Security Scanner and Monitor User Guide

Introduction

  1. Welcome to Website Security SCANNER and MONITOR by H-X Technologies! These professional automated services are designed to protect your websites. This Guide will help you use our services in the best possible way, even if you are not a cyber security specialist.
  2. First, if you have not read the Frequently Asked Questions page, we suggest you do so, because it contains important initial information about information security assessment and information security vulnerabilities, also known as technical vulnerabilities. Then you can look through the Wikipedia page about computer vulnerabilities. This knowledge will help you use our services optimally, although they are also designed for beginners.
  3. Website security vulnerabilities are a kind of computer vulnerability that can be present in the source code or configuration of your web pages, web server, web applications, databases, database engines, backend applications, etc. Your website can have security vulnerabilities even if nobody knows about them yet. It is always better when the provider of your website components or the security researchers find the vulnerabilities before the hackers (Darknet, black market, etc.) do. However, sooner or later any vulnerability becomes known to the security researchers, either before or after the hackers exploit it in their attacks. The security researchers update special vulnerability databases, knowledge bases, security scanners and scanning engines as soon as possible, which helps us uncover whether your websites are vulnerable or not.
  4. Our Website Security SCANNER and MONITOR use several vulnerability databases and scanning engines to better detect various website vulnerabilities. Some of the engines are Nikto, SSLscan, DNS Bruteforcer, DNS Zone Transfer analyzer, DNS Harvester, Robots.txt Analyzer, Bruteforce predictables discovery, Sqlmap, Wpscan, Joomscan, etc. You do not need to install these engines on your computer, or configure, schedule or run them manually. We do this for you. Moreover, we continuously monitor the security of your website and notify you when its vulnerabilities increase or decrease. Now let us see how to use these services.

How to use the Website Security Scanner

  1. WEBSITE SECURITY SCANNER (Vulnerability Scanner) provides a free on-demand automatic analysis of your website.
  2. In short, just go to the Scanner Home, select QUICK SCAN or NORMAL SCAN, paste your website URL (address), type your name and email, tick the checkbox to confirm that you agree with the Terms of use and the Privacy Policy, check the ‘I'm not a robot’ (CAPTCHA) checkbox, click the ‘Start scanning’ button and follow the instructions.
  3. What is the difference between QUICK SCAN and NORMAL SCAN? Quick Scan takes only 5 minutes and does not need an email confirmation, but gives very limited and unreliable results. Normal Scan requires that you read an activation email notification and click the activation link in it. The Normal Scan can take several hours, but gives more results, including a convenient report.
  4. Why do you need to notify your website hosting service provider about the vulnerability scanning? Sometimes the providers block vulnerability scanning attempts. Of course, this is good for you, because the provider will probably block hackers' attempts as well. However, what if hackers use more sophisticated methods to circumvent the provider's security controls? Never rely on a single security layer! Your website should be secure in itself, independently of any provider. Thus, we recommend making an exclusion for our scanner in the provider's security controls, such as a WAF or IPS, to get more objective information about the security of your website itself, and not the security of your hosting provider. Another reason to notify the provider about the vulnerability scanning is that sometimes (very rarely) they may consider the scanning a real attack and complain. According to our Terms of use, the users, and not we, take responsibility for the vulnerability scanning. Therefore, if we get any complaints, we will have to redirect them to the user who started the scanning.
  5. Since we send many activation emails, reports and notifications to user mailboxes, these emails sometimes end up in the spam folder. Always check your spam folder so that you do not miss our messages. You can use the ‘Not Spam’ or similar button of your email client to prevent further false spam filtering.
  6. What if you receive our Scanning Report stating that your website is potentially VULNERABLE? Well, don't panic! Not every vulnerability is exploitable and dangerous. You should show the report to your information security analyst, or at least to your technical support, to verify and evaluate the vulnerabilities. It is very common for vulnerability scanners to produce false positives. We always insist that any scanning results should be verified manually, and we will be glad to help you.
  7. What if the Report states that your website is potentially PROTECTED? Well, do not relax! There is no omniscient vulnerability scanner, and there never will be. However, our scanning engines are constantly learning. Try to scan later, and you may get different results. Tired of starting scans manually? Then you need our Vulnerability Monitoring Service described below.

How to use the Website Security Monitor

  1. WEBSITE SECURITY SCANNING MONITOR is a useful subscription service, which uses the Security Scanner engines to perform daily scanning sessions, tracks your website vulnerabilities over time, and notifies you when the vulnerabilities increase, decrease or change. Since the Monitor is based on the Scanner, you can use the above instructions and your experience with the Scanner while working with the Monitor, namely for form filling, hosting provider notifications, spam folder checks, report handling, etc.
  2. To use the SECURITY MONITOR, go to the Scanner and Monitor Home, fill in the form just like for the Scanner, but click the ‘MONITOR’ radio button. The ‘Period’ drop-down menu will appear, so that you can select the needed monitoring timespan: one or several months. After clicking the ‘Start scanning’ button, you will receive the activation email notification. Please notify your website hosting provider about the vulnerability scanning, and click the activation link to go to the subscription payment page.
  3. On the subscription payment page, you will see information about the subscription parameters, the amount to be charged, etc., and an invitation to continue the payment process. As we do not have any access to user VISA/Mastercard payment card data, all payments are processed by the professional processing center. Immediately after the successful payment, the monitoring is activated, and the first scanning session is queued.
  4. In the activation notification email, you will get information about your subscription and, among other things, the link to your monitoring dashboard.
  5. Keep our notifications and other emails confidential and do not forward them to anyone, so that unauthorized persons cannot access your dashboard and the information about the vulnerabilities!
  6. After the first scanning session is completed, you will receive the corresponding report with information about the current security status of your website. This report is very similar to the usual SCANNER report described above. In particular, like any report from a vulnerability assessment solution, the Monitoring reports may contain false positives.
  7. One of the main ideas of our MONITOR is that notifications should not be sent if there are no changes to your website vulnerabilities. For example, if you analyzed the report once and decided that some of the findings are false positives, you will get a new monitoring notification only when new vulnerabilities appear or existing vulnerabilities disappear. However, you can open your daily monitoring reports from the monitoring dashboard whenever you want within the retention period.
  8. Please note that when your website or its components are temporarily or partially unavailable to our scanning engines, the engines may get less information about the vulnerabilities, so a false notification about a security improvement is possible. Monitoring makes confirmation scans, but you can also compare several reports from different dates yourself to verify the vulnerabilities.
  9. If you are going to make significant changes to your website, such as a migration or a website engine change, we suggest pausing the vulnerability monitoring from your dashboard at least a day beforehand. After the changes are done, resume the monitoring.
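
The notification behaviour described in items 7 and 8 above, sketched as an added example (this is not H-X Technologies' code; the Scan record, its `complete` flag and the finding names are constructed assumptions). It notifies only when findings change, and holds back an apparent improvement seen while the site was partly unreachable until a later complete scan confirms it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scan:
    """One daily session (hypothetical record, not the service's report format)."""
    day: str
    findings: frozenset      # identifiers of the findings reported that day
    complete: bool = True    # False if the site was partly unreachable


def monitor(scans):
    """Return [(day, appeared, disappeared)] only for days with confirmed changes."""
    baseline = scans[0]
    notifications = []
    for scan in scans[1:]:
        appeared = scan.findings - baseline.findings
        disappeared = baseline.findings - scan.findings
        if not scan.complete:
            # Item 8: a partial scan sees less, so a vanished finding may still
            # exist. New findings are still real; "improvements" must wait for
            # the next complete scan, which acts as the confirmation scan.
            if appeared:
                notifications.append((scan.day, sorted(appeared), []))
                merged = baseline.findings | scan.findings
                baseline = Scan(scan.day, merged, True)
            continue
        # Item 7: stay silent when nothing changed since the last reliable scan.
        if appeared or disappeared:
            notifications.append((scan.day, sorted(appeared), sorted(disappeared)))
        baseline = scan
    return notifications


# Constructed sample: five daily sessions for one site.
SAMPLE = [
    Scan("day1", frozenset({"missing-hsts", "directory-listing"})),
    Scan("day2", frozenset({"missing-hsts", "directory-listing"})),
    Scan("day3", frozenset({"missing-hsts"}), complete=False),   # partial outage
    Scan("day4", frozenset({"missing-hsts", "directory-listing", "weak-tls-cipher"})),
    Scan("day5", frozenset({"missing-hsts", "weak-tls-cipher"})),
]

if __name__ == "__main__":
    for day, appeared, disappeared in monitor(SAMPLE):
        print(day, "appeared:", appeared, "disappeared:", disappeared)
```

Day 3 produces no notification even though one finding is missing from that report, which is the false "improvement" that comparing reports from different dates is meant to catch.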
