Detecting VPN Software on the System

Modified on Tue, 30 Sep at 3:36 PM

VPN (Virtual Private Network) applications can provide encrypted tunnels for network traffic, but when installed without authorization, they pose security and compliance risks. Unauthorized VPNs can:

  • Bypass corporate firewalls and monitoring solutions.
  • Enable unmonitored data transfers.
  • Provide attackers a potential entry or exit channel.


The Saner CVEM platform helps administrators detect, analyze, and block VPN software across enterprise devices.


Detecting VPN Software

Saner CVEM continuously monitors endpoints and raises Posture Anomalies when VPN applications are found.

Steps to Detect:

  1. Navigate to the Posture Anomaly (PA) Dashboard.
  2. Locate the anomaly PA-2022-1058 – VPN Software is installed.
    • This rule triggers whenever known VPN packages are detected on endpoints.
  3. Review the Summary Section:
    • OS family with the most anomalies (e.g., Unix).
    • Group with the most anomalies (e.g., Ubuntu).
    • Operating System version with the highest anomalies (e.g., Ubuntu 24.04).
  4. Check Posture Anomaly by Device:
    • Lists affected hostnames, OS family, and anomaly counts.
    • Example: support (Unix) – 3 anomalies, node6-standard-pc-i440fx… (Unix) – 3 anomalies.
  5. Check Posture Anomaly by Incidence:
    • Lists specific VPN applications detected.
    • Example:
      • network-manager-openvpn – 2 devices
      • network-manager-openvpn-gnome – 2 devices
      • openvpn – 2 devices
  6. Use Group, Family, OS dashboards to visualize spread across environments.

2. Investigating the Risk

After detection:

  • Validate if the VPN is corporate-approved or unauthorized.
  • Check if VPN usage is violating compliance policies.
  • Investigate which teams or users installed the VPN.
  • Assess if the VPN poses a risk of data leakage or policy evasion.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article