We have already said what a baseline scan is in Attack Surface Analyzer. A product scan is the scan you run in Attack Surface Analyzer after the baseline scan, and it is required: the baseline scan records the initial system configuration before the software is installed, and the product scan records the system configuration after the software is installed.
Microsoft recommends running product scans with various configuration combinations from within the application you are testing, because that helps you understand how different configurations, and changes to preferences and options within the application, change the attack surface of the operating system by altering ACLs, registry keys and so on.
At bottom, the baseline scan and the product scan are the same: both read the same system settings. One is called baseline and the other product purely for logical reasons, which have nothing to do with which parts of the system are scanned. The logic is simple: to compare configurations, you must have at least two of them. The baseline scan collects the state of the system before the changes are made, and the product scan collects the state of the system after them.
Product scans in Attack Surface Analyzer are required for creating the report. It is also important to remember that you must not run both scans before installing the software, or both after installing it. You will also have to run a separate scan for every analysis: Attack Surface Analyzer cannot tell you how much the software you install 'could' change the attack surface, so you must run a new scan after altering your application's preference settings. You can compare any two scans as long as you have named them differently and know when each was created. This not only lets you find the attack surface changes between the plain system and the system after product installation, but also lets you see what changes are made when preference settings are changed from within the application (or product). This is valuable because developers can change only the relevant part of the application, or you can disable a particular module if enabling it changes the system configuration in a way that exposes a vulnerability.
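As an added illustration (not Attack Surface Analyzer's own code or output), here is the comparison described above modelled in Python over three constructed snapshots: a baseline, a product scan taken after installation with default settings, and a second product scan taken after enabling one option inside the product. Every registry path, service, ACL and firewall value below is a placeholder.

```python
import copy

# Added example, not Attack Surface Analyzer's own code. A scan is modelled as
# {category: {item: observed value}}; the report is the difference between two
# scans. All names and values are constructed placeholders, not real data.
Scan = dict[str, dict[str, str]]

# Baseline scan: the plain system before the product is installed.
BASELINE: Scan = {
    "registry": {r"HKLM\SOFTWARE\Policies\ExampleOS\Telemetry": "1"},
    "services": {"W32Time": "Manual"},
    "acl": {r"C:\Windows\Temp": "Users:RX"},
    "firewall": {},
}
# Product scan 1: after installing ExampleApp with its default options.
PRODUCT_DEFAULT: Scan = copy.deepcopy(BASELINE)
PRODUCT_DEFAULT["registry"][r"HKLM\SOFTWARE\ExampleCorp\ExampleApp\RemoteAdmin"] = "0"
PRODUCT_DEFAULT["services"]["ExampleAppSvc"] = "Automatic"
PRODUCT_DEFAULT["acl"][r"C:\Program Files\ExampleApp"] = "Everyone:F"
# Product scan 2: same install, after enabling "Remote Admin" inside the app.
PRODUCT_REMOTE_ADMIN: Scan = copy.deepcopy(PRODUCT_DEFAULT)
PRODUCT_REMOTE_ADMIN["registry"][r"HKLM\SOFTWARE\ExampleCorp\ExampleApp\RemoteAdmin"] = "1"
PRODUCT_REMOTE_ADMIN["firewall"]["ExampleApp Remote Admin"] = "allow inbound TCP 8443"

def diff_scans(before: Scan, after: Scan) -> dict[str, list[tuple]]:
    """Return {category: [(kind, item, old, new)]}; kind is added/removed/modified."""
    report: dict[str, list[tuple]] = {}
    for category in sorted(set(before) | set(after)):
        b, a = before.get(category, {}), after.get(category, {})
        rows = []
        for item in sorted(set(b) | set(a)):
            if item not in b:
                rows.append(("added", item, None, a[item]))
            elif item not in a:
                rows.append(("removed", item, b[item], None))
            elif b[item] != a[item]:
                rows.append(("modified", item, b[item], a[item]))
        if rows:  # categories with no change are left out of the report
            report[category] = rows
    return report

def print_report(title: str, report: dict[str, list[tuple]]) -> None:
    print(f"== {title} ==")
    for category, rows in report.items():
        for kind, item, old, new in rows:
            print(f"  [{category}] {kind}: {item}  {old!r} -> {new!r}")

if __name__ == "__main__":
    print_report("baseline -> product (defaults)", diff_scans(BASELINE, PRODUCT_DEFAULT))
    print_report("product (defaults) -> product (Remote Admin on)", diff_scans(PRODUCT_DEFAULT, PRODUCT_REMOTE_ADMIN))
```

The first report isolates what installation itself did to the system; the second isolates what one preference change added on top of it, which is why each setting combination needs its own separately named scan.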