2025 Views, 7 Replies. Latest reply: Apr 18, 2012 6:37 AM by montrealpaul
John M Sopp The Place at McAfee Member 88 posts since
Nov 17, 2009

Jan 27, 2012 1:11 PM

How do you do it: Reporting Vulns with Patches available vs vulns without patches available

Just curious how everyone out there would accomplish the following:

 

Taking all vulnerabilities [from a scan or set of scans] and tagging each as "Fixable by patch" or "Not fixable by patch"

"Fixable by patch" should include vulns which are patch-able, and have patches available that remediate the issue

"Not fixable by patch" should include vulns which need patches for which patches have not been released, workaround available, and no available fix.

 

I have already tried these three methods with results given:

Method 1: Keyword filtering all results

"Not fixable by patch" = a vuln with Recommendation having one or more of the following phrases: unaware of*patch*, *not aware of*patch*, *not aware of*update*, *unaware of*update*, *has not provide*patch*, *future security update*

Else tag as "Fixable by patch"

 

Result: So far the most accurate. Must keep up with maintenance of future keywords.

 

Method 2: Asset report based on rule-based vuln set using CVSS Remediation Level

Generate an asset report based on the rule CVSS Remediation Level contains RL:ND,RL:T,RL:W,RL:U

Copy out the MVIDs and do a compare against vulns.

 

Result: Moderate accuracy. Report output still contains vulns for which a vendor has released a fix, for example: upgrading a version of Adobe SVG Viewer

 

 

Method 3: Asset report based on rule-based vuln set using "Patch Availability"

Generate an asset report based on the rule Patch Availability = No patch available

Copy out the MVIDs and do a compare against vulns.

 

Result: Least accuracy. Report output still contains vulns for which a vendor has released a fix, for example: upgrading a version of Adobe SVG Viewer. In one instance the generated list of vulns even contained vulns with "Install the patch from Microsoft" in the remediation field.

 

Curious how to be accurate with a metric like this leveraging what is available to us in MVM.

 

Message was edited by: john.m.sopp on 1/27/12 2:11:14 PM EST
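
The Method 1 phrase list applied as case-insensitive wildcard matches, cross-checked against the Method 2 Remediation Level rule so that findings where the two disagree are flagged for manual review. This is an added example, not part of the original post and not MVM code; the row fields, ids and sample recommendation text are constructed assumptions, as is the leading wildcard on the first phrase.

```python
from fnmatch import fnmatchcase

# Phrases from Method 1 in the post; the leading "*" on the first one is assumed.
NO_PATCH_GLOBS = [
    "*unaware of*patch*", "*not aware of*patch*", "*not aware of*update*",
    "*unaware of*update*", "*has not provide*patch*", "*future security update*",
]
# Values from the Method 2 rule; matched with "contains", so RL:T also hits RL:TF.
NO_FIX_RL = ("RL:ND", "RL:T", "RL:W", "RL:U")

def tag_by_keyword(recommendation):
    # Normalise case and whitespace so wrapped report text still matches.
    text = " ".join(recommendation.lower().split())
    hit = any(fnmatchcase(text, glob) for glob in NO_PATCH_GLOBS)
    return "Not fixable by patch" if hit else "Fixable by patch"

def triage(rows):
    """Return (id, tag, needs_review); review when keyword tag and CVSS RL disagree."""
    out = []
    for row in rows:
        tag = tag_by_keyword(row["recommendation"])
        rl_says_no_fix = any(v in row["cvss_rl"] for v in NO_FIX_RL)
        disagree = rl_says_no_fix != (tag == "Not fixable by patch")
        out.append((row["id"], tag, disagree))
    return out

# Constructed sample rows; field names and ids are hypothetical, not an MVM export schema.
SAMPLE = [
    {"id": "V-1", "cvss_rl": "RL:OF",
     "recommendation": "Install the patch from Microsoft."},
    {"id": "V-2", "cvss_rl": "RL:U",
     "recommendation": "The vendor is currently unaware of\n a patch for this issue."},
    {"id": "V-3", "cvss_rl": "RL:TF",
     "recommendation": "Upgrade to the latest version of the viewer."},
    {"id": "V-4", "cvss_rl": "RL:OF",
     "recommendation": "Microsoft will address this in a future security update."},
]

if __name__ == "__main__":
    for vid, tag, review in triage(SAMPLE):
        print(vid, tag, "REVIEW" if review else "")
```

Rows flagged for review are the ones where a single rule would have mis-tagged the finding, such as a "workaround" level on a vuln whose recommendation is a version upgrade.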
