The inability to purge "unremediated" vulnerabilities is causing previously detected vulnerabilities to not be cleared when a newer patch addressing that vulnerability is applied. This is causing machines to report vulnerabilities that do not exist. For example, I use the non-superseded vuln sets for Adobe and Microsoft. A machine is found to be missing an IE patch. The next month a cumulative patch for IE is released that supersedes the previous patch. The previous patch is removed from the vuln set, and even though the cumulative patch is applied, the machine will still report the previous vulnerability until it is scanned for again, which won't happen if we're only scanning for non-superseded patches. These just build and build over time and it's creating a lot of reporting issues for us, particularly with trending.
MVM seems to be severely lacking overall in the patch supersedence area. I shouldn't have to create special scans to go look for vulnerabilities that have been remediated by a newer patch. It seems like the only resolution is to scan for every patch every time, which would mean scans would be running 24/7/365. Unless I'm missing something... and I really hope I am. I would very much like to be wrong about this. My boss is ready to forklift MVM for a different product.
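The reconciliation step the post above describes as missing (closing an old finding once a superseding cumulative patch is present) can be modelled outside the scanner. The script below is an added example, not MVM's or McAfee's code; it assumes you can export open findings per host and a list of installed patches per host from some inventory source, and the patch identifiers and the supersedence map are constructed placeholders rather than real Microsoft or Adobe patch numbers. It walks the supersedence chain transitively, so a finding is closed whether the host got the next cumulative patch or one several releases later.

```python
"""Close stale 'missing patch' findings using a patch-supersedence chain.

Added example, not MVM code. Identifiers below are constructed placeholders.
"""
from collections import deque

# Constructed supersedence map: newer patch -> patches it replaces.
SUPERSEDES = {
    "IE-CUM-2024-02": ["IE-2024-01"],
    "IE-CUM-2024-03": ["IE-CUM-2024-02"],
    "ADOBE-24.2": ["ADOBE-24.1"],
}


def superseded_by(supersedes):
    """Invert the map: old patch -> set of patches that directly replace it."""
    inv = {}
    for newer, olds in supersedes.items():
        for old in olds:
            inv.setdefault(old, set()).add(newer)
    return inv


def transitive_superseders(patch, inv):
    """All patches that replace `patch`, directly or through a chain of
    cumulative updates. Breadth-first walk with a visited set, so a
    malformed map containing a cycle still terminates."""
    seen, queue = set(), deque([patch])
    while queue:
        cur = queue.popleft()
        for newer in inv.get(cur, ()):
            if newer not in seen:
                seen.add(newer)
                queue.append(newer)
    return seen


def is_remediated(missing_patch, installed, inv):
    """A finding is closed if the patch itself, or anything that supersedes
    it, is present in the host's installed-patch inventory."""
    if missing_patch in installed:
        return True
    return bool(transitive_superseders(missing_patch, inv) & set(installed))


def reconcile(findings, installed_by_host, supersedes):
    """findings: {host: [patch ids reported missing by earlier scans]}
    installed_by_host: {host: [patch ids from the latest inventory]}
    Returns {host: {"closed": [...], "open": [...]}}, sorted for stable
    reporting. Findings for patches no longer in the scan set are closed
    here by supersedence rather than waiting for a rescan that never comes."""
    inv = superseded_by(supersedes)
    report = {}
    for host, missing in findings.items():
        installed = set(installed_by_host.get(host, []))
        closed = sorted(p for p in missing if is_remediated(p, installed, inv))
        still_open = sorted(p for p in missing if p not in closed)
        report[host] = {"closed": closed, "open": still_open}
    return report


# Constructed sample data: hostA received the March cumulative IE patch
# (two releases past the one it was flagged for); hostB only got an Adobe update.
FINDINGS = {"hostA": ["IE-2024-01", "ADOBE-24.1"], "hostB": ["IE-2024-01"]}
INSTALLED = {"hostA": ["IE-CUM-2024-03"], "hostB": ["ADOBE-24.2"]}

if __name__ == "__main__":
    for host, result in reconcile(FINDINGS, INSTALLED, SUPERSEDES).items():
        print(host, result)
```

The supersedence map is the part you have to source yourself (vendor catalog data or the scanner's own content export); the reconciliation logic does not depend on which scanner produced the findings, so it can run as a post-processing step before trending reports are built.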
I would agree, and I have not found a good solution either. I have opened a few tickets in the past, only to go down the rabbit hole. On the one hand, McAfee will tell you that MVM is not a patch scanner, it's a VA scanner that scans for missing patches. But MVM is full of false positives in how it scans for patches. If one .dll file does not have the correct date, MVM says the patch is not applied, when every other scanner will tell you it is. They really need to change how their engine looks for patches and supports patches being superseded.