Corporate Software Inspector: FAQ

Intelligent Security Patch Management

FAQ

Corporate Software Inspector (CSI) General

What is CSI?

All versions
Corporate Software Inspector (CSI) is an authenticated internal vulnerability scanner, capable of assessing the security state of programs that run on Microsoft Windows, Apple OSX and Red Hat Enterprise Linux (RHEL) computers, enabling you to fix the vulnerabilities before they are actively exploited.

What is vulnerability scanning?

All versions
A vulnerability scanner is a computer program designed to scan for vulnerabilities that are present within your network.

How long has Secunia and CSI been serving the market?

All versions
Secunia was founded in 2002 and aquired by Flexera Software in 2016. Today the research community includes leading security experts, system and network administrators, and our own website is visited by more than 5 million unique visitors annually. CSI has been a leading vulnerability scanner for the Windows environment since the beginning of 2008, and following coverage for Apple OSX and Red Hat Enterprise Linux (RHEL) has been added.

Is CSI a software solution or an appliance?

All versions
CSI is a software solution that has appliance functionality if needed. The agent can be installed in an appliance mode and perform remote scans of hosts.

My company already uses firewalls and IDS (intrusion detection systems). Why do I need a vulnerability scanner?

All versions
CSI is a proactive solution that can be used in addition to firewalls, IDS and other network security systems. It will help you secure and monitor your network against new threats that otherwise are not monitored.

Is CSI using remote or agent-based scans?

All versions
CSI can be designed to use either remote scans or agent based scans.

How often are signatures updated?

All versions
CSI file signatures are updated and maintained on a daily basis.

Is your product CVE compatible?

All versions
Yes. In each advisory presented within CSI there is always a link to the CVE reference.

What type of company is typically in need of CSI?

All versions
CSI is used across multiple segments, including the Fortune 1000, small to medium businesses, consultants and managed service providers. Regardless of the environment, the scalable, secure end-to-end solution is unchanged.

What is SPS?

All versions
SPS stands for Secunia Package System and offers increased scope and flexibility in terms of patching and configuring hosts. You can customise the language options of packages and thereby patch in multiple languages, or remotely uninstall applications, among many other things.

How can I use the agent to scan my Mac OS X hosts?

All versions
To scan Apple Mac OS X machines, you need to deploy the Single Host Agent locally on the target system.

The installation can only be done under the MAC Terminal, as the agent will be installed as a daemon (service) under the LocalSystem account.

Installation of Local Services on MAC OS X systems requires root privileges. The ‘root’ account is disabled by default on MAC systems; therefore you need to enable it in order to proceed.

CSI Agent for MAC OS X (csia) is a small, simple, customisable and extremely powerful CSI scan engine that offers a fully featured command line interface (CLI) to CSI scanning functionality.

This allows you to run CSI scans directly from the command line, or to launch scans by using CSI console.

You can download the agent binary under Scanning > Scanning via Local Agents > Download Local Agents.

How can I scan App-V applications on my hosts?

All versions
By first installing Microsoft Application Virtualization SFT View (http://www.microsoft.com/download/en/details.aspx?id=8897) on the selected host, CSI is able to scan the hosts for vulnerabilities in your App-V applications.

Can I create reports for my entire CSI environment?

CSI 5.0 & CSI 6.0
By configuring Users and Sub-Users under reporting you are able to create reports for your entire CSI environment.

Is it possible to extract custom made reports from CSI 7?

CSI 7.0
Use the database Console page to access the SQL database. You can access the content of each table by selecting the table name in the Tables pane. Expand the table name to view the objects and data types within that table.

To create an SQL query, right-click a table and select Show Data to automatically create a SELECT * FROM table query from the specific table. You can also right-click a table and select Schedule Query to create a scheduled export for the table and save the output to a CSV file.

The Details and Results panes display the status of the query.

How can I change the configuration of my connected Personal Software Inspector (PSI) hosts in CSI?

All versions
With PSI Integration you can change auto-update configuration, check-in, scan frequency and are also able to approve updates.

How does SPS work?

All versions
By default SPS will execute a selected patch (.exe, .msi or .msp) with silent parameters but you are also able to create your own customized SPS package with multiple files in JavaScript and VBScript or download an already created SPS package from our Community.

How do I delete outdated and duplicate hosts?

All versions
By creating a Rule under Database Cleanup you are able to delete hosts that have not been active for a specific amount of days, weeks or months.

Why do I sometimes get Partial scan status in my completed scans?

All versions
CSI scan consists of 2 parts; the first part is third-party applications that CSI scans for, the second part is Microsoft patching status that CSI gets from the Windows Update Agent (WUA). If the second part of the scan is not successful you'll get a Partial scan result.

Can I scan Max OSX and Red Hat Enterprise Linux with remote scanning?

All versions
No. You have download and install appropriate agent to scan Mac OSC and Red Hat Enterprise Linux.

Evaluation

Is it possible to evaluate CSI?

All versions
If you wish to evaluate CSI, please complete and submit the Corporate Software Inspector Free Trial form.

How do I contact customer support?

All versions
Flexera Software support contacts

Installation & Installation Requirements

What are the minimum system requirements for running CSI?

All versions
Those can be found here.

On what operating systems does CSI run?

CSI 5.0 & CSI 6.0
CSI supports the following OS: Microsoft Windows XP, 2003, 2008, Vista, and Windows 7.

CSI 7.0
CSI 7 will run on any system that has a web browser

Does CSI run on VMWare?

CSI 5.0 & CSI 6.0
Yes.

How do I install CSI on Windows?

CSI 5.0 & CSI 6.0
Once CSI download has completed, start the installer and then start the product. Provide your user name and password that was given by your account representative. When the installation is complete you can start configuring your scans.

CSI 7.0
CSI 7.0 requires no installation, just plugin, deamon and agents.

How long does a typical scan take?

All versions
This varies depending on hardware and size of the local disk, but will usually take between one to three minutes if using scan type 2 (all local paths).

How does CSI ensure efficient bandwidth utilization?

CSI 5.0 & CSI 6.0
CSI is a light weight non-intrusive scanner that has been optimised to give minimum footprint on network utilisation. With guidance from a solution specialist each customer will be trained in how to optimise the scan process according to their network design and capability.

What ports must be open in my firewalls for CSI to function?

All versions
Please read the system requirements here

How do I get CSI to start automatically on Windows?

CSI 5.0 & CSI 6.0
You can enable it by clicking on Configuration > Settings and select the Start CSI on boot option.

How can I check to see if CSI license is valid?

CSI 5.0 & CSI 6.0
Hover the mouse over the username in the bottom of CSI user interface. It will show you total amount of licenses available to your account.

CSI 7.0
CSI 7.0 displays User and Host license information in the User Management grid

How do I obtain a new license?

All versions
By contacting your sales representative.

Can I use CSI if I have an IDS/IPS?

All versions
CSI is compatible with any type of security software.

Can I use CSI if I have a firewall?

All versions
CSI is compatible with any type of security software. Make sure to open required ports which can be found here

How do I know if CSI is using the most recent signature files when conducting a scan?

All versions
An update of the signature files is always conducted as soon as CSI starts a scan. If there is an error in fetching the latest signature files you will be prompted with information about this.

Scanning

What types of programs does CSI analyse during a scan?

All versions
CSI scans for third-party applications and Microsoft software to the Windows, Mac OS X and Red Hat Enterprise Linux (RHEL) platforms. Scanning Mac OS X and RHEL is available through agent based scanning (single host agent).

How can I use the agent to scan my hosts?

All versions
Download the agent from your CSI console (available from the Download Network Agent menu).

CSI Agent is a small, simple, customisable, and extremely powerful scan engine that offers a fully featured command line interface (CLI) to the CSI scanning functionality. This allows you to run CSI scans directly on the command line or to embed the Agent in a customised script. Write "csia.exe -h" for a full list of arguments supported by the CSI Agent.

The most common way to use the agent is in Single Host Mode.
Single Host Mode (Install the agent as a local service): csia.exe -i -L

NOTE: The "csia.exe" file is a customised executable, unique and private for your account. This means that the CSI Agent automatically links scans to your CSI account, without you performing any extra actions.

Will CSI scan external devices?

All versions
Only local hard drives will be scanned for software vulnerabilities.

How many different types of software does CSI detect?

All versions
CSI is updated with new supported, detected, and analysed vendors on a daily basis. The file signature database consists of more than 3000 vendors.

How does CSI handle false positives and false negatives?

All versions
Since the scan process works by looking at the actual files on the system scanned, the result is extremely reliable as a program obviously cannot be installed on a system without the actual files being present. This in turn means that CSI rarely identifies false-positives and thus the result from CSI can be used immediately without doing additional data/results mining.

Does CSI require credentials to scan a target network?

All versions
All scans conducted are done using credentials that have local admin rights to the target machine.

CSI 6.0

Can I integrate my existing patch management solution with CSI?

All versions
Yes, CSI 6.0 introduces a new feature for publishing packages using third-party patch deployment solutions, for example Altiris. In order to support this new feature we have enhanced the package export feature. The exported xml file now contains additional information that can be helpful in creating packages in other tools, including:

  • The version numbers
  • The executable itself
  • The vulnerability/criticality
Can I scan non-commercial/custom software?

CSI 6.0 & CSI 7.0
Yes. Custom Scan Rules allow you to create and maintain custom rules for scanning customer created programs, drivers, and plugins. Go to Scanning > Filter Scan Results > Custom Scan Rules and click New Custom Scan Rule and enter a Name for the rule and the Filename to scan. You can also click Browse to search for the file you want to add to the rule.

Please note that the file to be scanned must contain valid File Version Information.

What are Smart Groups?

CSI 6.0
You can create and configure Smart Groups to help you prioritize your remediation efforts and stay secure and compliant by allowing you to filter and segment your data.

Go to Results > Smart Groups > Smart Group Configuration and click New Smart Group to configure a new Smart Group which you can base on a variety of criteria, including:

  • Program Status - End-of-Life, Insecure, Patched
  • Criticality - Extremely Critical, Highly Critical, and so on
  • Host Name/Site Name - considered relevant to the Smart Group
  • SAID Creation Date - for example, to include all Programs that are insecure and with an Advisory ID that is older than 7 days
  • Silent Installation - available or not available for a product
  • Product Name - to manually add products

You can also click Templates in the Configure New Smart Group window to open the Smart Group Example Use Cases window. Select an appropriate use case and click Use Template to populate the Configure New Smart Group window, which you can then edit to match your specific requirements.

What are Smart Group Notifications?

CSI 6.0 & CSI 7.0
You can create and configure reminders, notifications, and alerts for a Smart Group based on the current state or changes to a group. You can be notified via email or SMS.

How does the Export feature work?

CSI 6.0 & CSI 7.0
You can click Export in any grid view to copy the displayed information to the clipboard or save as a CSV file. The Export feature automatically extracts and transfers data using export schedules (for example, daily) from CSI into Security Information and Event Management (SIEM) solutions and reporting tools. The data is exported in CSV format.

Why should I use Active Directory Integration?

CSI 6.0 & CSI 7.0
The Active Directory Integration feature automatically updates organisational units and structure in CSI when changes are made to the Active Directory.

What information does the Activity Log provide?

CSI 6.0 & CSI 7.0
The Activity Log window displays information about user activity within CSI, for example "write" actions, logins, and so on, with the exception of scans (due to the volume of data generated). You can access a full activity and login log for compliance monitoring and auditing purposes.

Does CSI 6.0 integrate with Vulnerability Intelligence Manager (VIM)?

CSI 6.0 & CSI 7.0
Yes. You can view and manage the VIM accounts that have been verified and integrated with CSI and create Asset Lists for the integrated VIM accounts. The Asset Lists are updated automatically with CSI scan results.

Can I configure IP addresses that CSI console can be accessed from?

CSI 6.0 & CSI 7.0
Yes. Use the IP Access Management window set IP Access Rules to configure the IP addresses CSI console can be accessed from. Note: you require administrative privileges to use this feature.

The first IP Access Rule you set up must always be a whitelist rule and must include the external (public) IP address of the console you are creating the rule from. If, for example, you check ipconfig you will find the internal IP address, which will not work. You can find your external IP address by using an Internet search engine and typing “find my ip address”.

How do I get help?

CSI 6.0 & CSI 7.0
You can press F1 to open a help topic associated with the currently selected window in CSI or click Help at the top of the window to view all CSI help topics.

CSI 7.0

Superseded CSI 6 Features
CSI 7.0
  • Ignore Rules – Previously, this feature was used to create and maintain Ignore Rules for excluding specific content from results and reports. CSI 7 allows you to create Host and Product Smart Groups that scan and display only the content you specify.
  • Local Database Console – Previously, this feature was used to create custom SQL queries for the local database in CSI and has been replaced with the Reporting > Database Access > Database Console.
  • Maintenance menu – Previously contained the Permanent Logout and Database Cleanup options and has been removed. A Logout push button has been added to the upper right of the screen and the Database Cleanup option is now located under the Reporting > Database Access > Database Cleanup menu.
  • Results > Hosts – Previously displayed all the hosts maintained within your account and has been replaced with Host Smart Groups, where you can view the existing configured Host Smart Groups and configure new Smart Groups.
  • Results > Programs and Operating Systems – Previously displayed a list of all the Programs or Operating Systems found via the CSI scans and has been replaced with Product Smart Groups, where you can view the existing configured Product Smart Groups and configure new Smart Groups.
  • Results > Secunia Advisories – Previously displayed all advisories relevant to Insecure or End-of-Life products in your environment and has been replaced with Advisory Smart Groups.
  • Static Dashboard – Previously, for each dashboard profile created, a static URL was automatically created so that the user could use the static URL to view the dashboard on any web browser. CSI 7 now uses a browser interface which makes this feature redundant.
  • Trend Reporting – Previously displayed as part of the Results > Hosts and Results > Sites pages and has been removed as all results are now viewed through Smart Groups.
  • User Management – Previously, this feature was used by CSI main account to create other CSI accounts. Accounts, Shadow Accounts and Reporting on Sub-accounts and has been replaced with Administration.
What are Smart Groups 2.0?

CSI 7.0
Smart Groups have been pre-created for you under the Results menu and include Host, Product and Advisory Smart Groups. All Hosts, All Products and All Advisories are the default Smart Groups for each category and cannot be edited or deleted. You can create, view, edit or delete new Smart Groups to match your specific requirements and help you prioritize your remediation efforts - and stay secure and compliant - by allowing you to filter and segment your data.
Click Create New Smart Group to configure a new Smart Group.
Click Templates to open the Smart Group Example Use Cases page. Select an appropriate use case and click Use Template to populate the Smart Group Overview and Configuration page, which you can then edit to match your specific requirements.

I would like to login to CSI with different credentials. How can I set CSI to prompt me again for username and password?

CSI 7.0
CSI will store your credentials after the first login so that you are not prompted for credentials every time you start the solution. If you would like to be prompted for credentials the next time you start CSI solution (for example, if you or someone else wants to login to the CSI as a different user or if you want to disallow access to the CSI for someone else using your computer who does not have a valid CSI account) click Logout on the upper right of the screen.

Do I need a server to install and run CSI?

CSI 7.0
The user can login to CSI 7 from any internet browser (SaaS) for instant access to their data and reports - from anywhere, at any time. Please note: For some modules, for example Patching, to work a browser plugin is required and is currently available only for Internet Explorer.

I cannot find help in this FAQ. How can I contact support?

CSI 7.0
You can find options for contacting support here: Flexera Software support contacts

Is it possible to run CSI 7 in debug mode?

CSI 7.0
Login and go to Configuration > Settings and select the Enable Logging check box.

What report file formats can CSI 7 generate?

CSI 7.0
CSI 7 can generate PDF reports, however it is possible to extract custom made reports from CSI. See: "Is it possible to extract custom made reports from CSI?" below:

What is the Secunia Daemon?

CSI 7.0
The Secunia Daemon is a stand-alone executable that executes the scanning and import schedules configured in CSI 7 console. It runs as a background service with no user interaction. The Secunia Daemon can be downloaded from the Customer Community.
The Secunia Daemon integrates a number of local data sources in the user’s network with the Secunia Cloud. It should be deployed to a node in the network that has high availability (for example, the server running the SCCM or SQL server). Once deployed, the Daemon will regularly scan the data sources, based on the configuration created in CSI, for:

  • Active Directory scanning
  • SCCM import (SQL + WSUS)
  • Scheduled exports
  • WSUS state change

The Secunia Daemon uses the System Center 2012 Configuration Manager SQL Database Settings that are specified in the Configure dialog. If those settings haven't yet been specified when the Secunia Daemon has been run then it will check for them again in 10 minutes and every 10 minutes afterwards until it gets them.
The Secunia Daemon checks with Secunia every 10 minutes to download new schedules or fetch changes to existing schedules as long as it is not in the process of processing scans.
The results are displayed in CSI Completed Scans page.

What is CSI 7 Plugin and why do I need to install it?

CSI 7.0
To enable Scanning and Patching, the first time the you login to CSI 7 you should click the link on the bottom of the page and follow the on-screen instructions to download and install the CSI Plugin. Please note that the plugin is compatible with, and should be run using, the latest version of Internet Explorer.
The CSI Plugin is installed locally and must be installed on the machine that you are running CSI console from. Once the CSI Plugin has been installed the download link is removed from the page.

Reporting

What types of vulnerability reports are available?

CSI 5.0 & CSI 6.0
You can generate Site level, Product level or Host level reports. Each report will have detailed information about the security level and provide you with verified and accurate intelligence.

Can users receive email alerts of changes in the scan result?

CSI 5.0 & CSI 6.0
Yes. Selected personnel can be added to receive a change summary that shows the changes in the network on a daily or weekly basis.

What report file formats can CSI generate?

CSI 5.0 & CSI 6.0
CSI can generate PDF reports, however it is possible to extract custom made reports from CSI. See: "Is it possible to extract custom made reports from CSI?" below

How does the criticality rating map to CVSS?

All versions
CSI builds the criticality rating on the CVSS version 2 scoring algorithms.

What do the different severity levels in CSI mean?
All versions
  • Extremely Critical (5 of 5)
    Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild.
    These vulnerabilities can exist in services like FTP, HTTP, and SMTP or in certain client systems like email programs or browsers.
  • Highly Critical (4 of 5)
    Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP, and SMTP or in client systems like email programs or browsers.
  • Moderately Critical (3 of 5)
    Typically used for remotely exploitable Denial of Service vulnerabilities against services like FTP, HTTP, and SMTP, and for vulnerabilities that allow system compromises but require user interaction. This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the Internet.
  • Less Critical (2 of 5)
    Typically used for cross-site scripting vulnerabilities and privilege escalation vulnerabilities. This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.
  • Not Critical (1 of 5)
    Typically used for very limited privilege escalation vulnerabilities and locally exploitable Denial of Service vulnerabilities. This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g. remote disclosure of installation path of applications).
Is it possible to extract custom made reports from CSI?

CSI 5.0 & CSI 6.0
CSI 5.x and 6.x feature a Local Database Console that allows you to run SQL queries against the local database.

You can easily access all the information that is currently stored in the local database of CSI and use it in many different ways, such as creating custom reports or feeding it into other applications.

From the Local Database Console, right-click in a table name to see the data being hold in that table. Type the SQL query under SQLite Query window and click Run.

Use Export to export the data into the Clipboard or into a .CSV file. In CSI 6.x you can schedule exports at regular intervals.

Technical - General

What IPs/URLs/ports does the management console use to download the patch binaries when you build a package in the CSI 7 console?

All versions
CSI 7 (with the SC2012 Plugin) packages download from csi7.dl.secunia.com:443.

Although the console displays dl.secunia.com:80 in the UI, it is transformed to csi7.dl.secunia.com:443 behind the scenes. The port 80 package URL can be copied/downloaded by pasting the URL into a browser. The port 443 package cannot because it requires an extra download token that is used internally by the wizard. It differs from the port 80 package in that it supports customer parameters that the wizard supplies.

How can CSI be used to allow scans of customer’s internal networks?

All versions
Using CSI you have access to four different scan approaches:

  • On Demand Scanning
    From the CSI GUI you can easily create scan groups manually. The groups can then be configured to do scans based on IP-range, IP- network or Host-name.
  • CSI Agent – Single Mode
    CSI Agent is a standalone executable file that can run as a local service. The agent can be configured to scan the system at regular intervals.
  • CSI Agent – Network Appliance Mode
    If you prefer not to install agents locally on each PC or use login scripts you can use the agent in Appliance Mode. This enables you to schedule scans from the Appliance Mode agent to selected networks. The scan groups base their scans on IP-range, IP-network or Host-name. All administration will be conducted from CSI GUI.
  • SCCM Inventory Import
    You can connect to your local SCCM server and, if you have inventory features enabled on the SCCM client agent, CSI can import it by connecting to your SCCM server.
Does CSI provide assistance with fixing vulnerabilities?

All versions
Yes. CSI is designed to integrate with Microsoft WSUS/SCCM to deploy security patches that were found missing from the scan results. CSI also provides an SDK, allowing users to integrate with their preferred patch deployment solution, such as for example Altiris Deployment Solution. Through this integration CSI allows network administrators to easily handle the entire vulnerability management life cycle.

Can CSI be used to scan removable/network drives?

All versions
No. CSI does not scan removable or network drives such as USB sticks or other type of removable drives.

How many systems can I scan with CSI?

All versions
The number of systems that can be scanned by CSI is dependent on the license that you have purchased from Flexera Software. If you reach your license limit, deleting old systems from CSI will release the corresponding number of licenses. If you need additional licenses, please contact your sales representative.

Does CSI allow concurrent sessions from the same account?

CSI 5.0 & CSI 6.0
Although login of concurrent sessions is possible, CSI is designed to allow only one session per account. If you wish to have several CSI accounts, please ask your sales representative about CSI User Management add-on.

After creating a scan group and placing that group in the queue to be scanned, CSI is not able reach the target systems. How can I troubleshoot it?

All versions
It should be taken into consideration that in order to perform remote scans, the target systems must have the right services and ports enabled. Please refer to the system requirements for Agent-less scans.

I would like to re-install CSI Graphical User Interface. Where can I find the Installer?

CSI 5.0 & CSI 6.0
CSI Graphical User Interface can be downloaded from the Customer Community website.

I need to reset my CSI login credentials. How can I do it?

All versions
Please contact Flexera Software Customer Support. You can also configure password recovery options within CSI for later use.

Which systems can CSI scan?

CSI 6.0 & CSI 7.0
CSI 6.x is capable of scanning Windows, Mac OS X and Red Hat Enterprise Linux (RHEL) systems.

CSI is not detecting some of the software that I am sure is installed. How can I request new software to be added to CSI?

All versions
New monitoring can be requested by using the Suggest Software feature available in CSI. Requests from our customers are highly appreciated and will be promptly addressed.

After launching CSI, the solution stalls when checking for network connectivity. How can I troubleshoot it?

All versions
In the Internet Options (Control Panel or under Internet Explorer/Tools), verify that https://*.secunia.com/ is present in the Trusted sites. If not, please add it.

If your network connection passes through a proxy that needs authentication, please open a command prompt window, go to the path where CSI is installed, and launch CSI with the following command:
csi.exe -x proxy:port
If you also need to specify the proxy authentication, launch CSI with the following command:
csi.exe -x proxy:port -U username:password

In order to get a more verbose error message, start CSI from the command prompt with logging options.
csi.exe -d debugfile.txt -v
the logging can also be combined with other options, like this:
csi.exe -x proxy:port -U username:password -d debugfile.txt -v

Is the communication between CSI Agent/Graphical User Interface and Secunia encrypted?

All versions
Yes. All the communication between CSI Agent or CSI Graphical User Interface and Secunia is made through port 443, and by using SSL protocol with 256 bit encryption.

Why is Windows Update necessary to CSI?

All versions
CSI is designed to use the built-in Windows Update Agent so that it can check for missing patches from Microsoft. If you have a WSUS server in your network, CSI can adapt and retrieve the OS results based on the internal WSUS. You can also configure it to check with the official Microsoft Update website.

I would like to login to CSI with different credentials. How can I set CSI to prompt me again for username and password?

CSI 5.0 & CSI 6.0
In CSI go to Configuration > Maintenance > Permanent Logout and click Logout.

Do I need a server to install and run CSI?

CSI 5.0 & CSI 6.0
No. Due to its lightweight design, CSI is able to run in the most common Windows systems. For more detailed information, please refer to the system requirements for running CSI Centralised Dashboard.

I cannot find help in this FAQ. How can I contact support?

CSI 5.0 & CSI 6.0
Please login to CSI and go to Support > Contact Information to reach the customer support center. You can also send your question to csc@flexerasoftware.com and one of solution specialist would be assigned to you.

Technical - WSUS / GPO / Certificates / Miscellaneous

How do I publish packages that are larger then the default WSUS limit (384 MB)?

All versions
One way to change the limit is to run the following script with WSUS_SERVER_NAME, USE_SECURE_CONNECTION, and WANTED_LIMIT set as appropriate. WANTED_LIMIT is in MB and cannot exceed 2047 as this is the upper limit WSUS supports:

[reflection.assembly]::LoadWithPartialName
("Microsoft.UpdateServices.Administration") | out-null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer( WSUS_SERVER_NAME>, USE_SECURE_CONNECTION );
$serverconfig = $wsus.getConfiguration()
$serverconfig.LocalPublishingMaxCabSize = WANTED_LIMIT
$serverconfig.Save($FALSE)

If this is run on the actual WSUS server GetUpdateServer( WSUS_SERVER_NAME>, USE_SECURE_CONNECTION ) can be replaced by GetUpdateServer(). Refer to http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration.adminproxy
.getupdateserver%28v=vs.85%29.aspx
for more information.

Please note: This change should be done at your own risk and that Flexera Software will not be responsible for any effect this might have on other uses of the WSUS server.

How do I connect CSI to the WSUS/SCCM?

CSI 6.0 & CSI 7.0
In CSI 6.x user interface go to Patching > Configuration > WSUS / SCCM, enter the WSUS server name and port and click Save. If it is the first time you connect, a wizard will guide you through the steps needed to create certificates and the GPO settings that enable deployment of third-party patches. You can also refer to our technical user guide which provides step by step instructions on how to connect CSI with the WSUS server.

Where can I find more information about WSUS?

All versions
http://technet.microsoft.com/en-us/wsus

What are the system requirements for using CSI together with the WSUS?

All versions
A WSUS server needs to be installed on the network. The following requirements need to be in place on the computer that is running CSI User Interface:

  • WSUS installer (administration console only)
  • Visual C runtime
  • Microsoft .NET runtime V2.0 SP2
Is WSUS free?

All versions
Yes, WSUS is a no-cost download from Microsoft. However, you must have a valid Windows Server 2003 or 2008 license for the WSUS server itself, as well as Windows Client Access Licenses (CALs) for each machine updated by WSUS. Be sure to discuss your unique licensing needs with a Microsoft Partner or your Microsoft Account Representative.

How do I force the Windows Update Agent to detect and download approved updates from a WSUS Server?

All versions
Run this command from a command prompt:
wuauclt /detectnow

What GPO settings need to be configured in order to deploy third-party applications using CSI?

All versions
A CSI wizard will automatically implement the GPO settings, including certificate distribution necessary to deploy third-party applications. Go to CSI Patching > WSUS / SCCM Configuration and click Configure Upstream Server.

If you want to do this manually the settings needed are as follows:
Enable and Set the following values in: Policies/Administrative Templates/Windows Components/Windows Update

  • Specify intranet Microsoft update service location (Your WSUS location)
  • Allow signed updates from an intranet Microsoft update service location

The 'WSUS Publishers Self-signed' -certificate should be copied to:

  • Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certificate Authorities
  • Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Publishers

IMPORTANT! On Windows Vista, 7, 2008 you must run CSI as an administrator (right-click and select "Run as administrator") when pushing out the certificates

How do I deploy the certificates to specific Hosts in the domain NOT using GPO?

All versions
In CSI menu, go to Patch>Deployment>right-click one or several hosts, and select “Verify and Install Certificate”.

CSI 5.0 & CSI 6.0
IMPORTANT! On Windows Vista, 7, 2008 you must run CSI as an administrator (right-click and select “Run as administrator”) when pushing out the certificates. Make sure that Remote Registry Service is enabled on client machine.

How do I export and install the certificates manually alt Import and create my own GPO?

All versions
If you do not want to use CSI wizard, you can export the Certificate from the WSUS Server and import it to the target hosts either manually or through a GPO.

  1. Export the certificate. To manually copy the certificate, please do the following:

    On the computer where the certificate is to be installed go to: Start > run type in mmc and press enter.

    Go to:
    File > Add/Remove Snap-in > Add > Certificates > Add > Computer Account > Next > Another computer
    Type the name of the WSUS Server in the text box and click Finish

    Close the “Add Standalone Snap-in” dialog box. Now you have a link to certificate stores in the mmc UI. The one referring to the WSUS Server will have a “WSUS” certificate store in its root. Select that and click the certificate.

    Right-click the “WSUS Publishers Self-signed” certificate and select: All Tasks > Export.

    Choose all the defaults in the “Certificate Export Wizard” and save the file somewhere on your local file system.
  2. Certificate distribution - using GPO
    The “WSUS Publishers Self-signed” -certificate must be copied to “Trusted Publishers” and “Trusted Root Certification Authorities” on each client computer that will receive packages from the WSUS Server.

    See the following guide about how to copy the certificate using GPO.
    http://technet.microsoft.com/en-us/library/cc782744
    Repeat the same steps to import the certificate to “Trusted Publishers”
  3. Certificate distribution - Manually.
    If you do not want to use GPO to distribute the certificate, you can manually copy the certificate from the WSUS server to the local computer. This requires local admin rights.

    On the computer where the certificate will be installed go to: Start > run type in mmc and press enter.

    Go to:
    File > Add/Remove Snap-in > Add > Certificates > Add > Computer Account > Next > Local computer and click Finish. Close the “Add Standalone Snap-in” dialog box.

    Right-click the respective folder for “Trusted Root Certification Authorities” and “Trusted Publishers” and import the certificate that you exported in the previously step. Go to All Tasks > Import
    Locate the file you created in Step 1 and choose the default options through the “Certificate Import Wizard”.
    This procedure must be repeated on each computer that will create and publish packages, as well as on each computer that should install the packages.

If you cannot find “Trusted Publishers” on the Windows 2003 server, please do the following:

  1. Open “Group Policy Manager” under Computer Configuration > Windows Settings > Software Restriction Policies
  2. Right-click and create a new SR policy if you haven’t got one already
  3. Under Additional rules, right-click and create new “Certificate rule”.
  4. Click Browse and select the exported certificate that is being used to sign the updates (.cer file). Change the “Security Level” to Unrestricted otherwise you will stop the computers running any programs!
  5. Close the windows and that should be all.
How to fix the error - Unable to verify and install the certificate to the hosts?

All versions
By default the Remote Registry Service is turned off in Windows Vista, Windows 7 and Server 2008. Make sure the Remote Registry Service is started. This can also be done using GPO.

How to handle the error 12045 when I try to install CSI?

CSI 5.0 & CSI 6.0
Install the latest Microsoft Update for Root Certificates (KB931125) available at:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=19c4ae49-1127-4537-9e91-35f81d20bce6
Run CSI after installation (you may need to reboot your PC after the installation).

How to address the error - the plugin “clrplugin.dll” could not be loaded?

CSI 5.0 & CSI 6.0
1. Make sure you run CSI as an administrator (right-click and select Run as administrator)
2. Make sure the WSUS installer (administration console only) is installed
http://www.microsoft.com/downloads/details.aspx?FamilyId=a206ae20-2695-436c-9578-3403a7d46e40&displaylg=en

How to address error 0x800B0109, also known as “I have verified everything, it still does not work”?
Miscellaneous errors from the c:\Windows\WindowsUpdate.log:
-WARNING: Download failed, error = 0x800B0109
-WARNING: Digital Signatures on file C:\WINDOWS\SoftwareDistribution \Download\1234 are not trusted: Error 0x800b0109

All versions
Verify the GPO setting 'Windows Updates/Allow signed updates from an intranet Microsoft update service location' is enabled. In addition, also verify the following on the local host:

Check the registry on the client computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdateCheck that the key AcceptTrustedPublisherCerts is set to 1 (if not, change it to 1) Perform these commands, and try again.
Net stop wuauserv
Net start wuauserv
wuauclt /detectnow
wuauclt /updatenow

Make sure client machine has WSUS Publisher Self Signed certificate present in Trusted Root Certification Authority and Trusted Publishers.

What to do when I get prompted with an error message “Invalid Path”, and that I need to add 'https://*.secunia.com' to trusted sites?

All versions
Add https://*.secunia.com to trusted sites in Internet Options > Security > Trusted sites. On Windows 7, Vista, 2008 you need to run Internet Explorer as an administrator (Right-click and select Run as administrator), then go to Tools > Internet Options > Security > Trusted sites and add https://*.secunia.com

I am running CSI on Windows 2003/2008 server, and I cannot download the agent-file, csia.exe even though I have added https://csi5.secunia.com to trusted sites. What do I need to do?

CSI 5.0
Make sure encrypted pages can be saved on disk.
Internet Options > Advanced > Scroll to Security > and uncheck Do not save encrypted pages to disk.

How to address problems when trying to print/download/save .PDF reports?

All versions
Please verify that:

What to do when I get a script debugging error while running CSI?

All versions
Go to Internet Options > Advanced > Browsing > Check the check box that corresponds to Disable script Debugging (Internet Explorer) and Disable Script Debugging (Other).

Is it possible to run CSI in debug mode?

CSI 5.0 & CSI 6.0
Login and go to Configuration > Settings and check the checkbox Enable logging. If you want to start CSI in debug-mode, start it from the command prompt with the following command:
csi.exe -d debugfile.txt -v

What to do when I see unexpected behaviour while creating packages?

All versions
Make sure the WSUS server and the WSUS administrative console have the same version, or at least match so there is no conflict.

How about the installed programs language options? Could it cause any issues for CSI if am using a finnish version from Adobe, for exanple?

All versions
CSI does not recognize what language version that is installed. In cases where the Vendor provides different installations based on the language we will provide a link for each language in SPS wizard.

What to do when the integrity check fails while starting CSI setup file?

CSI 5.0 & CSI 6.0
Make sure that you downloaded the CSI Setup file and stored it locally on your system before installing it. If it still gives you this error message, then clear the “Temporary Internet” files for your browser, download the setup file again, and restart the installation process.

I have installed the CSI Agent on a Windows 64 bit system and apparently this doesn't work. What can I do?

All versions
CSI Agent service will not work when installed into %SystemRoot%\system32 on a 64 bit system. Although the agent may appear to be correctly installed, it will fail to start. Install the agent in a 32bit compliant directory, and the service will start properly.

I want to install the agent in Network Appliance mode, but with a different account rather than the one currently logged in. How can I do this?

All versions
Because the configuration is stored in the users HKEY_CURRENT_USER\Software\Secunia\csia and that registry hive is not available during the installation of the agent, the installation should be done with the runas.exe thus making sure the registry hive is loaded:
runas /user:account@company.com "csia -A -i -R account@company.com"

Can I connect to a replica WSUS server, or do I need to connect to the main WSUS server?

All versions
You need to connect to the main WSUS server, however all replica servers need to have the signing certificates.

When creating a GPO to distribute certificates I'm not able to find “Trusted Publishers” in my server?

All versions
To view the "Trusted publisher" folder do the following:

  • Open "Group Policy Manager"
  • Under Computer Configuration > Windows Settings > Software Restriction Policies, right-click and create a new SR policy if you haven't got one already
  • Under Additional rules right-click and create a new "Certificate rule"
  • Click browse and select the exported certificate that is being used to sign the updates (.cer file)
  • Change the "Security Level" to Unrestricted otherwise you will stop the computers running any programs!
  • Close the windows and that should be all.
Can we use our own signing certificate?

All versions
Yes it is possible, use the "Import Signing Certificate" function in CSI (Available under Patch/Configuration). Note that you need to set up the WSUS to use SSL connection.

How can I view and manage the packages in the SCCM console?

All versions
If you're using Microsoft SCCM, the package created and published with CSI will be available in your SCCM console, so it can be managed just like any other update. The package will be available under Computer Management/Software Updates/Update Repository/Security Updates/Vendor, also including the criticality of the vulnerability addressed by that specific update.

Back to Corporate Software Inspector