5 Replies. Latest reply: Oct 12, 2017 10:28 AM by coyote10a

What is the difference between remediation scan and remediation scan?

claudiab Apprentice

What is the difference between remediation scan and remediation scan?

 

In the vulnerability analysis overview I have got some vulnerabilities which are already patched. But they don't disappear, no matter how often I start the scan again and again.

In the vulnerability detail I see they are "last observed" more than 10 days ago.

 

In one case Security Center listed 40-60 affected hosts on 1 plugin (103131)!!

 

Now I tried the following things:

- I updated all Nessus scanners and Security Center to the latest version

- I created a remediation scan from the vulnerability summary on this plugin on an asset group (or a list of IPs), chose the same port (or default ports), same repository, credentials -> scan result -> everything is fine

- I looked at the Analysis -> vulnerabilities are still there -> "last observed" more than 10 days ago.

 

- I created a remediation scan with this plugin DIRECTLY from the detail view on ONE host, added credentials -> scan result -> everything is fine

- I looked at the Analysis -> vulnerabilities from THIS ONE HOST are mitigated

 

Now I ask myself: What is the difference between these two types of remediation scans?

I want to clean the old vulnerabilities, but I don't want to sit down and manually create 100 remediation scans. (arghh!!)

Does somebody have an idea what could be the reason for this different behaviour of remediation scans, and how I could create a scan which finds and mitigates all the old stuff?

 

Many thanks !

Claudia

  • Re: What is the difference between remediation scan and remediation scan?
    futrick Apprentice

    If you have scan results for this host in multiple Repositories you may have set up your remediation scan to dump its results into one Import Repository but you're reviewing the results from another.

     

    I'd suggest filtering on the IP in the Vuln Analysis interface and using the IP Summary Tool to check which Repos it pops up in.
    If you're not seeing a Repo column click the Options button and tweak the View Settings to include it.

    While you're there make sure you're viewing the Cumulative Results.
    ...if "Switch to Cumulative" is a choice then you're probably just viewing the results from an individual scan.

    • Re: What is the difference between remediation scan and remediation scan?
      claudiab Apprentice

      Thank you Damian,

      but the "repos" thing is the first one I checked. We have one repo I use for every scan, and it is all inside the same repo.

      And I know the difference between Cumulative results and Scan results.

      I have described the problem in the upper part.


      Thank you

      Claudia

      • Re: What is the difference between remediation scan and remediation scan?
        futrick Apprentice

        Indeed you did. Sorry I missed that.

         

        One thing I've noticed that can cause some inconsistencies is if you've changed the Reporting Level in the Scan Policy you're using from the default (Normal) to something that reports more false positives like Paranoid.
        I'm pretty sure that the Remediation Scans launched from the Vuln Analysis interface (via the Vuln Summary Detail tool) use the default Reporting Level (normal) so they'd clear Plugins that a more "paranoid" scan policy would hold on to.

        • Re: What is the difference between remediation scan and remediation scan?
          claudiab Apprentice

          Thank you for your hint. I compared all the scan policies, and all are working in normal mode (and the two points under this are disabled).

          Until now this worked very well; the Vulnerability view had the same content as reality, which is how I want it.

           

          It seems to affect only a special group of Windows servers (asset group).

          Because of this I am thinking in another way. I think the scan 2 weeks ago on this asset group had a problem and produced crap. This could happen and is not a catastrophe.

          But now I want to clean these vulnerabilities. And I could not use the remediation scan from the Vulnerability summary (one scan on all affected hosts).

          I have to perform ONE remediation scan ON every HOST individually.


          Today I created about 150 individual remediation scans, and this works (the patched vulnerabilities disappear).

          Now I have a right arm like Popeye


          My question at the beginning was:

          How do the two types of remediation scans differ in the way they work? There must be a difference.