6 Replies Latest reply on Feb 20, 2015 12:11 PM by John M Sopp

    What is your experience with false positives

      I have been using Foundstone for a while but there are a number of scan alerts for missing patches which my Infrastructure team say are installed. There are a number of patches for 2009 (MS09-062 is the latest) but also some going back to MS08, 07 and even right back to MS02.

      I intend to raise these with McAfee support in a week or so (after the INFRA team review the latest scan), but I would like to ask the Community about their experiences in regard to false positives. We patch our desktops using Altiris.

        • 1. Re: What is your experience with false positives
          jhaynes

          I might not be part of the community you are looking for a response from, since I work for support, but I will give you some of my insight.

           

          One of the more common issues we see in support is that a patch management system will say a patch installed but the vulnerable file still exists on the target system. Most patch management systems look in the registry to see which patches have been installed, but MVM doesn't do that. We look at the actual file version to see if the vulnerable file exists or not. One of the things you can do is look up which files should have been replaced by the patch and confirm you really have the correct version.

           

          It's always possible that you really have a false positive. If that's the case, support will be able to help you gather the FSDiag information we need to correct the issue. In general, once we have the diagnostic information there is less than a 10-day turnaround on a false positive. The key is getting the diagnostic information in as soon as possible.

           

          Jeff Haynes

          MVM Tier 3 Support

          • 2. Re: What is your experience with false positives
            msudhindra

            Hello,

             

            Is there a way such false positives could be tagged?

            • 3. Re: What is your experience with false positives
              jhaynes

              I'm not sure what you mean by tagged. Can you give me an example of what or where I would see this tagging? Once I have a better understanding of the question I'll try and give you an answer.

               

              Jeff Haynes

              msudhindra wrote:

              Hello,

              Is there a way such false positives could be tagged?

              • 4. Re: What is your experience with false positives

                Hi msudhindra,

                 

                If you're using the Remediation Module within Foundstone, you can flag the vulnerability as False Positive. An Administrator would "Acknowledge" the False Positive, and it will no longer show up in the scans or on the reports. No new tickets are created for "False Positive Acknowledged" vulnerabilities.

                 

                You're also able to report on False Positives by running a False Positive report.

                 

                I hope that helps,

                Cathy

                • 5. Re: What is your experience with false positives
                  jamorales

                  Hi jhaynes,

                   

                  Our team and our System Admin want to verify whether the said vulnerability is a "false positive", in which the said vulnerability falls on a Windows Operating System.

                   

                  Our System Admin tried to look for or research any possibility that could remediate the vulnerability, but to no avail. Now we believe that the said vulnerability falls on a Linux/Unix Operating system. For now, we just want your expertise to verify this vulnerability so we can declare it as a "false positive".

                   

                  Thanks,

                  Jeoff

                  • 6. Re: What is your experience with false positives
                    John M Sopp

                    If it is a missing microsoft patch, it is likely that either the patches didn't apply correctly or the files were overwritten by (something) thus changing the related file versions.

                    (It also may be superseded, but applying the most recent patch for the issue should fix all prior ones.)

                    I recommend you check the FSL output to see why it is triggering as vulnerable.
                    Cross check this information with the OVAL definition and if there is a discrepancy, run FSDIAG and report to support as jhaynes mentioned.


                    OVAL has done wonders for us in filtering out actual false positives vs vulnerabilities.

                     

                    Bottom line: File Versions matter!
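Added example, not from any of the posters above: a PowerShell check that reproduces what both jhaynes (reply 1) and John M Sopp (reply 6) describe, namely comparing the installed file version of each file a bulletin replaces against the fixed version from the bulletin's file table or the matching OVAL definition, and putting that next to what the registry (Get-HotFix) claims. The KB number, file path and version in the usage section are placeholders, not real bulletin data; fill them in from the bulletin or OVAL definition you are checking.

```powershell
# Added example. Cross-checks "patch manager says installed" (registry/Get-HotFix)
# against "vulnerable file version still on disk" (what MVM and OVAL actually test).
# KB, paths and versions passed in are supplied by the caller from the bulletin.

function Get-InstalledFileVersion {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build a [version] from the numeric parts. The FileVersion string itself can
    # carry a free-text suffix (build lab tag) that breaks [version] parsing.
    return [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-PatchFileState {
    param(
        [Parameter(Mandatory)][string]$KB,               # e.g. 'KB000000' (placeholder)
        [Parameter(Mandatory)][hashtable]$ExpectedFiles  # path -> minimum fixed version
    )
    # What the patch manager / registry believes about this KB.
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue

    foreach ($path in $ExpectedFiles.Keys) {
        $want = [version]$ExpectedFiles[$path]
        $have = Get-InstalledFileVersion -Path $path
        # Same decision an OVAL file_test makes with "version less than <fixed>".
        # A higher version than expected (superseding patch) is OK, as reply 6 notes.
        $state = if ($null -eq $have)   { 'FileMissing' }
                 elseif ($have -lt $want) { 'VULNERABLE' }
                 else                     { 'OK' }

        [pscustomobject]@{
            KB                    = $KB
            RegistrySaysInstalled = [bool]$hotfix
            File                  = $path
            InstalledVersion      = $have
            FixedVersion          = $want
            Result                = $state
        }
    }
}

# ---- Usage (placeholder values; replace from the bulletin's file table / OVAL) ----
$expected = @{
    "$env:SystemRoot\System32\example.dll" = '6.0.6002.18005'   # placeholder file + version
}
Test-PatchFileState -KB 'KB000000' -ExpectedFiles $expected | Format-Table -AutoSize
```

A row with RegistrySaysInstalled = True and Result = VULNERABLE is exactly the case reply 1 describes: the patch manager recorded the install, but the old binary is still what is on disk, so the scanner is right and it is not a false positive. Result = OK with a version higher than the bulletin's is the supersedence case from reply 6. One caveat: run this from a 64-bit PowerShell on x64 hosts, or check both System32 and SysWOW64, since a 32-bit process is redirected away from the real System32 and bulletins list separate x86 and x64 file versions.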