McAfee Vulnerability Manager 7.0.1

Transcription

1 McAfee Vulnerability Manager The McAfee Vulnerability Manager quarterly release brings important functionality to the product without having to wait for the next major release. This technical note contains information about new features since McAfee Vulnerability Manager 7.0. Note: McAfee Vulnerability Manager provides context-sensitive help. For this quarterly release, there are no updates to the online help files. Clicking on a help icon for an existing feature with new functionality will not include information for the new features. What's new The new features for this quarterly release include vulnerability sets, viewing port numbers in reports, and some new configuration manager preferences. Vulnerability sets (page 1) Create a vulnerability set to target which vulnerabilities to scan for and generate reports for. Ports in reports (page 8) For general vulnerabilities and web FSL checks, the port number, service, and protocol are now included in the Vulnerability Details and Vulnerabilities by IP report sections. Configuration manager preferences (page 9) A scan controller configuration tab and a scan engine configuration tab have been added to the configuration manager Preferences dialog box. Using vulnerability sets Create a vulnerability set and add the vulnerabilities that are important to your organization. You can add a vulnerability set to a scan configuration or asset report, modify the vulnerability set, and have those updated vulnerability selections applied to all scan configurations using the vuln set. You can add one vulnerability set to a scan configuration or an asset report template. When adding vulnerabilities to a set, you can select the vulnerabilities from a tree structure, or you can create rules for selecting vulnerabilities.

2 Only organization and workgroup administrators can create vulnerability sets. Administrators above the vulnerability set creator can modify, duplicate, or delete the vulnerability set. Administrators below the set creator can only view or duplicate the vulnerability set. Tree Based Select vulnerabilities from a list of vulnerabilities. View vulnerabilities by type (Display By) or search for them (Search By). Rule Based Select criteria in the rule editor for selecting vulnerabilities. Click Preview Rules to see which vulnerabilities are selected based on your rules. Creating a vulnerability set using the vuln tree Select vulnerabilities from the vuln tree when you want to include specific vulnerabilities in your scan configurations and asset reports. A vuln tree based vulnerability set works the same as the vuln tree in a scan configuration. All vulnerability categories are set to not use new vulnerability checks each time the scan is run. You can modify this using advanced settings so new vulnerability checks are used each time the scan is run. 2 Click Create New. 3 Type a name for the vulnerability set. Typing a description is optional. 4 Select Tree Based for the Type, then click Next. 5 Select vulnerabilities from the tree. You can also use the Display By list or use Search to find vulnerabilities. 6 Click Advanced, then select Run New Checks for any vulnerabilities you want the scan configuration to check for updates on every time the scan is run. 7 Click Save. 2

3 Vuln tree options The following table describes the options available for use in the Vuln Tree. Vulnerability tree options Display by Changes the way the vulnerability checks are displayed on this page: Category - Displays the vulnerability checks in categories. Vulnerability check categories fall into two important categories: Intrusive - these checks are likely to interfere with the host's normal operating behavior. Some intrusive checks can cause a denial-of-service condition or require that the host be restarted. If you enable Intrusive checks, monitor the devices both during and after the scan to ensure they are performing as anticipated. Non-Intrusive - these checks do not affect the host being scanned. MS Number - sorts and categorizes the vulnerability checks according to the Microsoft Security Bulletin numbers. Risk Level - sorts and displays the vulnerability checks according to their risk level: Informational, Low, Medium, and High. CVE - sorts and categorizes the vulnerability checks according to their CVE numbers. Warning: When displaying vulnerability checks by CVE Number or Risk Rating, the intrusive checks and nonintrusive checks are combined. Selecting entire CVE Number or Risk Rating categories will result in selecting a mixture of intrusive and non-intrusive checks. Search by Select the data you want to search on: Name Search through vulnerability check names. CVE Number Search for a specific CVE number Risk Level Select a risk level: High, Medium, Low, or Informational. Enter the criteria you want to search, based on your Search by selection. 3

4 Creating a vulnerability set using rules Create rules when you want to include all vulnerabilities that meet a set of criteria. Rules are evaluated at scan time. New checks are automatically added if they match the rules defined in a rule-based vulnerability set when the scan configuration using this set runs. Note: In Microsoft Internet Explorer, the internet security settings for Internet and Local Internet must be set to default for the rule pop-up window to display. 2 Click Create New. 3 Type a name for the vulnerability set. Typing a description is optional. 4 Select Rule Based for the Type. 5 Click the Rules tab. The rule "Intrusive equals No" is added by default, which means only non-intrusive vulnerability checks will be added to the scan configuration. 6 Click Add Condition or Add Nest Condition. Add Condition Add a condition at the current level in the hierarchy. Add Nested Condition Create a new condition on a new child-level in the hierarchy. Nested conditions share the same operator. 7 Select a condition type from the list. 8 Select criteria for the condition. 9 Click Set Condition. 10 Click Preview to view the vulnerability tree, with the vulnerabilities selected based on the conditions of your rules. 11 Click Save. 4

5 Vuln rule options The following table describes the conditions available for use in the Vuln Set rule editor. Vuln rule options Category CVE Number CWE Intrusive Module MS Number Risk Select an operator (equals or does not equal), then type the category name. As you type the name, a list appears. Select a category from the list or type out the full category name. Select an operator (contains or does not contain), then type a CVE string. This will include or exclude the vulnerabilities associated with the CVE string. Type a CWE and select to include or exclude the vulnerabilities associated with the CWE. Select to include intrusive or non-intrusive vulnerability checks. Select to include or exclude vulnerabilities based on a module (General Vulnerability, Windows Host, Wireless, Shell, or Web). Type an MS number and select to include or exclude vulnerabilities associated with the MS number. Select a risk level and condition to include vulnerabilities that match the condition. Specific Vulnerability Type a vulnerability and select to include or exclude the vulnerability. Vulnerability Name Enter a vulnerability name, and set whether to include or exclude this name. Vulnerability Severity Select the vulnerability severity level(s), and set whether to include or exclude the severity level. 5

6 Modifying a vulnerability set You can add or remove vulnerabilities from a set, and those changes will affect any scan configurations and asset report templates using it. This allows you to quickly modify the vulnerabilities you are scanning and reporting on. You can also change the type, like from tree based to rule based. This allows you to change the vulnerability set for multiple scan configurations and asset report templates in one location. Note: Changing the vulnerability set type erases any vuln tree selections or rules created. 2 Click View/Edit. 3 Select the Vuln Tree tab if the set is Tree Based. Select the Rules tab if the set is Rules Based. 4 Add or remove vulnerabilities (tree based) or rules (rules based) from the set. 5 Click Save. Duplicating a vulnerability set Duplicating a vulnerability set allows you to use an existing set as a starting point, and then modify the set as needed. 2 Click View/Edit. 3 Click Save As. A message appears. 4 Click OK. A duplicate set is created and Copy Of is added to the name. 5 Type a new name for the vulnerability set. Typing a description is optional. 6 Depending on the type, either add vulnerabilities using the Vuln Tree or add rules using the Rules editor. 7 Click Save. Deleting a vulnerability set You can delete vulnerability sets that are no longer needed. Before you can delete a vulnerability set, you must remove it from all scan configurations and asset report templates. 2 Click Delete. A confirmation message appears. 3 Click OK. 6

7 Adding a vulnerability set to a scan configuration After creating a vulnerability set, you can add it to your scan configurations. Create a new scan configuration, or edit an existing one, and go to the Settings tab. There is a radio button that enabled using Vulnerability Sets. Select the option and start typing the name of a vulnerability set. A list of vulnerability sets appears based on what is being typed. This list displays the first 20 matching entries. Select a vulnerability set. If you want to preview which vulnerabilities are included in the vulnerability set, click Preview. The vulnerability tree is updated with the vulnerabilities selected in the set. Note: A set might contain vulnerability checks that require credentialed access to the system being scanned. If necessary, include credentials on the Settings page of a scan configuration. If you want to change the vulnerability set being used, edit the scan configuration and select a different vulnerability set. If you do not want to use the vulnerability set, select Do not use a Vuln Set. You can then select vulnerabilities for the scan configuration. Adding a vulnerability set to an asset report When creating an asset report template, you can include a vulnerability set on the Asset Filter tab and the Sections tab. Adding a vulnerability set on the Asset Filter tab will include the assets that are vulnerable to one or more of the vulnerabilities specified in the set. Adding a vulnerability set on the Sections tab will only include vulnerabilities from the set in the asset report. If you want to change the vulnerability set being used, edit the asset report template and select a different vulnerability set. 1 On the Asset Filter tab for an asset report template, click Add Condition or Add Nested Condition. 2 Select Vulnerability (Vuln Set) from the list. The only operator available is contained in. 3 Type the name of the vulnerability set. As you type, a list of sets appears. You can type the full name of the set or select one from the list. Note: The vulnerability set list displays the first 20 matching entries. 4 Click Set Condition. 5 On the Sections tab, select Vulnerability Assessment. 6 Click Select Vulnerabilities. 7 Select the Vuln Set radio button, then select a vulnerability set. 8 Click OK. 9 Save your asset report template. 7

8 Checking for vulnerability sets in use Before a vulnerability set can be deleted, the set must be removed from any scan configuration or asset report template using it. If a vulnerability set is in use, the Delete button is not available. 2 If the vulnerability set is being used, click Yes under In Use. View the list of scan configurations and asset report template using the vulnerability set. Note: This list only displays scan configurations and asset report templates that you have access to. A warning message displays if there are scan configurations or asset report templates using this set that you do not have access to. Ports in reports For scan reports and asset reports, the Vulns By IP and Vulnerability Details report pages display the port number, protocol, and service name a vulnerability is discovered on. This information will appear in HTML, PDF, XML, and CSV reports. General, Windows, Shell, Wireless, and Web FSL vulnerabilities will display the port, protocol, and service name information. You can search for a port number on the Vulns By IP and Vulnerability Details report pages. The service name and protocol are not searchable. Reports generated before the upgrade will not display the ports. Reports generated from scan configurations run before the upgrade will not display the ports. You must rerun your scan configurations and then generate your reports for the port information to display. Enabling non-standard ports in a scan configuration If you are running services on custom ports, make sure detecting services running on non-standard ports is enabled in the scan configuration and that the proper services are selected. 1 Create a new scan configuration or edit an existing one. 2 Select Services on the Settings tab. 3 Click Advanced Options. 4 Make sure Detect services running on non-standard ports is selected. 5 Select a service under Available Services, then click >> to add it to the Selected Services list. 6 Click Close, then click Save. 8

9 Configuration manager preferences The configuration manager has two new tabs in the Preferences dialog box, the Scan Controller tab and the Scan Engine tab. The scan controller tab allows you to change the maximum number of connections allowed for a scan controller. The scan engines tab allows you to change the amount of time the scan engine will wait for a response before terminating the post operation. Note: When adding a new scan controller or scan engine to an existing McAfee Vulnerability Manager deployment, you must reapply the configuration manager settings for the new components. Specifying scan controller preferences The Max Database Connection Pool value is the maximum number of concurrent connections a scan controller can make to the database. If the server running your database exceeds the minimum system requirements, you can adjust this number to improve product performance. 1 In the configuration manager, select Tools Preferences. 2 Select the Scan Controller tab. 3 Type the maximum number of connections allowed for all connected scan controllers. If a scan controller is offline, this change will not affect that scan controller. Note: Zero is not a valid number for the Max Database Connection Pool. 4 Click Apply. Specifying scan engine preferences You can set the maximum amount of time allowed for a post operation to get a response before it is timed out by the scan engine. There is an initial timeout value and two retry timeout values. 1 In the configuration manager, select Tools Preferences. 2 Select the Scan Engine tab. 3 Type a value for the Initial timeout, First retry, and Second retry. The values must be between one and 600. The first retry value must be greater than the initial timeout, and the second retry value must be greater than the first retry timeout. 4 Click Apply. 9

10 Known issues Known issues in this release of the software are described below: If you are working with McAfee Vulnerability Manager and epolicy Orchestrator, web application assets are not imported into epolicy Orchestrator through Rogue System Detection (RSD). This means users with access to McAfee Vulnerability Manager information but no RSD permissions can still query and view McAfee Vulnerability Manager web application asset information. To restrict access to web application asset information, users should not have McAfee Vulnerability Manager permissions in epolicy Orchestrator. This quarterly release provides updates to the database. Synchronizing data from McAfee Vulnerability Manager to will work. Synchronizing data from McAfee Vulnerability Manager to will not work. Adding a vulnerability set to a Quick Scan configuration causes future Quick Scans to not function properly. 10