SecPod


Discovering Unauthorized Applications and Services

The problem

A security team runs a routine audit and finds a remote access tool installed on a developer's machine. No ticket was raised. No approval was given. The tool had been running for months, unpatched and exposing an open port to the internet.

Situations like this are more common than they should be. Employees install software to get work done faster. Developers spin up services during testing and forget to remove them. Contractors leave tools behind after a project ends. None of it goes through IT, and none of it shows up on any approved list. This is Shadow IT, and unauthorized applications are one of its most prevalent forms.

Every application that enters an environment outside of an approval process expands the attack surface. Unpatched software carries vulnerabilities that attackers can exploit. Unapproved remote access tools create entry points that no one is watching. Background services often run with broader permissions than necessary, and without visibility into what is installed, security teams have no way to account for any of it.

Compliance frameworks including PCI DSS, CIS Controls, and NIST SP 800-53 all require organizations to maintain accurate software inventories. Finding unauthorized software is a baseline requirement, not an advanced practice.

The challenge is not creating an approved software list. It is keeping that list accurate as the environment changes.

The Use Case

IT maintains an approved software baseline. On paper, the environment looks controlled. But maintaining that baseline across hundreds of endpoints, over months and years, is harder than it sounds.

New software gets added constantly. Devices change hands. Departments bring in tools without going through IT. And without a way to continuously monitor what is installed and running, the gap between what is approved and what is actually on the network grows quietly over time.

The security team needs continuous asset visibility into every application and service running across managed endpoints. Without it, unauthorized software accumulates and goes undetected until it causes a problem.

Unauthorized software commonly found in enterprise environments includes:

• Peer-to-peer file sharing tools that bypass network controls

• Remote desktop or remote management software installed without IT knowledge

• Databases or web servers running locally on employee machines

• Background processes consuming resources with no clear owner

• Outdated versions of approved software running alongside current ones

How It Is Generally Solved

Organizations typically rely on a combination of the following approaches to track software running in their environments.

• Software asset management (SAM) tools inventory installed applications on managed endpoints by collecting data from operating system software inventories, package managers, or installed program records.

• Endpoint Detection and Response (EDR) platforms monitor process execution and system activity to detect suspicious or malicious behavior, including the execution of unknown applications.

• Network traffic analysis tools monitor outbound and inbound network communications, helping identify connections to external services or destinations that fall outside established policies.

• Procurement controls and user access reviews attempt to catch unauthorized software before it gets installed by requiring approval for new tools.

Each of these approaches has meaningful gaps.

• Software asset management tools only see what is installed on managed endpoints. They typically miss browser extensions, SaaS applications, portable executables that do not register with the operating system, and software running on unmanaged devices.

• Similarly, unauthorized services such as locally hosted web servers, database services, or remote management agents can continue running in the background without being captured by standard software inventories, leaving security teams with an incomplete view of their environment.

• EDR platforms observe application activity only after execution and generally have limited visibility into browser-based SaaS applications or unmanaged devices without an installed agent.

• Network traffic analysis can surface connections to external services but cannot reliably identify what application generated the traffic or whether it is authorized.

• Procurement controls only work when people follow them. Shadow IT exists precisely because employees find ways to move forward without waiting for an approval process.

The result is incomplete visibility. Organizations know what they approved, but they often lack a consistent, continuously updated view of everything else running across their environment.

How Saner Solves It

Saner CVEM handles this through its Asset Exposure module, which continuously collects software and service data from lightweight agents deployed on endpoints. Here is how it works.

1. Gain continuous endpoint visibility

Saner agents are installed on managed devices across Windows, macOS, and Linux. Once in place, they run continuous and on-demand asset scans in the background. Security teams always have a live view of what is installed and running across every managed device, without waiting for a scheduled scan or manual review.

2. Build a real-time software inventory

The Asset Exposure module collects a full list of installed applications, their versions, and publishers from every managed endpoint. Teams can view and filter this inventory from a single dashboard. Having this data continuously updated means the inventory reflects the actual state of the environment at any given moment, not a snapshot from last week.


3. Compare software against approved baselines

Inside the Asset Exposure dashboard, teams go to Asset Listing to see every application present in the network. By default, all applications are whitelisted. Teams apply software allowlisting to define which applications are permitted and mark everything outside that list as blacklisted. Application lists can also be uploaded in bulk via CSV. Comparing installed software against an approved baseline makes it straightforward to spot what does not belong.

4. Enforce application control

Blacklisted applications can be blocked via Application and Device Control in Saner's Actions menu. Removal of the application from a device is handled separately through the Saner Endpoint Management tool. Enforcing application control at this level means unauthorized software does not just get flagged; it gets stopped.


5. Correlate unauthorized software with vulnerability data

Discovering unauthorized software is only part of the challenge. Security teams also need to know whether those applications introduce exploitable vulnerabilities. If a blacklisted application contains known CVEs, those findings appear alongside the software record without switching tools. Saner's Risk Prioritization module then evaluates those vulnerabilities using the CISA SSVC framework, categorizing them into Track, Track*, Attend, or Act so security teams can prioritize remediation based on actual risk rather than simply addressing every finding equally.
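Steps 3 to 5 above amount to three operations: load an approved baseline (here from CSV text, as the bulk-upload path describes), classify every installed entry as allowed, outdated or unauthorized, and attach known CVEs to the flagged entries with a priority label. The following is an added example of that pipeline in Python; it is not Saner's code or data model. The inventory, the baseline CSV, the CVE records and the `ssvc_priority` mapping are all constructed for illustration: the CVE identifiers are placeholders, and the priority function is a simplified stand-in that reuses the four SSVC outcome names, not the official CISA decision tree.

```python
"""Baseline comparison and CVE correlation over a software inventory.

Added example with constructed data. Not Saner's code; the baseline,
inventory, CVE records and priority mapping are all assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

PRIORITY_ORDER = ["Track", "Track*", "Attend", "Act"]  # low -> high


@dataclass(frozen=True)
class InstalledApp:
    host: str
    name: str
    version: str
    publisher: str


@dataclass
class Finding:
    host: str
    name: str
    version: str
    status: str                      # "allowed", "outdated" or "unauthorized"
    cves: list[str] = field(default_factory=list)
    priority: str = "n/a"            # one of PRIORITY_ORDER once a CVE is attached


# Constructed approved baseline in the "name,version" CSV shape a bulk upload might use.
BASELINE_CSV = """name,version
OpenSSH,9.6
OpenSSH,9.7
Google Chrome,124.0
"""

# Constructed CVE records keyed by (name, version): (cve_id, exploitation, technical_impact).
# The CVE ids are placeholders, not real identifiers.
CVES = {
    ("AnyRemoteTool", "2.1"): [("CVE-0000-PLACEHOLDER-1", "active", "total")],
    ("OpenSSH", "8.2"): [("CVE-0000-PLACEHOLDER-2", "poc", "partial")],
}

# Constructed inventory as an agent might report it from two endpoints.
SAMPLE_INVENTORY = [
    InstalledApp("dev-01", "OpenSSH", "9.7", "OpenBSD"),
    InstalledApp("dev-01", "AnyRemoteTool", "2.1", "Unknown Vendor"),   # never approved
    InstalledApp("dev-02", "OpenSSH", "8.2", "OpenBSD"),                # approved app, stale version
    InstalledApp("dev-02", "Google Chrome", "124.0", "Google LLC"),
]


def load_baseline(csv_text: str) -> dict[str, set[str]]:
    """Parse name,version rows into a name -> approved-versions map."""
    baseline: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        baseline.setdefault(row["name"].strip(), set()).add(row["version"].strip())
    return baseline


def classify(app: InstalledApp, approved: dict[str, set[str]]) -> str:
    """An app is unauthorized if its name is not in the baseline, outdated if only its version is off."""
    versions = approved.get(app.name)
    if versions is None:
        return "unauthorized"
    return "allowed" if app.version in versions else "outdated"


def ssvc_priority(exploitation: str, technical_impact: str) -> str:
    """Simplified mapping onto the SSVC outcome names. This is an assumption for the
    example, not the CISA decision tree, which also weighs automatability and mission impact."""
    if exploitation == "active":
        return "Act" if technical_impact == "total" else "Attend"
    if exploitation == "poc":
        return "Attend" if technical_impact == "total" else "Track*"
    return "Track"


def assess(inventory: list[InstalledApp], baseline_csv: str = BASELINE_CSV,
           cves: dict = CVES) -> list[Finding]:
    """Classify every installed app and attach CVEs plus the highest applicable priority."""
    approved = load_baseline(baseline_csv)
    findings = []
    for app in inventory:
        finding = Finding(app.host, app.name, app.version, classify(app, approved))
        records = cves.get((app.name, app.version), [])
        finding.cves = [cve_id for cve_id, _, _ in records]
        if records:
            finding.priority = max((ssvc_priority(e, t) for _, e, t in records),
                                   key=PRIORITY_ORDER.index)
        findings.append(finding)
    return findings


def unauthorized_report(findings: list[Finding]) -> list[Finding]:
    """Everything that deviates from the baseline, highest priority first."""
    deviations = [f for f in findings if f.status != "allowed"]
    rank = lambda f: PRIORITY_ORDER.index(f.priority) if f.priority in PRIORITY_ORDER else -1
    return sorted(deviations, key=rank, reverse=True)


if __name__ == "__main__":
    for f in unauthorized_report(assess(SAMPLE_INVENTORY)):
        print(f"{f.host:8} {f.name:15} {f.version:6} {f.status:13} {f.priority:7} {','.join(f.cves)}")
```

The version-aware classification is what surfaces the case listed earlier of an outdated copy of an approved application sitting beside the current one: the name passes the allowlist, the version does not. Keying CVE records on (name, version) rather than name alone is what keeps the correlation from flagging the patched OpenSSH on dev-01 along with the stale one on dev-02.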


Security and Operational Benefits

Security teams can identify unauthorized software as soon as it appears, reducing exposure before it becomes a security or compliance issue.

The approved software baseline stays accurate and current. Deviations are visible the moment they occur, not weeks later during an audit. And when a compliance review comes around, the software inventory is already there, continuously maintained, and ready to present.

The attack surface shrinks in a measurable way. Tools that could have served as entry points are found and controlled before they are exploited. Teams spend less time hunting for what is installed and more time acting on what actually matters.


See how Saner CVEM discovers unauthorized software across your endpoints. Schedule a demo.