3 Replies Latest reply: Nov 21, 2012 3:38 AM by ritch RSS

    Odd Behaviour from Asset Reports vs Scan Reports


      Hi All.


      Has anyone else come across this rather strange problem?


      I have 2 scans, Scan 1 and Scan 2, both have been run a number of times (2nd October and 16th November).


      When I look at each Scan report I can see that all the high vulnerabilities have gone but when I run an asset report to merge the two scans together I see vulnerabilities from the earlier scans showing up.


      Cheers guys



        • 1. Re: Odd Behaviour from Asset Reports vs Scan Reports

          This may not be your issue, but....

          I have had similar problems when the asset in question has undergone a major upgrade (or replacement) of hardware and/or software.

          The vulnerabilities were present in the old asset version, but are not present in the new asset version.  Another issue could be that MVM's access to the asset (via firewall, or authentication) has changed.  If MVM no longer has access that it used to have, the vulnerabilities will be retained because it 'can't tell' if the vulnerabilities are gone or not.  Looking at the actual vulnerabilities and at older scan reports might give you a clue.

          • 2. Re: Odd Behaviour from Asset Reports vs Scan Reports

            A scan report will show vulnerabilities found during that specific run of the scan.  If credentials changed, the target was not accessible OR for any other reason the target could not be assessed the scripts would likely return as indeterminate.  When you generate an Asset report you will get an overview of the asset with all known vulnerabilities from all scans combined.   Were the vulnerabilities remediated in anyway?  

            • 3. Re: Odd Behaviour from Asset Reports vs Scan Reports

              Thanks for your responses guys


              Doing a bit more digging myself I found that the assets have been scanned by other scans that had subsequently been deleted - there is a kb article that indicates that the vulnerabilities are then orphaned until they are aged out of the database.


              Personally I think this behaviour is a little poor as it limits the use of the Asset reports for tracking progress.