Vulnerabilities whose status is unknown are called orphan vulnerabilities. So why can the status of such vulnerabilities not be known?
Suppose you run an authenticated scan against a server and it detects some vulnerabilities whose checks require authentication. If for some reason you then stop running authenticated scans, the scanner has no way to know whether the vulnerabilities detected in the previous scan still exist. So even after you remediate them, they remain in the database. The only way to clear them is to manually purge the asset data or to run an authenticated scan once again. Even if an agent is installed on the server, the vulnerabilities will still exist in the database, because VM solutions track data collected by a scanning appliance and data collected by an agent separately. If you are scanning the same server with an agent as well, the following action can be taken (in the case of Rapid7 InsightVM):
You can enable complementary scanning (i.e. the scanner will skip authenticated checks wherever an agent is installed).
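To make the behaviour described above concrete, here is a small model of how a VM database ends up with orphan findings. This is an added example, not code from this post or from Rapid7 or Qualys: the asset name, vulnerability IDs and the "scanner"/"agent" source labels are constructed, and the rules are a simplification of how such tools keep scanner and agent data apart.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    source: str       # "scanner" or "agent"; the VM tool keeps these records apart
    needs_auth: bool  # True if the check can only be evaluated with credentials

@dataclass
class ScanRun:
    asset: str
    source: str
    authenticated: bool
    detected: frozenset  # vuln_ids this run actually found (constructed)

def apply_run(db: dict, run: ScanRun) -> dict:
    """Return a new status map after one scan run.

    db maps Finding -> "active" | "remediated" | "orphan".  Only findings from
    the same asset AND the same data source are touched, and a finding that
    needs credentials can only be confirmed or cleared by an authenticated run;
    otherwise its status becomes unknown ("orphan").  New detections are out of
    scope for this model.
    """
    new = dict(db)
    for f in db:
        if f.asset != run.asset or f.source != run.source:
            continue  # agent data never closes scanner findings and vice versa
        if f.needs_auth and not run.authenticated:
            new[f] = "orphan"  # unauthenticated scan cannot re-evaluate this check
        else:
            new[f] = "active" if f.vuln_id in run.detected else "remediated"
    return new

def purge_source(db: dict, asset: str, source: str) -> dict:
    """Manual purge of one asset's data from one source (the other remedy in the post)."""
    return {f: s for f, s in db.items() if not (f.asset == asset and f.source == source)}

def demo() -> list:
    """Walk through the scenario from the post; returns the auth-only finding's status after each run."""
    f_auth = Finding("srv01", "vuln-auth-001", "scanner", needs_auth=True)
    f_remote = Finding("srv01", "vuln-remote-002", "scanner", needs_auth=False)
    db = {f_auth: "active", f_remote: "active"}          # state after the authenticated scan
    runs = [
        ScanRun("srv01", "scanner", False, frozenset()),  # auth scans stopped, host patched
        ScanRun("srv01", "agent", True, frozenset()),     # agent installed, sees nothing
        ScanRun("srv01", "scanner", True, frozenset()),   # authenticated scan re-enabled
    ]
    history = []
    for run in runs:
        db = apply_run(db, run)
        history.append(db[f_auth])
    return history  # ["orphan", "orphan", "remediated"]
```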
Please refer to the URLs below for more details:
In the case of Rapid7:
https://docs.rapid7.com/insightvm/using-the-insight-agent-with-insightvm/
In the case of Qualys:
https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/host_assets/agent_merge_data.htm
Happy Learning !!