vfguy11
Level 9
Message 1 of 10

scan with an old selection?

Hello,

If I scan a machine on 1/1/13, and I want to use the EXACT same list of vulnerabilities when I scan again on 2/1/13, how can I do that, given that there have been multiple vulnerability updates?

What I'm trying to accomplish is validating that items have been remediated, without new vulnerabilities being included, or vulnerabilities for which there are now patches, but didn't exist on 1/1/13.

Thanks.

Joe.

9 Replies
cgrim
Level 13
Message 2 of 10

Re: scan with an old selection?

Hi Joe,

Turning off the option in the Scan Config > Vuln Selection to "Run New Checks" should get you what you need. Run New Checks is ON I think for most default Scan Templates. Maybe use a Vulnerability Set - that option is OFF I think by default on Vuln Sets.

Other options - some customers turn off FSL content Updates until after they run their "Validation" type scans.

I hope that helps!
Cathy

vfguy11
Level 9
Message 3 of 10

Re: scan with an old selection?

Hi Cathy,

Thanks for the info.

I use the same vuln set for all my scans and have done 100+ scans since the one I want to validate was run.

If I try to preview the vuln set, the advanced option is greyed-out, so I can't. When I then select "do not use a vuln set", I can access the advanced section and all "run new checks" are disabled (not checked). However, I don't understand what impact that has because I never use the preview when I run a scan. My understanding is that it would apply all the rules at run-time and include all FSL scripts that are loaded. Is that not correct?

The dates I used in my original question were just hypothetical.  In reality, the scan I want to validate is 4 months old.

I see that there is a field in the dbo.hosts table "ConfigurationID".  Would that give me any info from another table that would give me a vuln set or something I could work with?

Another option is I could use the csv files in the documents section of this site to weed out new vulns since the original scans. I've downloaded all the csv files, but can you tell me if they are compilations of many updates? For example, there were FSL updates on 2/4, 2/8 and 2/12, but there is only one csv file for February in the documents section (report-csv-2013-02-12_23-11-46.csv). I would do the leg-work to import all these files into a table and add a "date" field so I could do a query to eliminate them, but I need to know how the csv files are put together. Any insight you have would be appreciated.

Thanks again.
Joe.
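
The filtering approach described in message 3, sketched as an added example that is not part of the original thread or of any McAfee tooling: it dates each update file from its name, records when each check first appeared, and compares a rescan against the baseline while setting aside checks released later. The column names `CheckID` and `Change` and all sample values are assumptions; the thread only says the files list new/updated/deleted items.

```python
import csv
import io
import re
from datetime import date

# File-name pattern taken from the thread: report-csv-2013-02-12_23-11-46.csv
NAME_RE = re.compile(r"report-csv-(\d{4})-(\d{2})-(\d{2})_")

def release_date(filename):
    m = NAME_RE.search(filename)
    if m is None:
        raise ValueError(f"unrecognised update file name: {filename}")
    return date(*(int(g) for g in m.groups()))

def index_updates(files):
    """Return ({check_id: first release date as New}, {deleted check_ids})."""
    added, deleted = {}, set()
    for name, text in files.items():
        released = release_date(name)
        for row in csv.DictReader(io.StringIO(text)):
            cid = row["CheckID"].strip()
            change = row["Change"].strip().lower()
            if change == "new":
                added[cid] = min(released, added.get(cid, released))
            elif change == "deleted":
                deleted.add(cid)
    return added, deleted

def validate(baseline, rescan, added, deleted, baseline_date):
    # A check missing from `added` is assumed to predate the baseline; that
    # only holds if every update file since the baseline has been collected.
    in_scope = {c for c in rescan if added.get(c, baseline_date) <= baseline_date}
    gone = baseline - rescan
    return {
        "remediated": sorted(gone - deleted),
        "unverifiable": sorted(gone & deleted),  # check was removed, cannot re-fire
        "still_open": sorted(baseline & rescan),
        "excluded_new": sorted(rescan - in_scope),
        "new_on_old_check": sorted(in_scope - baseline),
    }

# Constructed sample data (column names CheckID/Change are assumptions).
UPDATES = {
    "report-csv-2013-01-09_10-00-00.csv": "CheckID,Change\n14001,New\n13250,Updated\n",
    "report-csv-2013-02-12_23-11-46.csv": "CheckID,Change\n14050,New\n12999,Deleted\n",
}
BASELINE = {"12999", "13250", "13300"}        # findings from the 1/1/13 scan
RESCAN = {"13250", "14001", "14050", "13100"}  # findings from the later scan
print(validate(BASELINE, RESCAN, *index_updates(UPDATES), date(2013, 1, 1)))
```

A baseline finding whose check was later deleted is reported as unverifiable rather than remediated, because its absence from the rescan says nothing about the host.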

Re: scan with an old selection?

Cathy, I agree with Joe!

A compiled list would be very very helpful!

cgrim
Level 13
Message 5 of 10

Re: scan with an old selection?

Joe - you can get a Database Schema if you want it.  You need to open an SR for tracking purposes...  The lower Tiers know the process and can get one to you pretty quickly.

vfguy11
Level 9
Message 6 of 10

Re: scan with an old selection?

Thanks Cathy, I will do that, but that doesn't address getting a compiled list of updates, or csv files older than 1/1/13.  Or am I misunderstanding?

Thanks.

cgrim
Level 13
Message 7 of 10

Re: scan with an old selection?

Hi Joe,

No you're right... it doesn't.  Nor is a list like that something maintained or easily obtainable thru MVM.  I'm sure like you've discussed there are ways to pull that information.  They keep me far too busy with my day job for me to come up with a solution for you over the Community site however.  Product Enhancement Request?

-Cathy

vfguy11
Level 9
Message 8 of 10

Re: scan with an old selection?

PER?  They haven't acknowledged my 1/9 submission yet.  What's the definition of insanity????  😉

I compiled what's been released so far this year and will just keep my own list.  Believe it or not, I would need them going back to June, 2012 for this specific issue.

Thanks.

Joe.

vfguy11
Level 9
Message 9 of 10

Re: scan with an old selection?

Hi Cathy, one more question.  The csv files that contain the new/updated/deleted items seem to be disappearing off the documents section.  I downloaded files for 1/3 & 1/9, but they're gone now.  Are they being archived somewhere, or am I just not seeing something?

Thanks.

cgrim
Level 13
Message 10 of 10

Re: scan with an old selection?

Hi Joe,

No, you're right. They get removed after about a month. We're not going to host them here forever, so in the future you should plan to get them as they're posted.

Did you need some specific ones? Email me which ones (cathy_grim@mcafee.com) and I will send them to you.

Thanks!
Cathy
