3 Replies Latest reply: Dec 6, 2012 12:54 PM by craig.carrigan

    MVM 7.5 Scan Summary report inaccurate

    craig.carrigan

      I have installed MVM 7.5 and have it running on new servers next to my MVM 7.0. I was very unhappy to see the Scan Summary from MVM 7.0 go away, but I have learned to like the new summary, as pictured below.

      MVM1.PNG

       

      My management logs into the MVM and looks around at scan summaries now and then, and I use this as part of a summary report I make for distribution to admins.

       

      There seems to be an issue with the reporting in this summary.

       

      This summary is of a weekly scan I have been running for a couple of months. As you can see, it shows 7 High Vulnerabilities found when it ran this morning.

       

      The full HTML report shows 1 High Vulnerability from the last scan.

       

      MVM2.PNG

       

      The only place that there are 7 High Vulnerabilities in this scan is in the Ticketing Database, but they are all either Accepted False Positives or Closed, except for the new one discovered and assigned a ticket this morning.

       

      MVM3.PNG

       

      MVM 7.0 would not report vulnerabilities if they were false positive acknowledged in the old Summary.

       

      Is there a way this can be fixed? This summary has become very useful, but it does not seem to be reporting accurate data, or I am broken. I am hoping it is not me :-)

        • 1. Re: MVM 7.5 Scan Summary report inaccurate
          John M Sopp

          We have seen a similar issue, but the root cause of ours is that IP addresses from other hosts are being associated with one asset. None of these hosts are related, and it appears to be a major bug. We have an SR open to get some insight, determine root cause, and lobby for a fix.

          • 2. Re: MVM 7.5 Scan Summary report inaccurate

            Hi Craig,

             

            I want to be sure I understand your issue...

             

            You're concerned because the Scan Status Summary (pictured above) shows 7 High Risk Vulns.

            After the scan completes and goes thru all the post processing, MVM determines 6 of those Vulns were Remediated somehow (False Positive Ack and/or Closed), and the HTML Report displays the *Correct* info.

            So, everything other than the Scan Status is as you would expect/want?

             

            If my understanding above is correct, then this is by design, and I don't anticipate the behavior can or will be changed without a major product redesign.  The Scan Status displays the information as it's received by the Engine, and before we do any reconciliation of IPs/Assets/etc. (in your case False Positive Ack).

             

            So, it's not broken... just not as you'd expect.

             

            Have you ever submitted a Product Enhancement Request?  Now might be a good time to do it.  You can submit it for both issues:

            1.  Want/need to get the Scan Summary option back into the GUI

            2.  Want the Scan Status to get updated after end of job processing

             

            You can get to the PER site from either of these links:


            Or: https://community.mcafee.com/groups/mvm-news click on the Submit Feature Request button

            Or directly at: https://mcafee.acceptondemand.com/index.jsp?path=/login-external.jsp

             

            I hope that helps!
            Cathy

            • 3. Re: MVM 7.5 Scan Summary report inaccurate
              craig.carrigan

              Hello Cathy,

               

              First, thank you to you and John for trying to answer my question. I am not trying to sound nitpicky, but in past versions of MVM, the Dashboard looked like this:

               

              Dashboard_7.0.PNG

               

              If I clicked the magnifying glass next to any of the found vulnerabilities, I would get the summary report:

               

              Summary_7.0.PNG

               

              If I were to expand this, I would see all vulnerabilities that had open tickets and any new vulnerabilities with a ( NEW ) next to them, as well as a section for any that were Auto Closed due to being remediated.

               

              Any Tickets that were marked as False Positive still were not in this summary.

               

              I have scans that have over 500 devices in some cases, and this summary was very useful to me for a lot of reasons, aside from the fact that management logged in and looked at it. All they see is HIGH vulnerabilities, and the PDFs are very large, if they process at all given the size.

               

              Did this information also come directly from the scan engines, or was it after post processing?

               

              I have not submitted a ticket for Product Enhancement, but if what you're saying is correct, then I may and see how that goes.

               

              Thank you both again for your responses.