Running the Online Software Inspector

On the initial page (below), the red button is the obvious thing to click. Although it is labeled "start scanner," it does not start the scanner. Instead, it loads the Java program, or tries to.

OSI first page

Java applets normally run in a sandbox that does not let them read files on your computer. The Secunia application has to read files, so expect the Java security warning shown below, asking you to grant it that access. Clicking the Run button allows the program to run with that access and, because the "Always trust content from this publisher" checkbox is on by default, also suppresses this warning for anything signed by the same publisher in the future. If you would rather be asked each time, clear that checkbox before clicking Run.

OSI Java security warning

If all goes well, you should now see the screen shown below. In the bottom left corner it says: Java Applet loaded successfully. Press "Start" to begin. A Java program inside a web page is called an applet. It's not unusual to see a message in this area that says "Loading Java Applet... Try x of 50...". Each "try" takes less than a second. The only times I've had this fail on me were when Java was not installed.

OSI ready to go

Before starting the inspection, I like to turn off the "Display only insecure programs" checkbox. This is a matter of opinion; the important information is displayed either way. I just like knowing which programs were, in fact, inspected. Also, a clean system, set to display only insecure programs, produces no report, which might be confused with a scan that never ran at all.

Initially there is no need for a "thorough" inspection. The default type of inspection looks for applications only in their default installation folders. After getting a clean bill of health with a default inspection, anyone interested in extra credit can go back and run a thorough inspection. Expect it to take significantly longer to run.

In addition to finding applications installed in non-default folders, a thorough inspection is also needed by anyone who wants portable applications inspected, since those live wherever you unpacked them. Applications are also sometimes bundled with other applications. For example, the Adobe Reader or Flash player may be installed as part of another, much larger, application, in that application's folder rather than its own. Finding these requires a thorough inspection.

The blue Start button kicks off the scan.

Below is a perfect report card from a Windows XP SP3 machine. Green checks are happy checks.

Perfect report card from OSI

It's hard to get a clean bill of health. Most likely you will run across a program missing a security patch. In the example below, from a Windows 7 machine, Firefox was at version 3.5.3 and missing the patch that brings it up to the just-released version 3.5.4.

OSI report showing Firefox missing a patch.

You may be initially surprised to find multiple old copies of Flash or Java. Both programs have a history of not removing prior versions when installing new ones. An old copy left behind is still an unpatched program, so uninstall the old versions rather than just updating the newest one.


After getting your house in order, the next question is when to scan again. Fortunately Secunia has a free reminder service. After an inspection, you may see the window below, offering to email you when there is an update to the software supported by OSI. I find these notifications extremely useful. Even if you don't use OSI, you can sign up for update notifications from Secunia.

Secunia reminder service


As useful as it is, and even though I heartily recommend it for all Windows users, OSI is not perfect.

To begin with, not every known security flaw has a patch. It can take weeks for some vulnerabilities to get patched. In the interim, Secunia gives the known buggy software a green check. This is because OSI scans for missing patches, not for known flaws. No patch, nothing missing.

I disagree with this philosophy and would much prefer some type of warning about software with known flaws that haven't yet been patched.

Another consequence of scanning only for missing patches is that Secunia does not check whether you have the latest version of a program. As they put it in the FAQ:

"Software can be detected by the Secunia Software Inspector as secure, even if the vendor has released a more recent version. This is because vendors release software updates not just to patch vulnerabilities, but also to fix software bugs or introduce software enhancements. These fixes and enhancements may be non-security related (for example, adding new functionality or features). Therefore, prior versions of software can be secure even if they are not the most recent ones, as long as no known vulnerabilities are reported in them."
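To make the difference between "missing a patch," "has a known but unpatched flaw," and "not the latest version" concrete, here is a toy inspector written for this article. It is an added example, not Secunia's code, data or detection logic: the product names, versions, advisory table and inventory are all constructed (the Firefox 3.5.3 versus 3.5.4 case mirrors the report above; "WidgetViewer" and "PhotoTool" are hypothetical). It also shows the empty-report problem mentioned earlier, by reporting how many programs were inspected when nothing is flagged.

```python
"""Toy "missing patch" inspector (added example, not Secunia's code).

The advisory table, the "latest version" table and the installed-program
inventory are all constructed for illustration.
"""
from typing import Optional, NamedTuple


def parse_version(s: str) -> tuple:
    """'3.5.10' -> (3, 5, 10), so versions compare numerically ('3.5.10' > '3.5.9')."""
    return tuple(int(part) for part in s.split("."))


class Advisory(NamedTuple):
    product: str
    affected_up_to: str        # highest version known to carry the flaw
    fixed_in: Optional[str]    # first patched version, or None if no patch exists yet


# Constructed advisory table (hypothetical versions and products).
ADVISORIES = [
    Advisory("Firefox", "3.5.3", "3.5.4"),
    Advisory("Java", "6.0.15", "6.0.16"),
    Advisory("WidgetViewer", "2.1", None),   # flaw is public, vendor has shipped no fix
]

# Constructed "newest release" table; only used to show that newest != patched.
LATEST = {"Firefox": "3.5.4", "Java": "6.0.16", "WidgetViewer": "2.1", "PhotoTool": "5.0"}

# Constructed inventory of what a scan found, including two side-by-side Java copies.
INSTALLED = [
    ("Firefox", "3.5.3"),
    ("Java", "6.0.15"),
    ("Java", "6.0.16"),
    ("WidgetViewer", "2.1"),
    ("PhotoTool", "4.2"),      # older than LATEST, but no advisory against it
]


def classify(product: str, version: str, warn_unpatched: bool = False) -> str:
    """Return 'Secure', 'Insecure' or 'Insecure (no patch available)'.

    With warn_unpatched=False this is the patch-only policy the article
    criticises: software with a known flaw but no vendor fix stays 'Secure'.
    """
    v = parse_version(version)
    for adv in ADVISORIES:
        if adv.product != product or v > parse_version(adv.affected_up_to):
            continue                       # advisory does not apply to this version
        if adv.fixed_in is None:
            if warn_unpatched:
                return "Insecure (no patch available)"
            continue                       # patch-only policy: nothing missing, nothing reported
        if v < parse_version(adv.fixed_in):
            return "Insecure"
    return "Secure"


def inspect(installed, warn_unpatched: bool = False):
    """Classify every installed program; returns a list of (product, version, status)."""
    return [(p, ver, classify(p, ver, warn_unpatched)) for p, ver in installed]


def report(results, display_only_insecure: bool = True):
    """Render the results. With the insecure-only filter on, a clean system would
    otherwise produce an empty report, so state how many programs were inspected."""
    rows = [r for r in results if r[2] != "Secure"] if display_only_insecure else results
    if not rows:
        return ["No insecure programs found (%d programs inspected)" % len(results)]
    return ["%-28s %s %s" % (status, product, version) for product, version, status in rows]


if __name__ == "__main__":
    for warn in (False, True):
        print("--- warn about flaws with no patch: %s" % warn)
        for line in report(inspect(INSTALLED, warn), display_only_insecure=False):
            print(line)
```

Run as-is, the first pass flags Firefox 3.5.3 and the leftover Java 6.0.15 copy, leaves the newer Java copy, WidgetViewer and PhotoTool green, and so reproduces both points from the FAQ: PhotoTool is green despite a newer release existing, and WidgetViewer is green despite a public flaw. Only the second pass, with `warn_unpatched=True`, gives the warning the article asks for.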

And, though OSI is great at finding missing patches, it does not install them. Instead, it merely provides links to patched versions of the software.

Finally, as noted earlier, OSI is very limited in the applications it scans. Among the popular applications missing are the Foxit PDF reader, the VLC media player and IrfanView. And while it checks all the popular web browsers, it does not go so far as to check their installed plug-ins, so a patched browser with an out-of-date plug-in still gets a green check.

Despite its flaws, any computer with a clean bill of health from OSI is more secure than one that fails inspection. Go inspect.