According to the company's website, ManageEngine, an external vulnerability aggregator, draws vulnerability information from various security sources through email and RSS feeds. Patch information is vetted and correlated into a vulnerability database. This database is published to clients in an effort to keep the database at the client end current. All scanning, patching and reporting is done by the Security Manager Plus at the client end. Agents are deployed to address systems that are behind firewalls or where configuration settings on a remote machine do not allow direct interrogation and remediation.
Product features include vulnerability scanning, open port detection, hardware and software inventory, Windows users and groups, scheduling and scan automation, patch management (includes specific Linux distributions), trouble-ticket mail generation, Windows change management, audit reports, PCI DSS compliance, CVE cross-reference and the vulnerability database.
The tool is often installed on Windows Servers and does not require the installation of any other third-party software for Windows (installation on Linux requires Samba-TNG to be installed additionally). It has been validated to run under a number of Windows systems, as well as Red Hat Linux, Debian, CentOS and open Suse. For our evaluation, Zoho provided a CD for installing the product. The install went smoothly and configuration took minutes to complete and a scan was initiated. ManageEngine found all 11 test systems.
The system has a clean graphic dashboard that we used to look up support documentation, including the community website. The admin tab provided a dashboard for managing settings and an array of other functions. Email reporting was configured and CVE vulnerability reports were produced.
PCI reports were generated through automated reporting. The risk and correction functions were easy to use and provided some easy remediation recommendations. Finally, change management tickets were created and processed. Overall, the product performed well.
Documentation included web-based assistance, including installation and user instructions, FAQs, troubleshooting tips, a document library, tutorials, user forums and more.
Basic no-fee support provides 24/5 telephone and email assistance for the evaluation period. Fee-based options are covered in the product cost for the first year. During subsequent years, fees cost 20 per cent of the licence fee.
We found that as an entry-level vulnerability management system, the value provided by this tool is good for its cost.
For the price, this is a strong entry-level tool for small organisations