Local device security evidence without turning it into an EDR
Scantide Local Device Check reviews the Windows machine where it runs. It collects endpoint posture evidence, installed-software CVE review leads, local exposure indicators and practical remediation notes in an HTML report.
Local device scan coverage
A local device scan is not the same as a LAN scan. LAN scans look outward at reachable hosts. Local Device Check looks inward at the endpoint.
System and identity
Computer, user context, OS/build, hardware, boot time, admin scope and scan completeness.
Security posture
Firewall, AV/EDR, Defender visibility, updates, UAC, SMB/RDP, BitLocker, Secure Boot/TPM and Windows baseline signals.
Software CVE review
Installed software is normalized and queried against Scantide CVE intelligence. Results are review leads, not automatic proof of exposure.
Local exposure
Listening TCP ports, shares, printers, remote management, proxy/VPN indicators and port-helper explanations.
Device traces
USB storage, ghost devices, Wi-Fi profiles, browser posture and certificate stores.
Operational review
Risky firewall rules, scheduled tasks, writable services, PATH hijack candidates, credential exposure checks and recent event log errors.
Basic, Advanced and CVE Watch modes
| Mode | Best for | Command |
|---|---|---|
| Basic | Fast endpoint posture evidence with common checks. | .\ScantideLocalCheck.ps1 -CheckLevel Basic |
| Advanced | Deep local review with browser, certificates, device, audit, remote access and hardening checks. | .\ScantideLocalCheck.ps1 -CheckLevel Advanced |
| CVE Watch | Small scheduled installed-software CVE review only. | .\ScantideLocalCheck.ps1 -Mode CveWatch -UseSavedScantideCredentials -CveParallelism 8 -ToastOnSuccess |
Scheduled CVE-only Local Watch
Local Watch is intentionally narrow: it checks installed software against Scantide CVE intelligence and can notify on High/Critical review leads. It does not run the full local report.
At user logon
Uses Task Scheduler COM with an interactive current-user token, matching the normal “When I log on” task model.
.\Install-ScantideLocalWatch.ps1 -AtLogon $true
Daily at a time
Use a daily trigger when you prefer a predictable run time.
.\Install-ScantideLocalWatch.ps1 -AtLogon $false -Daily $true -RunAt "09:00"
Clean removal
Deletes the logon task, daily task and generated ProgramData runner files.
.\Remove-ScantideLocalWatch.ps1 -RemoveProgramData
-CveParallelism 8 and -ToastOnSuccess.
Windows Credential Manager support
Version 3.5.166 fixes the Launcher credential helper scope issue. The helper functions are loaded into a persistent runspace scope before Save/update calls them.
Scantide API key
Store the API key without writing it into command lines or reports.
ServiceNow / CMDB
Reuse saved ServiceNow instance and credentials when comparing scanned assets against CMDB entries.
Local Watch reuse
The CVE-only watch can use saved Scantide credentials for scheduled background review.
View anonymized Local Device report
The anonymized report keeps the real structure: summary cards, tabs, quick filters, installed-software CVE review, endpoint posture, event log errors, certificates, listening ports and remediation guidance — without exposing real hostnames, usernames, serials, IP addresses or organization details.
Good for publishing and demos
- Shows what a Local Device Check report looks like.
- Explains why review leads are not the same as confirmed vulnerabilities.
- Shows Basic/Advanced endpoint posture evidence in a realistic format.
- Can be linked from landing pages, manuals and sales discussions.
For network-wide examples, use the separate Auditor internal survey report.
Network survey example
Download Local Device Check files
# Download folder under the current user's profile
$dest = Join-Path $env:USERPROFILE 'Downloads\ScantideAuditor'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$base = 'https://www.scantide.com/helpfiles'
$files = @(
    @{ Name = 'ScantideLocalCheck.ps1'; Url = "$base/ScantideLocalCheck.ps1" },
    @{ Name = 'Install-ScantideLocalWatch.ps1'; Url = "$base/Install-ScantideLocalWatch.ps1" },
    @{ Name = 'Remove-ScantideLocalWatch.ps1'; Url = "$base/Remove-ScantideLocalWatch.ps1" },
    @{ Name = 'ScantideCredentialManager.ps1'; Url = "$base/ScantideCredentialManager.ps1" }
)
foreach ($file in $files) {
    $target = Join-Path $dest $file.Name
    Write-Host "Downloading $($file.Name)..." -ForegroundColor Cyan
    Invoke-WebRequest -Uri $file.Url -OutFile $target -UseBasicParsing -TimeoutSec 45
    # Unblock-File removes the Zone.Identifier (Mark of the Web) stream from the download
    Unblock-File -LiteralPath $target -ErrorAction SilentlyContinue
}
Write-Host ""
Write-Host "Downloaded Scantide Local Device Check files to: $dest" -ForegroundColor Green
Write-Host "Examples:" -ForegroundColor Yellow
Write-Host " cd `"$dest`""
Write-Host " .\ScantideLocalCheck.ps1 -CheckLevel Basic"
Write-Host " .\ScantideLocalCheck.ps1 -CheckLevel Advanced"
# Backtick-escape $true/$false so the examples print literally instead of expanding to True/False
Write-Host " .\Install-ScantideLocalWatch.ps1 -AtLogon `$true"
Write-Host " .\Install-ScantideLocalWatch.ps1 -AtLogon `$false -Daily `$true -RunAt `"09:00`""
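An added example, not Scantide's own code: a pre-run check of the files the download script above saves, reporting each script's SHA-256, Authenticode status and whether the Mark of the Web is still present. The page does not say whether the scripts are signed and does not publish hashes, so the `$expected` values are placeholders to be replaced with hashes obtained from the vendor through a separate channel, and `Test-DownloadedScript` is a hypothetical helper name.

```powershell
# Added example: inspect the downloaded scripts before executing any of them.
# ASSUMPTION: the values in $expected are placeholders, not real hashes.
$dest = Join-Path $env:USERPROFILE 'Downloads\ScantideAuditor'
$expected = @{
    'ScantideLocalCheck.ps1'         = '<SHA256-FROM-VENDOR>'
    'Install-ScantideLocalWatch.ps1' = '<SHA256-FROM-VENDOR>'
    'Remove-ScantideLocalWatch.ps1'  = '<SHA256-FROM-VENDOR>'
    'ScantideCredentialManager.ps1'  = '<SHA256-FROM-VENDOR>'
}

function Test-DownloadedScript {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256
    )
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    # A Zone.Identifier stream means the Mark of the Web is still set.
    # It is normally absent here because the download script calls Unblock-File.
    $zone = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{
        File         = Split-Path -Path $Path -Leaf
        Sha256       = $hash
        HashMatches  = [bool]($ExpectedSha256 -and ($hash -eq $ExpectedSha256))
        Signature    = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer       = $sig.SignerCertificate.Subject   # $null when the file is unsigned
        MarkOfTheWeb = [bool]$zone
    }
}

$results = Get-ChildItem -LiteralPath $dest -Filter *.ps1 | ForEach-Object {
    Test-DownloadedScript -Path $_.FullName -ExpectedSha256 $expected[$_.Name]
}
$results | Format-Table -AutoSize

# Flag anything that is not in the expected list or does not match its hash.
$unverified = @($results | Where-Object { -not $_.HashMatches })
if ($unverified.Count -gt 0) {
    Write-Warning "Not verified, review before running: $($unverified.File -join ', ')"
}
```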
How this fits with Auditor PowerShell
Internal network scan
Use ScantideLAN.ps1 for reachable hosts, ports, banners, TLS/web evidence and CMDB comparison.
Open Auditor PowerShell
Manual
Use the main manual for Launcher tabs, scan profiles, radio discovery, list files and LAN reports.
Open Auditor manual