan Frei, research analyst director at Secunia, said the company wants to hear from users who receive more than just the security update.

“We always try to provide updates without unnecessary add-ons, but this is exactly the kind of of feedback we are looking for during the beta,” Frei said in an e-mail to KrebsOnSecurity.com. “So far we haven’t received any support cases indicating that we don’t hit it right on, but it is something we [are] aware of and will address if we receive any reports from users who find that it could be optimized.”

If PSI can’t auto-update any programs, it includes a clickable “Install Solution” link in the tool that fetches the executable update directly from the vendor’s Web site.

For those who don’t want to install PSI, Secunia makes available on its site an online version of this tool — Online Software Inspector — although the OSI requires users to have Java installed (PSI does not require Java).

If you’ve used the new PSI Beta, please sound off in the comments with your experiences.


60 thoughts on “Revisiting Secunia’s Personal Software Inspector

  1. Randy

    I installed it at home on one machine. I have the user setup as a local user and PSI <1.5.02 did not run correctly in this security context. I am hopeful that this version will run and update without needing to be a local admin.

    1. Rob

      I like PSI quite a bit, but I’ve always been confused by it flagging products that don’t appear to be out of date. For example it will sometimes suggest an update for Acrobat, but Acrobat’s internal updater will say everything’s up to date, which makes me wary of using the patches PSI directly links to.

      1. JCitizen

        @Rob;

        I’ve never received an update from Secunia that wasn’t needed, or not out of beta yet. The fact that you relate how early you can get these updates by skirting the johnny-come-lately built in updater, is all the more reason to use it.

        This can lower your zero day profile for vulnerability attacks. I also once saw File Hippo’s update checker beat Secunia by five days! This is an advantage not a disadvantage. We have been using these utilities in the IT industry for some years; it is not like they don’t have a reputation to uphold. I trust them a lot more than the vendor company and their applications that they support!

      2. Wladimir Palant

        I think I had only one case where PSI had a false positive and showed a fictional update. Clicking the forum link clarified the situation immediately and the issue was resolved a few days later. However, I did have a few occasions where the built-in updater of an application wouldn’t find an update that did exist – Foxit Reader has this problem occasionally.

      3. John Dough

        @Rob
        Sometime it will hit earlier versions of a file that is no longer used but is still on the drive. You may need to verify where the files is located and if it’s just leftovers from a previous installation.

  2. Mr. X

    PSI 2.0 beta is becoming my proxy for getting applications updated for PCs belonging to relatives when I cannot be there. I really like the new interface.

  3. fsr1

    1.5.0.2 problem is XPSP3 problem (known), however i have been unable to run current beta release either on XPSP2 and on VistaSP2, but on my XPSP3 runs fine. Anyways i already reported it.

    1. Brian Krebs

      At the risk of inducing a flame response, how come you’re still running XP SP2? You are no doubt aware that MS is no longer releasing updates for that, right?

    2. JCitizen

      @fsr1;

      Hmm! I’m not having any problems on any of my clients machines, on any version of Windows past XPSP2!?

      Maybe malware have become Secunia PSI “aware”; it is a known fact that many of the new malcode are programed to assess the situation by scanning to see what is installed on the PC and attempt to thwart the AV/AS code’s system folder, settings, or downright uninstall the security application all together!

      I’ve had malware turn protections off on very good security utilities that did not have their settings console password protected. Usually a good info-sec utility can not be manipulated in a restricted account anyway.

  4. Alan

    I have it installed or two home machines. I liked the new interface and the auto-updating has worked well so far. Anything that fixes the nightmare updating processes of Flash and Java is a miracle.

    At work I’m still on the manual process. Today Firefox reminded me that I needed to update Flash. So it went through the whole routine of downloading the Adobe download manager and then trying to install Flash. Adobe’s software claimed the update was successful but Firefox says the version still needs updating. Ugh!

    PSI 2, as was the case with the earlier version, does need to run as Admin which isn’t a great surprise given what it does. At home I’m using W7 and I’m logged in as standard user most of the time (that’s true standard user; not W7’s default Admin Approval Mode / UAC mode). So I either have to start PSI with admin credentials (over the shoulder mode) or I have to login into an AAM account occasionally.

    1. Jonathon

      I have often had that same trouble updating Flash. Adobe *really* needs to address that issue. I believe the problem is that their “version check/update” page does not really check for the latest and greatest. While PSI and Firefox’s plugin checkers actually do.

      I’ve had the most success downloading standalone Flash update packages from FileHippo.com. Remember that you may need to update Flash twice, once for Firefox and once for the ActiveX version that IE (and other apps) use.

      1. Alan

        It think you may be right about the version check/update not being up-to-date. Adobe seem to have problems figuring out how to do security. I ended up just running OSI and then using the download links for the regular and active X files and then manually updating. That seemed to work but unless you are some sort of security wonk you’d just give up at the first hurdle, if you even bothered to patch in the first place.

        The other issue with Java and Flash is that you often end up with older, orphan versions. I don’t know about the new version of PSI yet, but the old version was good at tracking done old installations and files and exterminating them.

        1. JCitizen

          @Alan;

          At least Secunia PSI usually has a removal link for any utility that is known to leave older files behind. And even then, it lists the file path of the obsolete execution file so you can delete it yourself!

          I always check CCleaner to make sure I can’t get rid of remnants that way, but sometimes you will find an uninstaller in the same folder as the offending/obsolete file.

    2. David Chasey

      I’ve not yet installed PSI 2, but I’ve been using PSI for quite a long time, on an XP and Windows 7 computer. (A great program.) At least with PSI there is a way to get around running it in the Administrator mode.
      DO THIS: Log-in Administrator mode, PSI will be running. Then change to limited (XP) or standard (Windows 7) and PSI will continue working. I do this every morning when I turn on my computers. During the day and night, instead of turning off I hibernate the computer. Turn it on again in limited or standard mode and PSI still works.

      1. gtodon

        This doesn’t work for me. I’m also using XP, and when I log in as an administrator, then change to a limited account, I actually REMAIN in an admin account (with all its rights, privileges, and hazards) until I reboot or log off and on again. Hibernating isn’t enough. So, as you say, PSI continues working, but that’s only because I’m still in an admin account.

        I wish there were a way around this. I can either run PSI constantly in an admin account, or run without it in a limited account. Anybody got a solution for this? Brian?

        1. Alan

          I think this would work for me as I’m on Windows 7. PSI is activated by the Windows Task Scheduler. I wonder if there’s a way to reconfigure how the task runs so that it will run even if you are just logged in as standard user. If you search their forums there is some discussion of this but the Secunia support people on the forums haven’t been very helpful on this score.

          Tonight I got home I logged in as a standard user then switched to an admin account and watched as PSI detected today’s Mozilla Thunderbird and Firefox updates as missing, then automatically downloaded and installed them automatically. Nice! The Thunderbird one was marked something like “delayed install” after the download and then I realized I had it running on the Standard account. After I switched over, shut it down, switched back, the install continued.

        2. Gabriel

          A great question. That’s what I have been struggling with the older version. You HAVE to be in Admin mode to run it. Every time I boot up my machine, and log in as a standard user, PSI won’t run. I have to manually invoke it. I hope Secunia can address this basic issue, especially because anyone who is concerned about security would be expected to be running as a standard user! It’s amazing how a security product would be so oblivious to such a common sense issue!

          1. Alan

            PSI is a great tool but the catch–and it’s a big one–is that users nees to be logged in as admin admin (unlike Windows Update, at least in W7).

            The automated feature in the new version is largely irrelevant if you want to adhere to the principle of least user privilege because to adhere to this principle you need to run PSI manually on an admin account periodically while using a standard user account the rest of the time.

            PSI protects you from vulnerabilities for which patches exist and exposes you to vulnerabilities for which patches don’t exist if you normally run as admin (XP) or using the default admin approval mode account on Vista and W7.

            Here’s what Secunia promotes in a corporate environment (emphasis added):

            “The Secunia CSI now integrates with the Secunia PSI. The integration enables you to create a custom Secunia PSI installer that will automatically configure the Secunia PSI installation to post data to your Secunia CSI account. Effectively allowing you to monitor and track the security and patch level of computers that are not directly under your control and WHERE THE LOCAL USER HAS ADMINISTRATIVE PRIVILEGES.”

          2. Alan

            Secunia Official on the PSI 2 Support Forum:

            “Currently, as mentioned, the PSI must run as the administrative user….However, we… see how this could limit usability and security. The fact that the PSI requires administrative credentials to run is considered one of the issues we will look into solving with the PSI 2.0 Beta.”

        3. JCitizen

          Dear gtodon;

          You are right for XP this is vexing. I have learned to NEVER use “Run As” in XP! Doing so wakes up every dormant malware existing on the account and takes over the PC instantly!

          Now whether XP has permissions locked down better now; I don’t know, and don’t plan to find out!

          However for Vista/Win7 it is a piece of cake! Simply right click the desktop icon for Secunia(placed there by administrator) and select “Run as administrator” and Secunia PSI runs happily that way.

          It is way easier than logging off and logging in as administrator, in my opinion.

          1. JCitizen

            @Alan;

            Thank you for that link! I agree with the author on his observations about the UAC “feature”.

            However, since I password protect the console of security products that I update during “over the shoulder” events, I haven’t had any trouble with malware taking control over the individual utility that I am updating. However – I have had malware reconfigure consoles that WERE NOT password protected while in over the shoulder sessions.

            So yes – this UAC feature has it’s limits to total security; and if fact there is no such thing.

    3. Ridge

      When I heard about PSI, I wondered about updates as Admin or Standard User. Seems to me a work around would be to disallow its insertion as a service or run at start up. Create a shortcut with the “RunAs Admin” script, put the shortcut link in the All User Start Up folder. Then at boot, PSI would start with Admin rights and be able to install all updates.

        1. Ridge

          * Create a normal Short-Cut to psi.exe (c:\program files\secunia\psi\psi.exe) on the desktop.
          * Right-click the short-cut and select Properties.
          * In the Target box, insert the following before the path to psi.exe.

          runas /savecred /user:administrator

          * Double-click the new short-cut, and enter the administrator password.

          Next time you run this short-cut, it will start psi.ese as administrator automatically without prompting you for any credentials. If you want psi to auto-start when you logon, move this short-cut to your “Startup” folder in the All Users>start>start up folder.

          If you boot into any account, a commandline window will appear on boot and ask for Admin PW. Once given, PSI will run in the background with Admin rights and be able to install all updates with those rights.

          I’ve done it, it works. This is suitable for a stand alone machine with good protection. As noted, Runas is a powerful tool and subject to hijacking.

          1. JCitizen

            Very true;

            “Runas is a powerful tool and subject to hijacking.”

            At least the way you configured it Ridge, it is only likely that PSI would be highjacked. I’d hope that would be a minimum risk as far as most programs go.

            Probably well worth it, especially if backed up by other update checker(s).

      1. Alan

        The RunAs solution probably works fine for people who frequent this blog but if you are using PSI at home, it’s intended use, presumably you may be managing a small network used by kids and others who aren’t very computer savvy. I don’t want my kids using admin privileges in any way. I want them running as standard user and their software fully patched without having to go through the weekly nightmare of manually installing the weekly Flash patch etc. on multiple PCs.

        1. Ridge

          Alan-

          I might argue the opposite. In an Enterprise or Institutional environment, access to that file and folder could be numerous. In a SMB or home, with a single Admin, it could be restricted.

          Win7 blocks that folder except for an Admin rights account. Not sure about Vista, but in XP you could hide the “system files and folders” . You might also rename it to some innocuous system name to disguise it.

          But if the users have enough smarts to un hide folders, login with Admin rights, run MSCONFIG or other start up monitoring programs, examine obscure start up links and use the info in them …..then they probably have total control of the machine anyway.

          If they aren’t that advanced, then you could probably use the above method with relative safety.

  5. Troy

    Thanks for the heads-up, Brian– your fear is actually what (would have) held me off from trying the new beta and that being adding stupid toolbars and gadgets. Glad to hear that, so far, that is not the case.

  6. Chris

    Most public and private sector entities have patch and vulnerability management programs to find and fix problems before they are exploited. However, those important capabilities are lacking in the home user space, where they are arguably needed just as much – if not more. I commend Secunia for continuing to develop and a support a great product that can be used by the average Joe without lots of money to throw at the problem. Running PSI should be on every security professional’s list of awarneness best practices for the home environment.

    1. Jonathon

      I am looking in to getting Secunia’s Corporate Security Inspector (CSI) (not free) for our organization. I wanted to get it this year, but the co$t has made us put it off until next year.

      1. eerms

        the price of the CSI is a much too high especially for small businesses around the world.
        I would get the funding if maybe the price would be 25% of what it is now. it’s pain in the a** to run around once a week and install patches for 30+ computers, but it’s what I do and it’s much much cheaper even if I would ask to double my salary for the time I spend on updates.
        banks of course can of afford CSI but they are not the only businesses that need high security environment.

  7. JCitizen

    Very true Chris; and I want to commend Brian for revisiting this handy utility, and making the public more aware of it’s usefulness!

    This is just one reason I keep harping on everyone I meet, to visit this site, if they know what is good for them! ; )

  8. Edmond

    im trying to find a similar app but for drivers, is there any of industrial quality out there Brian?

  9. joe53

    I’ve used PSI since it’s original beta versions on XP/sp3 with no problems.

    I tried PSI 2.0 Beta, and ended up reverting to v 1.5 mainly because 2.0 eliminated the “Secure Browsing” tab, that alerted me to unpatched vulnerabilities in my browsers, rated by criticality, and with links to Secunia’s advisories.

    Admittedly not the primary function of PSI, but it was a feature I found useful.

  10. John

    For a long time I was using PSI but then I switched to File Hippo about six months ago for two reasons: it uses less memory and they were faster at offering new updates than PSI. I have File Hippo set to run automatically on boot-up. File Hippo doesn’t have an auto update feature like PSI but I suspect most readers of this blog would prefer to make choices themselves.

    I second Edmond’s comment — a program for driver updates would be nice as these are really hard to hunt down.

    1. JCitizen

      @John;

      Most IT departments don’t need an “industrial” quality driver alert, because they buy OEM equipment that provides them with that capability. Even some peripheral device manufacturers include auto alert/update functionality.

      As far as drivers for applications – those come with the updates to those applications, so are already covered by software mentioned in this discussion.

  11. David Chasey

    How much memory does the always running PSI.2 use? More than PSI?

    1. Heron

      I, too, would like to know if the new beta version of Secunia uses more memory. Has anyone looked into this?

      1. JCitizen

        All of my clients are running with over 1Gb of RAM, so this is not a concern for them. Since PSI does not run in standard accounts, it only affects administrator duties. However I never notice any performance problems, unless you like fast restarts.

        I exit PSI and only use it when I need it. It runs so fast, that I see no reason to leave it running at all times. If it would run all the time in a standard account, the resource hit would be well worth it – IMO.

  12. Wladimir Palant

    My main concern about the auto-update function (and also the reason why I didn’t try PSI 2.0 so far) is its reliability. Does Secunia use the updater which comes with the application (and is usually pretty well-tested) or do they run some own code to update the application directory? If it is the latter I would be very concerned that something gets messed up in the update.

    1. JCitizen

      @Wladimir;

      So far I’ve had LESS trouble updating with PSI’s updates than with the built in versions for the respective applications!

      I’ll take less hassle anytime. I do run a honeypot lab, and I have seen malware try to exploit various applications or plug-ins on a standard account. So far they have lost hands down!

      It is amusing to me to watch this process, when I happen to be there to witness it.

  13. Carl Thomas

    I’ve tried PSI as well on several occasions. I dropped it for several annoying problems.

    First of all, if you use any Windows CE based device and related programs or portable applications, PSI cannot handle these programs properly and continually flag them as outdated even if they are not.

    Secondly, if you try to go through and create exceptions for these programs, you can only do so if you are connected to the internet. The reason is that PSI phones home to setup the exceptions. Evidently this is due to the fact that your exceptions are not stored locally. This is simply unacceptable.

    I also use File Hippo for program updates. So far, it has notified me of program updates of major programs very efficiently and they even have a portable version of the updater.

    1. JCitizen

      File hippo can be a good way for easily updating popular applications, and can keep you safe, providing the update isn’t insecure as well.

      With Secunia PSI, the system administrator can make a decision to disable or uninstall programs that simply don’t have a secure solution to the problem. This is valuable knowledge!

      Many times I simply get rid of applications that are insecure, until I need them; and usually a web reminder will let me know it is time to try a new plug-in or other application. For instance – you know you need java when you see the coffee cup symbol in the web page, with a download reminder. This is not a hassle for me.

  14. xAdmin

    PSI can be a great tool for your average PC user in helping them stay current with patches. The same isn’t necessarily true for IT folks…

    I tried PSI 1.5 version a while back and couldn’t justify using it for my setup. Haven’t tried the new beta version for the same reason. Also, I stopped messing around with beta software a while ago in order to keep my systems in a more pristine state.

    The main reason I couldn’t justify using PSI is because my systems don’t have much software on them due to the strict policy I follow in limiting what software is installed to lower the attack surface of the system and to minimize patching. Also, I really don’t like programs running in the background and since I am always logged in as a non-admin (limited user), PSI wouldn’t be of any value running in the background anyway as it requires administrator access to do its thing. The only time I typically login as an admin is to install patches or run administrative maintenance tasks (ex. disk check, disk defrag, etc.). Also, as to patches, I prefer going directly to the source to obtain them versus either getting them from a third party or being directed via a third party.

    Since I have a very tight control over the software on my systems and their overall configuration and can easily stay current on patches, all PSI really gave me was a double confirmation that my system’s were fully patched.

    I prefer to stay up to speed on what patches are out while logged in as a non-admin (by visiting vendor and security websites). Since Microsoft releases patches on the second Tuesday of every month, baring a rare out of band patch, it’s easy to stay up to speed on their patches. The only other patches I need to stay up on are Foxit Reader and Flash Player which again are easy to manually check. Foxit Reader doesn’t require admin access as I just download the exe file, rename the old one (for backup purposes) and copy the new file over. When there’s an update for Flash Player, while still logged in as a non-admin, I always download the uninstaller (http://kb2.adobe.com/cps/141/tn_14157.html) first, then download the exe installer for IE (http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_ax.exe), save them both to a central location to be used on multiple systems. Once logged in as administrator, run the uninstaller first, then the installer, finally verify the installation (http://www.adobe.com/software/flash/about). Most of the time Flash Player updates are released around Microsoft patch Tuesday, so I’ll do them all the same day and be done with patching and log back in as a non-admin.

    As such, patching for me is typically a once a month task that takes at most an hour total to complete (multiple systems).

    Sorry for the long post, thought it may be beneficial to some as to my setup and process. 🙂

    1. David Chasey

      Thank-you for the update links, xAdmin. Just what I’ve needed.

  15. Chris

    As a self employed individual, my problem with PSI can be found in the license agreement:
    “It is strictly prohibited to use the Secunia Personal Software Inspector on systems, which are owned or operated by companies, organisations, educational institutions, government entities, or other commercial or non-commercial entities.”
    I find this frustrating, since it prohibits me from using it on the computers I use for work. Instead I must use one of the paid versions. Other software vendors have similar policies — Mozy, for example, has a completely different pricing scheme for corporate use.

  16. Derek Godsell

    I’ve always used OSI for many years and now really like the newer PSI2. Just a bit disapointed that PSI missed three udates that FileHippo found – MagicISO, Speedfan and WinRAR. In a corporate environment maybe these three would not feature on any systems, but as a part-time developer they are fairly important to my work. Maybe I’m wrongly assuming PSI is aimed at my type of customer base?

    1. JCitizen

      Dear Derek;

      Secunia PSI is only interested in applications that have known vulnerabilities. You are simply jumping the shark using FileHippo’s updater. The problem is – even the FH updater can have vulnerabilities in it, and Secunia has pointed that out at least once!

      Otherwise, what is not to like about using both? You may get up to five day lead on zero day vulnerabilities with FH update checker; if not, at least PSI lets you know about it. Secunia also lets you know about old remnants and software that is past it’s supported lifespan. This is still very valuable information, that File Hippo is not going to inform you about.

  17. Wladimir Palant

    Brian, sorry about commenting in this old blog post again but I only started using Secunia PSI 2.0 recently when it was declared stable. Yesterday was the second time it tried to auto-update something and it revealed a bug that I absolutely didn’t expect in supposedly stable software which went through a lengthy beta phase.

    It tried to auto-update my Foxit Reader which seemed to work – I opened a PDF file and Foxit confirmed that version 4.3.1 is running. Yet Secunia continued to claim that I have the outdated 4.2.0 version installed. When I checked I noticed that my Foxit Reader install was indeed untouched, instead PSI installed a new copy at the default installation path (I tweaked the installation path when installing). It also updated registry entries to point to the new install which masked the problem. Why Secunia decided not to use the application path that it clearly knows is beyond me (yes, I reported the issue).

    Either way, I removed the new copy, started the old Foxit Reader, confirmed that I want to set it back as the default PDF reader and installed the update through the built-in updater. This seems to have fixed the mess. I disabled auto-update for Foxit Reader and I will probably think twice now before allowing PSI to auto-update anything.

    1. JCitizen

      I think it is excellent you visit old articles; I’m sure Brian and all other subscribers like to keep up with changing developments.

      I can only say that Secunia is only as good as the installer that is supplied by the application. I occasionally get old version files left over as in Google Chrome. I simply delete the offending .dll or other execution file that is obsolete, and drive on. It will not matter then, as the old version cannot run, even if malware try to run it.

      You can always set the PSI console to notify; and uninstall previous versions yourself; this way these inconsistencies will be mitigated. The thing I greatly appreciate on PSI is the fact that it points out these inconsistencies as a threat, and they are!

      Before Secunia PSI rolled into town, I was ignorant of these problems, so I appreciate a tool that informs me of them!

      1. Wladimir Palant

        I was not arguing that PSI isn’t a great tool – it certainly is. I was only saying that the auto-update feature has to be taken with a grain of salt. In this particular case everything was pointing towards PSI just playing stupid, you actually had to check the files manually to see what was going on. The auto-update feature makes PSI great for installing it on computers of less experienced friends – but I cannot see how they could have possibly resolved this issue.

        Does PSI really use the application’s installer? My impression was that it simply installed the new files into the app directory and updated registry entries “manually”. If instead it runs a crappy installer like Foxit’s in background that would explain lots of things…

        1. JCitizen

          From what I’ve read elsewhere(ZDNet, CNET, TechRepublic); the installer package comes from the developer that issues the update. So far minus irritating add-ons like tool bars and such.

          I still like the auto-updater even if it is not successful in completely uninstalling previous versions. At least it saves steps in most of the process, and alerts me something is happening, so I can open it and double check.

          Whereas before, I might neglect to log onto the Admin side and run it there – completely unaware that a vulnerability is discovered or an update available. This gets things closer to zero day protection – IMHO

        2. JCitizen

          P.S. – the new feature prompted me to encourage my PC challenged clients to install Secunia PSI. Most of them had it anyway. If they ran into problems, I simply remote in and fix them.

          I have rarely had to do this. I can think of only two instances in fact. I was surprised that my normally clueless clients figured these things out.

Comments are closed.