• Secunia PSI v.3.0

    #484110

    WS introduced me to Secunia PSI 2.0, which proved to be a favorite free download for my WinXP-sp3. After recently installing their newest version 3.0, I stared in wonderment and tried to understand why the upgrade. After much staring/bewilderment, visited their User’s forum and learned I was not alone. Not by a long shot.

    Just wondering if WS (my WinPC tech guru) has viewed same and has any comments/advice?

    • #1338736
    • #1338738

      I stopped using Secunia when the app started automatic updates. I want to choose what does or does not get updated. I have also used FileHippo.com Update Checker for quite some time with very good results. See the download link in the upper right corner.

    • #1338739

      You are not forced to accept Secunia’s automatic updates, Ted. I never let it do that.

    • #1338747

      The only criticism of version 3 that I can really understand is the lack of links to relevant security advisories, which are apparently coming in an update at the end of this month.

      Everything else seems to amount to “it doesn’t look like what I was used to”.

      Bruce

      • #1338751

        The only criticism of version 3 that I can really understand is the lack of links to relevant security advisories, which are apparently coming in an update at the end of this month.

        Everything else seems to amount to “it doesn’t look like what I was used to”.

        Bruce

        What’s relevant to a user may not be relevant to another, and vice versa :).

        Actually, Bruce, I disagree. They went from a version where useful information was provided with minimum interaction, to a version where there is no information, even if you want to access it.
        Not only the security advisories are missing, but also the current version and the most up to date version information is missing (yes, I know the former can be obtained by choosing Show Details). There is also other information missing, as in the case of old Chrome versions that Google kindly leaves behind when a new one is installed.

        The latest version is bad for one reason, IMO – it admits it knows better than you, by choosing not to provide you with any information, other than supposedly an app being out of date. Instead of being a tool that empowers you as an informed user, it presumes that you are not wise enough to decide on your own. That is reason enough for me to dislike it. It has a horrid interface, as the previous one did, although for totally different reasons.

        • #1338771

          What’s relevant to a user may not be relevant to another, and vice versa :).

          Actually, Bruce, I disagree. They went from a version where useful information was provided with minimum interaction, to a version where there is no information, even if you want to access it.
          Not only the security advisories are missing, but also the current version and the most up to date version information is missing (yes, I know the former can be obtained by choosing Show Details). There is also other information missing, as in the case of old Chrome versions that Google kindly leaves behind when a new one is installed.

          The latest version is bad for one reason, IMO – it admits it knows better than you, by choosing not to provide you with any information, other than supposedly an app being out of date. Instead of being a tool that empowers you as an informed user, it presumes that you are not wise enough to decide on your own. That is reason enough for me to dislike it. It has a horrid interface, as the previous one did, although for totally different reasons.

          It’s not true to say that it doesn’t provide you with ANY information. The only extra piece you’ve identified is the number of the most up to date version; is this crucial information if you’re being told that the version you have is insecure and a patch is available? The history will show which version you updated from and to.

          I still don’t see what’s missing from 3.0 that was so useful in 2.0 (apart from the promised security advisory links for clarification on rare occasions).

          Surely we don’t miss all the meaningless statistics?

          Bruce

          P.S. Are you sure it doesn’t identify end-of-life programs separately? I can’t tell yet, but I got the impression that it does.

    • #1338780

      It’s really the whole rationale for this interface – hey, get an icon per program just saying it’s not up to date and you can simply choose to update it. You don’t need to know anything else. We take all the decisions for you, trust us, we know better.

      I actually like the 2.0 version better, information wise. For each problem app, you’d know your current version, the newest version available and the type of problem affecting you (yes – it doesn’t tell you it’s an end of life). Users should have this information, or at least the option to have it displayed.

      Secunia has no way to know if something is an actual security risk or not. I have, in the case of my PCs. I could give you specific examples, like the fact that I have php installed and I just use it locally for development purposes and it can’t be accessed from the internet or anywhere else I specifically allow, so it doesn’t matter to me whether it’s safe or end of life or whatever, but if there is a problem, to be useful, PSI should tell me. So, IMO, this version is worse, because of the missing info.

      It suits your needs? Fine. I won’t be upgrading it in the computers where I haven’t done it yet. Actually being so dumb, may make me ditch it altogether. This is no evolution for the better, UI wise.

      An app such as this is a tool, for me. In the current state, PSI 3.0 is a very basic, crude tool. For the first time since I started using it, I am actually considering dumping it, as I get more annoyed with it each time I run it.

      • #1338791

        Secunia has no way to know if something is an actual security risk or not. I have, in the case of my PCs. I could give you specific examples, like the fact that I have php installed and I just use it locally for development purposes and it can’t be accessed from the internet or anywhere else I specifically allow, so it doesn’t matter to me whether it’s safe or end of life or whatever, but if there is a problem, to be useful, PSI should tell me. So, IMO, this version is worse, because of the missing info.

        So you set it to be ignored and it gets listed at the bottom. Why is it useful to know it has a problem if you don’t care? If your practices change you can unignore it.

        Bruce

    • #1338789

      There is also other information missing, as in the case of old Chrome versions that Google kindly leaves behind when a new one is installed.

      I think Secunia have correctly eliminated a preceding version of the Google Chrome folder from being identified as a security risk when it’s no longer being used after an update.

      Bruce

    • #1338807

      The Chrome info was quite useful. Allowed me to clean up after Google did not.

      I really do not understand why the info that was provided before was removed. It could very well be provided in the window you open when you want to see the details. The evolution of the UI is to empower the user by providing more info with the least effort. Metro is also about that – accessing relevant without effort or with the least possible effort. That’s why tiles are so much better than the outdated grids of icons.

      Why is it useful to know? Because I want to make decisions based on actual information. The decisions should be made based on actual info. If Secunia tells me there is a security risk with an app, I would appreciate the info to evaluate by myself if it is indeed a risk for me or not. It’s me who should decide, not Secunia. Just telling me there is a problem actually helps me very little, as it may not even be a problem for me.

      Well, congrats to Secunia, they went back in time, with these childish looking icons and no info provided to users who were used to having it.

      • #1338809

        Well, congrats to Secunia, they went back in time, with these childish looking icons and no info provided to users who were used to having it.

        All the info you need is there, but you seem determined not to like it. The icons are no more childish than those you have pinned to your taskbar, desktop or start menu.

    • #1338810

      Bruce,

      I thank you for letting me know what I need. I rest my case.

    • #1338812

      Like Rui, I rather like having enough information to make a reasoned judgement, dumbing anything down is a backward, restrictive step – in my opinion, of course.

    • #1338816

      Got this from Secunia’s support forum, posted by a member said to be a Secunia official:

      You are absolutely right; we developed the PSI 3.0 with the “average PC user” in mind, so yes, the primary target group is not exactly the technical experts.

      Let me give you a little background info: When we set out to develop the PSI 3.0, the objective was (and still is) to SIGNIFICANTLY improve the state of security worldwide. Had we wanted to “merely” double the number of PSI users, we could probably have added a few new features and have achieved the goal. But if we should 10x or 20x double the number of PSI users worldwide, we believe it takes something completely different, namely a simpler user interface, focus on the core functionality (software updating), multiple languages and a lot more automation. So with the PSI 3.0 we are trying to reach far beyond the technical confident users to also offer a solution to the people that simply just want it to work. Exactly as you describe.

      But we are continuously evaluating how to improve the solution, and we for instance have a maintenance release scheduled for end of July with a few additional features and bug fixes, so the product is very much evolving.

      I am happy though that you like the PSI 2.0, and as mentioned elsewhere, we have no plans of discontinuing this. Further, we are very much aware that there is a lot of users out there that also like to “mess around with the engine”, and I promise you that we have something in the making for all of you guys as well. So stay tuned for more news later this year.


      So they are aware of the consequences of their choices and hopefully will fix it in future versions. I am in the process of going back to version 2.0. I really hate this dumbed down interface.

    • #1339314

      After turning off auto updates, the only problem I’ve had with 3.0 beta was getting it to ignore an “out of date” but not insecure application. Otherwise, the sys tray icon was always red and it would pop up a message every time it did an auto scan, which seemed to be up to five times a session. I posted the problem on their forums, and strangely enough the moderators didn’t seem to know the answer. It took another user who had figured it out with v.2 to point out that the solution is documented only in their marketing video, which of course few of us watch.

      • #1339335

        After turning off auto updates, the only problem I’ve had with 3.0 beta was getting it to ignore an “out of date” but not insecure application. Otherwise, the sys tray icon was always red and it would pop up a message every time it did an auto scan, which seemed to be up to five times a session. I posted the problem on their forums, and strangely enough the moderators didn’t seem to know the answer. It took another user who had figured it out with v.2 to point out that the solution is documented only in their marketing video, which of course few of us watch.

        Did you mean “beta” there? The new 3.0 RTM comes with a reasonably good Secunia PSI 3.0 User Guide help file which includes (under Step by Step Process, Scanning):

        You can right-click an icon under Programs that need updating or Up-to-date programs and choose:

        · Ignore updates to this program – to select programs that the Secunia PSI will not scan or gather results from. The icon will appear (in black and white) under Programs that do not receive updates at the bottom of the scan results window.

        You can choose to ignore, for example, updates to end of life programs that are no longer being maintained by the vendor. This means that when a vulnerability is found in the program, the vendor will not release any patch for it (note that having end of life programs installed poses a potential security risk as you will not be advised about vulnerabilities and will not be able to update and patch them). It is recommended to either uninstall programs that are end of life, or update to a version that is still supported by the vendor.

        Bruce

    • #1339502

      “I am happy though that you like the PSI 2.0, and as mentioned elsewhere, we have no plans of discontinuing this. Further, we are very much aware that there is a lot of users out there that also like to “mess around with the engine”, and I promise you that we have something in the making for all of you guys as well. So stay tuned for more news later this year.”

      Looks like they may be getting ready to offer an Expert Version (perhaps paid) for more technical users. This has been rumored and suggested in their forums ever since the v.3.0 flap got started.

      May I add a few things missing from PSI 3.0?

      PATHS to all instances of outdated software components. With Adobe Flash layer and various Java runtimes, these paths may indicate unneeded old userdata which certainly CAN pose security risks.

      ALL CURRENTLY INSTALLED VERSIONS of Flash, JRE, etc. Even though the older versions may be “insecure”, sometimes there are third-party programs (like OpenOffice) which cannot use the newer, more secure versions. It would in these cases break programs to update “insecure” old versions universally.

      CHOICE not to auto-update. When a program is auto-updated, all the default installers with all their default options are downloaded and installed. For free products, this introduces unwanted and insecure toolbars, spyware, adware and OpenCandy Adware Installers. There are methods which can safely update many of these programs without choosing to install all of these sources of insecurity. PSI 3.0 makes no provisions whatsoever to automatically apply Custom Installations or choose to download clean installers when auto-updating programs. This is why I do not allow ANY program to automatically receive and install updates, not even Windows itself.

      I stopped using PSI due to these and other changes. I now use a general-purpose updates checker from KC Softwares called SUMo (No-RK version). To update SUMo, I have to wade through four screens of opt-outs, but I can get a custom, clean installation of the updater. SUMo has for me identified more out of date programs and components than any other updates checker out there. And it gives paths to my current versions. Very few false leads either. (Just learn to identify your driver-related and OEM software, because those titles and components will always be identified as out of date, even though they are the latest versions which will work on your hardware.) If you can avoid the installation gotchas, SUMo is IMHO the best and most comprehensive software updater available for free to home users.

      -- rc primak

      • #1339602

        May I add a few things missing from PSI 3.0?

        Did you only try the beta?

        PATHS to all instances of outdated software components. With Adobe Flash layer and various Java runtimes, these paths may indicate unneeded old userdata which certainly CAN pose security risks.

        PSI 3.0 has that: Right click the program icon, then left click “Show details” for a “List of installed versions” (double click to open each containing folder).

        ALL CURRENTLY INSTALLED VERSIONS of Flash, JRE, etc. Even though the older versions may be “insecure”, sometimes there are third-party programs (like OpenOffice) which cannot use the newer, more secure versions. It would in these cases break programs to update “insecure” old versions universally.

        You don’t have to update insecure old versions universally with PSI 3.0: Right click the program icon, then left click “Ignore updates to this program”.

        CHOICE not to auto-update.

        PSI 3.0 has that: Click Settings then uncheck “Install updates automatically”.

        When a program is auto-updated, all the default installers with all their default options are downloaded and installed. For free products, this introduces unwanted and insecure toolbars, spyware, adware and OpenCandy Adware Installers. There are methods which can safely update many of these programs without choosing to install all of these sources of insecurity. PSI 3.0 makes no provisions whatsoever to automatically apply Custom Installations or choose to download clean installers when auto-updating programs. This is why I do not allow ANY program to automatically receive and install updates, not even Windows itself.

        PSI 3.0 does have provisions to download clean installers when auto-updating programs:

        “We strive to disable toolbars and third-party programs bundled along with the installer by the vendors.”
        Frequently Asked Questions (PSI): What is the Secunia Packaging System (SPS) and how does it work?
        http://secunia.com/vulnerability_scanning/personal/faq#x2

        But if you still don’t trust them, then you can opt out of automatic updates.

        I stopped using PSI due to these and other changes. I now use a general-purpose updates checker from KC Softwares called SUMo (No-RK version). To update SUMo, I have to wade through four screens of opt-outs, but I can get a custom, clean installation of the updater. SUMo has for me identified more out of date programs and components than any other updates checker out there. And it gives paths to my current versions. Very few false leads either. (Just learn to identify your driver-related and OEM software, because those titles and components will always be identified as out of date, even though they are the latest versions which will work on your hardware.) If you can avoid the installation gotchas, SUMo is IMHO the best and most comprehensive software updater available for free to home users.

        If you use the “Free of all sponsors download link” for SUMo on that KC Softwares Downloads page (or the Zip file without installer) then you get exactly the same program but don’t have to wade through the four screens of opt-outs that come with the “No-RK” version.

        Bruce

    • #1340472
      @BruceR —

      Nice to know that there have been some improvements in what’s available in PSI 3 since the Betas which I was trying. But I am still not satisfied with having to dig around and use obscure settings just to get what was readily available in Version 2.

      Since Secunia says they are working on a more technical product, maybe this will be a product more to my liking (See the quote in my previous post #18 in this thread.)

      If you use the “Free of all sponsors download link” for SUMo on that KC Softwares Downloads page (or the Zip file without installer) then you get exactly the same program but don’t have to wade through the four screens of opt-outs that come with the “No-RK” version.



      I am especially glad to learn about the clean installer option for SUMo at KC Softwares. That will prove useful. Tiny little link, isn’t it?

      -- rc primak

    • #1342579

      Secunia PSI 3.0 has today been updated to include most (if not all, except “secure browsing notifications”) of the features that users of PSI 2.0 had found missing:

      Version 3.0.0.3001 (26th July 2012)

      This is a minor maintenance release. The primary changes are:

        · Detailed view: The user can decide whether to view the list of programs as a detailed view or an icon view
        · Criticality: The detailed view now includes criticality ratings for programs that need updating
        · Number of installations: The detailed view shows the number of installed program versions
        · More information: Right-clicking a program that is not up-to-date now provides a link to more information (the Secunia Advisory on the Secunia website)
        · Add notification to install Microsoft Update if it is not installed
        · Bug with “long scan time for initial scan” has been fixed
        · Language selection when upgrading between major versions has been fixed
        · Ignore rules created in PSI2 are now ignored after upgrade (since the way ignored updates are handled has changed)
        · Manual downloads for updates to 64-bit programs don’t try to download the 32-bit versions
        · Warning about unknown variable has been fixed
        · Updates to translations of non-English versions of the PSI
        · Correct notice about trusted sites to point to psi3.secunia.com
        · Various minor bug fixes

      Bruce
