- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-19-2022 12:55 AM
Hello,
a client has several VIs that have been reopened by the VR System after being Closed so I'd just like to ask about the following scenario that occurred:
- VI is Deferred by a user
- VI is Closed (Substate is Fixed) by VR System
- Detection Last Found is updated
- VI is Opened by VR System (I assume based on the update of the Detection last found date)
And my questions are whether that's how it's supposed to work OOTB? I mean, shouldn't a new Detection record be created instead of updating the old one?
Also, they don't like a Closed VI to be reopened - what is reopening the VIs, I'd say it's the scanner (they use Qualys) but could it be something else?
Thank you in advance, guys.
Patrik
Solved! Go to Solution.
- Labels:
-
Vulnerability Response
- 2,417 Views
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-19-2022 04:51 PM
Hey Patrik,
On their own, VR's reaction to each scanner result seem reasonable:
- A VI is Closed when the scanner indicates that it has been remediated
- A Closed VI is reopened when the scanner indicates that the situation exists again
The end result is frustrating, a VI that should be Deferred ends up as Open. This is probably an edge case that will not happen very often but you can request an enhancement if you feel it is warranted.
The code where VR makes the determination on reopening a VI is in Script Include DetectionBase. Basically, if the VI State/Substate is Closed/Fixed or Closed/Stale or Resolved, it is reopened.
Regarding the question of creating a new VI vs. reopening the existing one, you can probably make a case for either option. I think that having all of the detections in one VI may help to keep track of the Close/Reopen cycle and help figure out why it is occurring.
I hope that this helps,
--Joe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-19-2022 04:51 PM
Hey Patrik,
On their own, VR's reaction to each scanner result seem reasonable:
- A VI is Closed when the scanner indicates that it has been remediated
- A Closed VI is reopened when the scanner indicates that the situation exists again
The end result is frustrating, a VI that should be Deferred ends up as Open. This is probably an edge case that will not happen very often but you can request an enhancement if you feel it is warranted.
The code where VR makes the determination on reopening a VI is in Script Include DetectionBase. Basically, if the VI State/Substate is Closed/Fixed or Closed/Stale or Resolved, it is reopened.
Regarding the question of creating a new VI vs. reopening the existing one, you can probably make a case for either option. I think that having all of the detections in one VI may help to keep track of the Close/Reopen cycle and help figure out why it is occurring.
I hope that this helps,
--Joe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-24-2022 10:39 AM
Hi Patrik. We are going through the same issue with Qualys reopening closed VIs. It is very frustrating for the customer.
-Chris
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-02-2022 12:41 PM
We had this issue in December 2021. and then our team had resolved it or atleast found a reasonable explanation. Will check with my team and revert.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-11-2023 01:34 AM
Hi Ramesh,
could you provide more info on how your team has resolved this issue?
Any points would be appreciated,
Thankyou