The inability to purge "unremediated" vulnerabilities is causing previously detected vulnerabilities to not be cleared when a newer patch addressing that vulnerability is applied. This is causing machines to report vulnerabilities that do not exist. For example, I use the non-superseded vuln sets for Adobe and Microsoft. A machine is found to be missing an IE patch. The next month a cumulative patch for IE is released that supersedes the previous patch. The previous patch is removed from the vuln set, and even though the cumulative patch is applied the machine will still report the previous vulnerability until it is scanned for again, which won't happen if we're only scanning for non-superseded patches. These just build and build over time and it's creating a lot of reporting issues for us, particularly with trending.
MVM seems to be severely lacking overall in the patch supersedence area. I shouldn't have to create special scans to go look for vulnerabilities that have been remediated by a newer patch. Seems like the only resolution is to scan for every patch every time, which would mean scans would be running 24/7/365. Unless I'm missing something... and I really hope I am. I would very much like to be wrong about this. My boss is ready to forklift MVM for a different product.
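The stale-finding problem described in the post, as an added example that is not part of the original post or of MVM: a supersedence-aware reconciliation that closes an old "missing patch" finding when any patch that transitively supersedes it is installed, without needing a rescan for the dropped patch. The patch IDs and the supersedence map are constructed for illustration.

```python
# Constructed supersedence map: newer patch -> list of patches it supersedes.
# A cumulative patch supersedes the previous cumulative, which supersedes the
# original standalone fix (the "IE patch" scenario from the post).
SUPERSEDES = {
    "KB-CUMULATIVE-02": ["KB-IE-01"],
    "KB-CUMULATIVE-03": ["KB-CUMULATIVE-02"],
}


def non_superseded_scan_set(supersedes=SUPERSEDES):
    """Patches that nothing supersedes: the only ones a 'non-superseded'
    vuln set would scan for, so old findings are never re-checked."""
    all_patches = set(supersedes)
    for olders in supersedes.values():
        all_patches.update(olders)
    superseded = {old for olders in supersedes.values() for old in olders}
    return all_patches - superseded


def superseding_chain(patch, supersedes=SUPERSEDES):
    """All patches that transitively supersede `patch` (walks the map in reverse)."""
    reverse = {}
    for newer, olders in supersedes.items():
        for older in olders:
            reverse.setdefault(older, set()).add(newer)
    seen, stack = set(), [patch]
    while stack:
        current = stack.pop()
        for newer in reverse.get(current, ()):
            if newer not in seen:
                seen.add(newer)
                stack.append(newer)
    return seen


def reconcile(findings, installed, supersedes=SUPERSEDES):
    """findings: {host: set of patch IDs an earlier scan reported missing}.
    installed: {host: set of patch IDs present on the host now}.
    Returns (still_open, cleared): a finding is cleared if the patch itself
    or any patch superseding it is installed."""
    still_open, cleared = {}, {}
    for host, missing in findings.items():
        present = installed.get(host, set())
        for patch in missing:
            closes = {patch} | superseding_chain(patch, supersedes)
            bucket = cleared if present & closes else still_open
            bucket.setdefault(host, set()).add(patch)
    return still_open, cleared
```

Running `reconcile` after each patch inventory, rather than waiting for the dropped patch to be rescanned, is what keeps trending reports from accumulating findings that the cumulative patch already fixed.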