Hi Darren,
Thanks for the follow-up and re-cap of the current handling of patch status.
We're filtering for things in the recommendation section as I outlined above, however there are a couple of typos that make it not completely reliable.
I look forward to hearing from you!
Thanks again.
Joe.
Thanks for replying, Darren. As you can probably understand, it's very messy for all of us to create a "fix type" field using the recommendation field, and it is tough to maintain at a reliable level due to lack of consistency in wording. I also have the same challenge determining security impact type (remote code exec, info disclosure, etc.) as we are required to produce metrics on that data as well.
Back to the "fix type" field. We determine this value in Excel. I'm sharing with you and the rest of the community just in case anyone needs some more ideas on how to be decently accurate and to also clarify what we are looking for.
Our possible values for this field are:
Configuration Change
No Fix/Unknown
Patch or Configuration Change
Patch
To determine this field we have two other fields: one to determine if there is a patch, and one to determine if there is a config change.
Where Cell AJ5 is the recommendation text
:Patch
=IF(COUNT(SEARCH({"not aware of a patch","patch is not applicable","patch is not yet available","unaware of any vendor-supplied patch","unaware of any fix ","unware of any vendor supplied patch","not aware of a vendor-supplied patch","not aware of a vendor supplied patch","unware of any vendor-supplied patch","not aware of any patches","not provide a patch"," unaware of a vendor-supplied patch"},AJ5)),"N",IF(COUNT(SEARCH({"a fix that can be applied","Security updates available","has provided a patch","has supplied a patch","driver update","has released an update","has issued patch","Fix Pack","Vendor updates are available","vendor has made an update available","Bulletin/MS","Download the patch","has provided patching","patch is available","has provided patch","released patches","has patched this flaw","resolves this issue"},AJ5)),"Y",IF(COUNT(SEARCH({"has released the update","oracle.com/technetwork","has released a patch","apache.org/dist/apr/","Updating to version","made updates available","vendor has made patches","issued a patch","install the latest patch","vulnerability is fixed","has released the updated version","ibm.com/aix/efixes","vmware.com/security/advisories","Download the latest version","upgrade","Update Apache","Update to","Update Sun","Download the lastest","Download version","recommends upgrading","Update OpenSSL","Update Wireshark","install the latest version","Update JBoss","wireshark.org/download","Patches for this issue can be downloaded"},AJ5)),"Y","N")))
:Config
=IF(COUNT(SEARCH({"no available workaround"},AJ5)),"N",IF(COUNT(SEARCH({"recommended to remove","workaround","steps","instructions","configuration","Disable","configuring","password","Registry edit"},AJ5)),"Y","N"))
Our fix type field uses the following logic:
If Config=No, Patch=No then No Fix/Unknown
If Config=No, Patch=Yes then Patch or Configuration Change
If Config=Yes, Patch=No then Configuration Change
If Config=Yes, Patch=Yes then Patch
Overall I believe that the McAfee scanning side of the product works pretty well.
If you add some fields as recommended, you can save myself and your other customers a lot of time paining through Excel, Access, or scripting to show the results we need appropriately.
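A scripted equivalent of the two formulas and the fix-type table in the post above, added here as an example and not part of the original post. The phrase lists are a subset of the ones in the formulas, the function names are hypothetical, and it goes one step further than the spreadsheet by returning the phrase that decided each flag so misclassified findings can be audited.

```python
# Added example: phrase lists are a subset of those in the Excel formulas above.
NO_PATCH = ["not aware of a patch", "patch is not yet available",
            "unaware of any vendor-supplied patch", "not provide a patch"]
PATCH = ["has released a patch", "patch is available",
         "security updates available", "fix pack", "upgrade", "update to"]
NO_CONFIG = ["no available workaround"]
CONFIG = ["workaround", "configuration", "disable", "registry edit"]

# (patch, config) -> fix type, copied as listed in the post; adjust to your scheme.
FIX_TYPE = {
    ("N", "N"): "No Fix/Unknown",
    ("Y", "N"): "Patch or Configuration Change",
    ("N", "Y"): "Configuration Change",
    ("Y", "Y"): "Patch",
}


def first_hit(text, phrases):
    """Return the first listed phrase found in text, or None.

    Matching is case-insensitive, like Excel's SEARCH.
    """
    low = text.lower()
    return next((p for p in phrases if p.lower() in low), None)


def flag(text, negative, positive):
    """Return (flag, deciding phrase); negatives win, as in the nested IFs."""
    neg = first_hit(text, negative)
    if neg:
        return "N", neg
    pos = first_hit(text, positive)
    return ("Y", pos) if pos else ("N", None)


def classify(recommendation):
    """Classify one recommendation text into patch/config flags and a fix type."""
    patch, patch_why = flag(recommendation, NO_PATCH, PATCH)
    config, config_why = flag(recommendation, NO_CONFIG, CONFIG)
    return {"patch": patch, "patch_phrase": patch_why,
            "config": config, "config_phrase": config_why,
            "fix_type": FIX_TYPE[(patch, config)]}


if __name__ == "__main__":
    # Constructed sample text, not taken from a real scan report.
    print(classify("The vendor has released a patch. As a workaround, disable it."))
```

Rows where `patch_phrase` or `config_phrase` comes back as `None` are the ones worth reviewing by hand, since no listed wording matched.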