2 Replies Latest reply on Sep 17, 2012 2:43 PM by Moniker

    How to schedule or filter non-Windows scans fairly for patch admins that are working within a regular patch cycle.

      Hi everyone, I’m looking for suggestions on how to set up my scans so that they are fair to our admins responsible for patching our servers.


      My issue is mainly with HP-UX scanning, but is applicable to Linux servers and Oracle patches as well.


      Facts about my scenario:


      1. HP-UX patches are not released on a regular basis like Microsoft’s patch Tuesday patches.


      2. Many HP-UX admins are only able to patch systems on a 1-month, 3-month or 6-month patch cycle due to business constraints and patch bundles.


      3. The MVM scanner updates its vulnerability check FASL scripts on a “when available” basis.


      So as an example: say I scan an HP-UX server at the start of the month and allow a 30-day window for the patch admin to fix any vulnerabilities found during that start-of-month scan. When I scan that same server again at the 30-day mark, even if the admin has successfully patched all the vulnerabilities I initially found, the FoundScore still won’t be 100, because there will most likely have been one or two new HP-UX vulnerability checks that get automatically included in my second scan but that the admin has not had a chance to patch yet.


      If vuln sets included a rule expression based on the time the vulnerability check was released by McAfee, I probably wouldn’t be having this problem, but that type of rule expression doesn’t exist.


      So I’m hoping some of you out there may have encountered the same type of issue and come up with a way to deal with it that I haven’t stumbled upon yet.


      Thanks!

        • 1. Re: How to schedule or filter non-Windows scans fairly for patch admins that are working within a regular patch cycle.
          John M Sopp

          You could create a vuln set and uncheck updating for the vulns selected; this way the admins aren't chasing a moving target and you can show measured progress based on the static vuln set.


          on 9/11/12 12:18:19 PM EDT
          • 2. Re: How to schedule or filter non-Windows scans fairly for patch admins that are working within a regular patch cycle.

            Hi John, thanks, and I appreciate you taking the time to submit a suggestion. Unfortunately, doing it this way avoids the use of vuln sets and would force me to manually select the vuln filters to apply and continually revisit them. I was hoping for a way to accomplish this using vuln sets and the benefits that come with them.


            Also, McAfee mentioned in their PDF about the new features in MVM 7.0 that the use of vuln filters would be removed from MVM in a coming release, so I don't want to develop a process I will not be able to continue to rely on in the near future.


            Here's an excerpt from their PDF about vuln filters (the PDF is called "What's new in MVM 701.pdf"):


            Many customers have attempted to use the “Vulnerability Filter” feature to fill some of these needs. That feature can be completely replaced by the vulnerability set feature and we do plan on removing the vulnerability filter feature entirely in our next major release. If you have vulnerability filters in use today, please begin to move them to the vulnerability set feature. You will quickly begin to see the power of vulnerability sets compared to the old filter concept.


            For the time being, I guess I will submit a feature enhancement request to introduce a rule expression for vuln sets that would allow me to filter out vulnerability checks based on the time/date the check was released by McAfee.
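The release-date rule the original post describes (and the feature request above asks for) can be expressed outside the scanner: take the rescan's open findings, count against the admin only those whose check predates the start of the current patch cycle, and report checks released mid-cycle as carried forward to the next cycle. The script below is an added illustration of that logic, not MVM functionality and not code from anyone in this thread; the `Finding` fields, the `chk-*` check identifiers, the host name and all dates are constructed for the example, and it assumes you can export each open finding together with the date its check was published.

```python
# Added illustration of the "fair scoring" the thread asks for: split a rescan's
# open findings into what the admin owed this patch cycle and what was released
# mid-cycle and is carried to the next one. This is not MVM functionality and
# not the poster's code; Finding fields, check IDs and dates are constructed.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str          # hypothetical check identifier
    check_released: date   # date the scanner vendor published the check script


@dataclass(frozen=True)
class CycleReport:
    cycle_start: date
    cycle_end: date
    owed_open: tuple       # still open, and the check predates the cycle start
    carried: tuple         # check released during the cycle: due next cycle
    remediated_pct: float  # share of the baseline findings closed by the rescan


def cycle_window(scan_date, first_scan, cycle_days):
    """Return (start, end) of the fixed-length patch cycle containing scan_date.

    Cycles are counted from the date of the first scan. A rescan landing exactly
    on a boundary (e.g. day 30 of a 30-day cycle) is attributed to the cycle that
    ends there, since that is the scan the admin was given the window for.
    """
    elapsed = (scan_date - first_scan).days
    n = 0 if elapsed <= 0 else (elapsed - 1) // cycle_days
    start = first_scan + timedelta(days=n * cycle_days)
    return start, start + timedelta(days=cycle_days)


def assess_cycle(baseline_open, rescan_open, scan_date, first_scan, cycle_days):
    """Score a rescan against the baseline scan that opened its cycle.

    Only checks published before the cycle started count against the admin;
    anything the vendor released mid-cycle is reported separately as carried
    forward, which is the release-date filter the thread wishes vuln sets had.
    """
    start, end = cycle_window(scan_date, first_scan, cycle_days)
    owed_open = tuple(f for f in rescan_open if f.check_released < start)
    carried = tuple(f for f in rescan_open if f.check_released >= start)
    baseline_ids = {f.check_id for f in baseline_open}
    closed = baseline_ids - {f.check_id for f in owed_open}
    pct = 100.0 * len(closed) / len(baseline_ids) if baseline_ids else 100.0
    return CycleReport(start, end, owed_open, carried, pct)


def demo_reports():
    """Constructed HP-UX scenario: a 30-day cycle opened by a scan on 1 Aug 2012."""
    host = "hpux01.example.internal"          # constructed host name
    first_scan = date(2012, 8, 1)
    rescan = date(2012, 8, 31)
    a = Finding(host, "chk-A", date(2012, 5, 10))
    b = Finding(host, "chk-B", date(2012, 7, 20))
    c = Finding(host, "chk-C", date(2012, 8, 15))   # released mid-cycle
    d = Finding(host, "chk-D", date(2012, 8, 28))   # released mid-cycle
    baseline_open = [a, b]
    # Admin patched everything from the baseline; only mid-cycle checks remain.
    all_fixed = assess_cycle(baseline_open, [c, d], rescan, first_scan, 30)
    # Admin patched A but not B.
    half_fixed = assess_cycle(baseline_open, [b, c, d], rescan, first_scan, 30)
    return {"all_fixed": all_fixed, "half_fixed": half_fixed}


if __name__ == "__main__":
    for name, r in demo_reports().items():
        print(f"{name}: cycle {r.cycle_start}..{r.cycle_end}, "
              f"remediated {r.remediated_pct:.0f}%, "
              f"owed still open {[f.check_id for f in r.owed_open]}, "
              f"carried forward {[f.check_id for f in r.carried]}")
```

Run it as a script to see both constructed cases. The same cycle-window arithmetic covers the 3-month and 6-month admins by passing 90 or 180 as `cycle_days`; a check released in week two of a 90-day cycle is then carried forward for the rest of that cycle rather than counted on the next rescan.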