I have opened a ticket with McAfee (SR#3-2666770219) but would like to check with other users on their experiences, and also see this implemented in a future version.
I use vuln sets, which contains the rule "Patch Availability equals Patch Available".
What I want is:
"Patch Availability equals Patch Available" OR "Workaround Exists"
Take the case of FID 10588 (one example of many), which is listed as "no patch available".
10558 Microsoft Windows Environment Variable Expansion Library Loading Vulnerability
A logic error is present in some versions of Microsoft Windows. Medium
"Microsoft Windows is an industry standard operating system. A logic error is present in some versions of Microsoft Windows. The vulnerability is due to Windows not properly expanding some of the values in the PATH environment variable, which can result in an unexpanded PATH value being used when loading resources. Successful exploitation could allow an attacker to execute arbitrary code by tricking a user into opening files located on a remote WebDAV or SMB share."
CVE-2007-6753
"The vendor has released an advisory describing a workaround that can be used to mitigate this issue. More information can be found at:"
Currently, in vuln sets, I can only choose:
No Patch Available
I want to be able to include in my reports vulns for which there are workarounds, such as 10588. After all, I am interested in securing my environment as much as possible - patch available or not.
To me, the solution would be to add a code "4" in the "patched" field of the "content.vuln" table to indicate that there is a workaround available, and a corresponding condition in the vuln sets to query on this.
The response to my ticket was clarification that a patch is a "binary"; however, that is not my concern. I'm not interested in the semantics of patch vs workaround.
I would like to see the above implemented. The work required by McAfee would be negligible and would help customers be able to identify possible "workarounds" to increase security.
That's good input. I think you will need to go down the Product Enhancement Request (PER) route, since MVM functionality would need to be updated pretty significantly.
You can click on the "submit a feature request" link in the Important Links section of our main page here:
Hi Cathy, I've done that already at the suggestion of tech support. I submitted a different PER in November and that's not been reviewed yet. Do you know how often these are looked at?
I reached out to the MVM Product Manager (Darren Thomas), and he said he's talking to another Joe regarding this exact thing - is that you??
As far as "how often these are looked at", from what I understand PERs are looked at as they come into the system; they are then incorporated into planning discussions for upcoming patch and feature releases. As discussions around these releases progress, the PERs are updated accordingly.
I hope that helps!
Hi Cathy, yes I've communicated with Darrin. He got my old (November) PER submission looked at, but the one I submitted for this issue hasn't been looked at.
I'm not sure the PERs are looked at quite that frequently.
I also received some invitation to a "product advisory council" that I'm not sure has anything to do with this, or if it's something else.
I appreciate the follow-up - very much. MVM is a good product, but a couple of relatively simple improvements could make it fantastic.