AZScan has a way to go to become a world-class vulnerability assessment tool – the product is not intuitive. First, one needs to know quite a bit about the product being audited. Second, there is no online help or tool tips. Third, the menu choices don’t always behave as expected. Set-up seems easy at first, but details often don’t work.
This product is a basic host audit tool. However, instead of testing on the host, you need to download the applicable files (password, directory listing and so on) and analyze them offline. This is a bit inefficient, because the downloads must be performed prior to each new test in order to ensure that the tests are being applied to the current configuration of the computer under audit. However, this approach does allow the system to be tested without impacting its performance, as testing is done offline.
AZScan is intended for use on large Unix, AS400 and OpenVMS computers. These are likely to have a very large directory structure, and AZScan is the type of tool that will ferret out the configuration-based vulnerabilities in such systems.
The product offers a lot of information and a large number of tests. But it is very difficult to understand, partly because it offers so much information. Its presentation of the information is extensive, and the most useful parts of the presentation are specific to the audience (such as graphical for managers and executives, and very detailed for engineers).
In fairness, AZScan is a very ambitious product. Conducting the myriad of audit tests that the product performs is nowhere near as difficult as presenting the results in a useful manner. We found that it performed the tests competently, but we were disappointed with the reporting and ease of use.
Documentation is nearly non-existent and support has to come from the U.K. For all that, it is good value for the money once the user becomes familiar with it, gets it properly configured and becomes conversant with its reporting. In terms of host-based audit tools, AZScan is competent, if not spectacular.
For: Detailed analysis of AS400, Unix and OpenVMS. Low cost of ownership. Offline analysis, so it does not impact the host being tested.
Against: Virtually no documentation, no U.S.-based support, non-intuitive and some functions do not behave as expected. Offline analysis requires creation and download of the files containing the data to be audited.
Verdict: Competent open systems auditing tool, but with some notable shortcomings.