The uselessness of online scan tools

There's a number of sites that offers "online vulnerability scans", to check your computer for open ports and "stealth." I bet they get lots of traffic, and they probably manage to get someone to buy their product to replace whatever is already in use.

Make no mistake, these scans offered by companies who are selling personal (desktop) firewall are using these scans as a marketing tool. They tell you how vulnerable you are, and that you must buy their products to protect yourself from the evils of the Internet.

These online scans are only good for one thing: seeing how your firewall logs port scans! Everything else you can find out on your own on your computer. These tools simply tries to connect to your computer on a set of given ports, and tell you the status. You can test this yourself on your own computer using the netstat command that comes with all flavors of Windows and Linux.

"netstat -an" on a Windows computer will list all active ports, including those in a listening state and UDP ports in listening state. Other computers can only connect to ports that are in a listening state. A typical output on a Windows computer would look something like this:

 TCP 0.0.0.0:135              0.0.0.0:0            LISTENING
 TCP 0.0.0.0:445              0.0.0.0:0            LISTENING
 TCP 0.0.0.0:1025             0.0.0.0:0            LISTENING
 TCP 0.0.0.0:1033             0.0.0.0:0            LISTENING
 TCP 192.168.0.10:139         0.0.0.0:0            LISTENING
 TCP 192.168.0.10:3031        192.168.0.11:22      ESTABLISHED
 UDP 0.0.0.0:135              *:*
 UDP 0.0.0.0:445              *:*
 UDP 192.168.0.10:137         *:*
 UDP 192.168.0.10:138         *:*

You'll probably see a number of other entries as well, most are harmless. If you do have a trojan installed, it would show up in a listening state (unless they've managed to replace the netstat command).

On a Linux box, the typical output of "netstat -tunap" would be something like this:

 tcp  0  0 0.0.0.0:22       0.0.0.0:*         LISTEN       529/sshd
 tcp  0  0 0.0.0.0:25       0.0.0.0:*         LISTEN       11520/sendmail
 tcp  0  0 127.0.0.1:53     0.0.0.0:*         LISTEN       512/named
 tcp  0  0 0.0.0.0:110      0.0.0.0:*         LISTEN       543/xinetd
 tcp 88  0 192.168.0.11:22  192.168.0.10:3031 ESTABLISHED  6628/sshd
 udp  0  0 0.0.0.0:514      0.0.0.0:*                      19433/syslogd
 udp  0  0 127.0.0.1:53     0.0.0.0:*                      512/named

You'll see a whole bunch of others as well, depending on what services you are running. This output conveniently lists the program that's listening on a port, with the exception of POP3, which is listed as xinetd. Again, unless someone has managed to replace the netstat command, this will list every port that is open for connections.

Unless the port is listed in the above outputs, no computer can connect to your computer on that port. Since the online scan tools does nothing but report what netstat has already determined, spending 20-40 minutes waiting for a scan to complete, is a waste of time and effort. Again, it's only useful to see how your firewall reports these scan attempts.