Tuesday, May 16, 2023

Vulnerability Management - Paranoid Mode

In Tenable, detection by a few plugins requires paranoid mode to be enabled.


Paranoid mode lets a user specify whether the scanner should report only vulnerabilities detected with a high level of confidence, or be a little more paranoid and flag a system if there is a possibility that it is or could be vulnerable. This can lead to false positives, but it can give a larger view of the organisation's cyber exposure.


Generally, when paranoid mode is enabled, the number of vulnerabilities detected will increase. The following are a few of the reasons:

1. Backported patches are ignored: When package maintainers backport patches to an application, the version displayed when installing through a package manager may differ from that of a package downloaded directly from the vendor. When paranoid mode is enabled, backported patches are not considered, resulting in a false positive for the 'missing' patch.


2. Some plugins (depending on how the detection is performed) may only have version information to work with, and not specific configuration information about the host. Often a vulnerability exists only if a specific configuration is enabled, and if the plugin cannot gather this information, paranoid mode is used. A common example is the Cisco configurations noted in their advisories. In these instances you may see a false positive.


3. When a plugin performs a direct check against a host, such as directly exploiting a certain vulnerability, the nature of the vulnerability can lead to false positives. For example, if the plugin has to rely on an HTTP response header to determine whether an exploit was successful, this could produce a false positive for an unaffected device, or an IDS/IPS/firewall could alter the response.
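The first two reasons can be modelled as a version-only check that either stays silent or reports when it is unsure. The Python below is an added example, not Tenable's plugin logic or code from the original post; the hosts, version numbers and field names (distro_package, feature_enabled) are constructed assumptions.

```python
# Simplified model (an assumption, not Tenable's plugin logic) of a
# version-only check. Hosts, versions and field names are constructed.

def parse_version(text):
    """'2.4.10' -> (2, 4, 10), so 2.4.10 sorts after 2.4.6 (strings would not)."""
    return tuple(int(part) for part in text.split("."))

def evaluate(host, fixed_in, paranoid):
    """Return 'confirmed', 'potential' or None (nothing reported)."""
    if parse_version(host["version"]) >= parse_version(fixed_in):
        return None                        # at or above the upstream fix
    if host["feature_enabled"] is False:
        return None                        # affected feature is known to be off
    doubts = []
    if host["distro_package"]:
        doubts.append("fix may be backported")      # reason 1
    if host["feature_enabled"] is None:
        doubts.append("configuration unknown")      # reason 2
    if not doubts:
        return "confirmed"
    # Unsure: normal mode stays silent, paranoid mode reports anyway.
    return "potential" if paranoid else None

def scan(hosts, fixed_in, paranoid):
    """Map host name -> verdict for every host that gets a finding."""
    findings = {}
    for host in hosts:
        verdict = evaluate(host, fixed_in, paranoid)
        if verdict:
            findings[host["name"]] = verdict
    return findings

def paranoid_only(hosts, fixed_in):
    """Hosts flagged only in paranoid mode: the manual verification queue."""
    normal = scan(hosts, fixed_in, paranoid=False)
    return sorted(set(scan(hosts, fixed_in, paranoid=True)) - set(normal))

FIXED_IN = "2.4.10"  # constructed upstream fixed version
HOSTS = [            # constructed inventory
    {"name": "web01", "version": "2.4.6", "distro_package": True, "feature_enabled": True},
    {"name": "web02", "version": "2.4.6", "distro_package": False, "feature_enabled": True},
    {"name": "rtr01", "version": "2.4.6", "distro_package": False, "feature_enabled": None},
    {"name": "web03", "version": "2.4.10", "distro_package": False, "feature_enabled": True},
    {"name": "web04", "version": "2.4.6", "distro_package": False, "feature_enabled": False},
]

if __name__ == "__main__":
    print("normal   :", scan(HOSTS, FIXED_IN, paranoid=False))
    print("paranoid :", scan(HOSTS, FIXED_IN, paranoid=True))
    print("verify   :", paranoid_only(HOSTS, FIXED_IN))
```

The hosts returned by paranoid_only are the ones to verify by hand, for example by checking the distribution's advisory or the device configuration.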


Please refer to the URLs below for more details:

https://community.tenable.com/s/article/How-to-know-when-a-plugin-is-made-paranoid

https://community.tenable.com/s/article/Which-plugins-require-the-paranoia-setting

https://community.tenable.com/s/article/How-does-Show-potential-false-alarms-impact-a-scan-scanning-in-paranoid-mode


Happy Learning !!
