9 Replies Latest reply: Feb 21, 2013 11:53 AM by cgrim

    scan with an old selection?

    vfguy11

      Hello,

       

      If I scan a machine on 1/1/13, and I want to use the EXACT same list of vulnerabilities when I scan again on 2/1/13, how can I do that, given that there have been multiple vulnerability updates?

       

      What I'm trying to accomplish is validating that items have been remediated, without new vulnerabilities being included, or vulnerabilities for which there are now patches, but didn't exist on 1/1/13.

       

      Thanks.

      Joe.

        • 1. Re: scan with an old selection?

          Hi Joe,

           

          Turning off the option in the Scan Config  > Vuln Selection to "Run New Checks" should get you what you need.  Run new Checks is ON I think for most default Scan Templates.  Maybe use a Vulnerability Set - that option is OFF I think by default on Vuln Sets.

           

          Other options - some customers turn off FSL content Updates until after they run their "Validation" type scans.

           

          I hope that helps!
          Cathy

          • 2. Re: scan with an old selection?
            vfguy11

            Hi Cathy,

             

            Thanks for the info.

             

            I use the same vuln set for all my scans and have done 100+ scans since the one I want to validate was run.

             

            If I try to preview the vuln set, the advanced option is greyed-out, so I can't.  When I then select "do not use a vuln set", I can access the advanced section and all "run new checks" are disabled (not checked).  However, I don't understand what impact that has because I never use the preview when I run a scan.  My understanding is that it would apply all the rules at run-time and include all fsl scripts that are loaded.  Is that not correct?

             

            The dates I used in my original question were just hypothetical.  In reality, the scan I want to validate is 4 months old.

             

            I see that there is a field in the dbo.hosts table "ConfigurationID".  Would that give me any info from another table that would give me a vuln set or something I could work with?

             

            Another option is I could use the csv files in the documents section of this site to weed out new vulns since the original scans.  I've downloaded all the csv files, but can you tell me if they are compilations of many updates?  For example, there were FSL updates on 2/4, 2/8 and 2/12, but there is only one csv file for February in the documents section (report-csv-2013-02-12_23-11-46.csv).  I would do the leg-work to import all these files into a table and add a "date" field so I could do a query to eliminate them, but I need to know how the csv files are put together.  Any insight you have would be appreciated.

             

            Thanks again.
            Joe.

            • 3. Re: scan with an old selection?
              John M Sopp

              Cathy, I agree with Joe!

              A compiled list would be very very helpful!

              • 4. Re: scan with an old selection?

                Joe - you can get a Database Schema if you want it.  You need to open an SR for tracking purposes...  The lower Tiers know the process and can get one to you pretty quickly.

                • 5. Re: scan with an old selection?
                  vfguy11

                  Thanks Cathy, I will do that, but that doesn't address getting a compiled list of updates, or csv files older than 1/1/13.  Or am I misunderstanding?

                   

                  Thanks.

                  • 6. Re: scan with an old selection?

                    Hi Joe,

                     

                    No you're right... it doesn't.  Nor is a list like that something maintained or easily obtainable thru MVM.  I'm sure like you've discussed there are ways to pull that information.  They keep me far too busy with my day job for me to come up with a solution for you over the Community site however.  Product Enhancement Request?

                     

                    -Cathy

                    • 7. Re: scan with an old selection?
                      vfguy11

                      PER?  They haven't acknowledged my 1/9 submission yet.  What's the definition of insanity????  ;-)

                       

                      I compiled what's been released so far this year and will just keep my own list.  Believe it or not, I would need them going back to June, 2012 for this specific issue.

                       

                      Thanks.

                      Joe.

                      • 8. Re: scan with an old selection?
                        vfguy11

                        Hi Cathy, one more question.  The csv files that contain the new/updated/deleted items seem to be disappearing off the documents section.  I downloaded files for 1/3 & 1/9, but they're gone now.  Are they being archived somewhere, or am I just not seeing something?

                         

                        Thanks.

                        • 9. Re: scan with an old selection?

                          Hi Joe,

                           

                          No, you're right.  They get removed after about a month.  We're not going to host them here forever, so in the future  you should plan to get them as they're posted.

                           

                          Did you need some specific ones?  Email me which ones  (cathy_grim@mcafee.com) and I will send them to you.

                           

                          Thanks!
                          Cathy