Sentinel: Difference between full and partial vulnerability scan.

  • 3075515
  • 03-Nov-2006
  • 26-Apr-2012

Environment

Microsoft Windows Server 2003 Standard Edition
Microsoft Windows 2000 Server
RedHat Linux
Solaris 9
Sentinel 5.1.x

Situation

Difference between full and partial vulnerability scan.

Resolution

The FULL and PARTIAL scan settings affect only how vulnerabilities are automatically expired in the Database.

FULL – Assumes all ports on a particular IP Address were scanned, but does not assume that all IP Addresses were scanned.

PARTIAL – Assumes that only some ports on a particular IP Address were scanned. This also does not assume that all IP Addresses were scanned.

If the scan is a FULL scan, all vulnerabilities currently associated with an IP Address that is present in that scan data that do not match vulnerabilities in the current scan are expired (the END_EFFECTIVE_DATE column in the VULN table is set to the scan date). Matching vulnerabilities are updated with the data in the current scan’s vulnerability. New vulnerabilities are added and the resource is saved.

If the scan is a PARTIAL scan, the back end identifies all the port-protocol combinations that were scanned. It then expires all vulnerabilities for port-protocols that were scanned that do not match vulnerabilities in the current scan. Matching vulnerabilities are updated with the data in the current scan’s vulnerability. New vulnerabilities are added and the resource is saved.

Uploading scan data will only expire vulnerabilities in the Database that are associated with the same SCANNER_INSTANCE that is set for the scan data currently being uploaded. The SCANNER_INSTANCE is a parameter of the Agent.

Scan #1

The vulnerabilities reported in this scan:

IP          Port   Protocol   Vuln Id
10.0.0.1    80     TCP        A
10.0.0.1    80     TCP        B
10.0.0.1    21     TCP        C
10.0.0.2    80     TCP        A

The state of the vulnerabilities in the database after uploading the scan (FULL or PARTIAL, it doesn’t matter because there exist no vulnerabilities to expire):

IP          Port   Protocol   Vuln Id   Expired?
10.0.0.1    80     TCP        A         No
10.0.0.1    80     TCP        B         No
10.0.0.1    21     TCP        C         No
10.0.0.2    80     TCP        A         No

Scan #2

The vulnerabilities reported in this scan:

IP          Port   Protocol   Vuln Id
10.0.0.1    80     TCP        A
10.0.0.1    21     TCP        C
10.0.0.3    80     TCP        A
10.0.0.2    21     TCP        C

The state of the vulnerabilities in the database after uploading the scan (if Scan #2 was set to be a FULL scan case):

IP          Port   Protocol   Vuln Id   Expired?
10.0.0.1    80     TCP        A         No
10.0.0.1    80     TCP        B         Yes
10.0.0.1    21     TCP        C         No
10.0.0.2    80     TCP        A         Yes
10.0.0.2    21     TCP        C         No
10.0.0.3    80     TCP        A         No

The state of the vulnerabilities in the database after uploading the scan (if Scan #2 was set to be a PARTIAL scan case):

IP          Port   Protocol   Vuln Id   Expired?
10.0.0.1    80     TCP        A         No
10.0.0.1    80     TCP        B         Yes
10.0.0.1    21     TCP        C         No
10.0.0.2    80     TCP        A         No
10.0.0.2    21     TCP        C         No
10.0.0.3    80     TCP        A         No

After Scan #2, vulnerability A on 10.0.0.2 port 80 is not expired in the PARTIAL scan case because Scan #2 contained no data for 10.0.0.2 port 80. It is expired in the FULL scan case because Scan #2 contained data for some port on 10.0.0.2, and since a FULL scan assumes all ports on a particular IP were scanned, the back end assumes vulnerability A on 10.0.0.2 port 80 no longer exists.
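The expiry rules above, modelled as an added example that reproduces the Scan #1 / Scan #2 tables (this is illustrative code, not Sentinel's own back end). It assumes a VULN table reduced to one row per finding plus SCANNER_INSTANCE and END_EFFECTIVE_DATE, and that a finding which reappears after being expired is stored as a new row; the scanner instance names and scan dates are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    proto: str
    vuln_id: str

@dataclass
class VulnRow:  # one row of the VULN table; END_EFFECTIVE_DATE None means still active
    finding: Finding
    scanner_instance: str
    end_effective_date: Optional[str] = None

def upload_scan(db: list, scan: list, scan_date: str, scanner_instance: str, full: bool) -> None:
    current = set(scan)
    scanned_ips = {f.ip for f in scan}
    scanned_port_protos = {(f.ip, f.port, f.proto) for f in scan}
    for row in db:
        # Only active rows from the same SCANNER_INSTANCE are candidates for expiry.
        if row.end_effective_date is not None or row.scanner_instance != scanner_instance:
            continue
        f = row.finding
        if full:
            in_scope = f.ip in scanned_ips                              # all ports of a scanned IP
        else:
            in_scope = (f.ip, f.port, f.proto) in scanned_port_protos   # only scanned port-protocols
        if in_scope and f not in current:
            row.end_effective_date = scan_date
    # Matching active rows are kept (the real back end refreshes their data); the rest are new.
    active = {r.finding for r in db
              if r.end_effective_date is None and r.scanner_instance == scanner_instance}
    db.extend(VulnRow(f, scanner_instance) for f in scan if f not in active)

# Constructed input: the two scans from the article.
SCAN_1 = [Finding("10.0.0.1", 80, "TCP", "A"), Finding("10.0.0.1", 80, "TCP", "B"),
          Finding("10.0.0.1", 21, "TCP", "C"), Finding("10.0.0.2", 80, "TCP", "A")]
SCAN_2 = [Finding("10.0.0.1", 80, "TCP", "A"), Finding("10.0.0.1", 21, "TCP", "C"),
          Finding("10.0.0.3", 80, "TCP", "A"), Finding("10.0.0.2", 21, "TCP", "C")]

def expired_after_scan2(full: bool, scan2_instance: str = "scanner-1") -> set:
    """Upload Scan #1 then Scan #2 and return the findings whose rows were expired."""
    db: list = []
    upload_scan(db, SCAN_1, "2006-11-01", "scanner-1", full)   # dates are constructed
    upload_scan(db, SCAN_2, "2006-11-02", scan2_instance, full)
    return {r.finding for r in db if r.end_effective_date is not None}
```

Running Scan #2 under a different SCANNER_INSTANCE expires nothing, which is the behaviour described for uploads from another Agent.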