Risk Automation Suite is reporting false positives from the OVAL content

Article:TECH176546  |  Created: 2011-12-08  |  Updated: 2012-09-05  |  Article URL http://www.symantec.com/docs/TECH176546
Article Type
Technical Solution


Environment

Issue



Risk Automation Suite is reporting false positives from the OVAL content


Solution



Gather and provide the following information to support:

1.       Vulnerability title
2.       Vulnerability CVE id
3.       OVAL ID and version
4.       Operating System: type, version, platform, SP level
5.       RAS version
6.       PolicyEvaluator log (debug version) for the affected host(s)
 
Steps for generating PE log in debug:
 
1.       Verify the total OVAL content updates. If it’s not, please install the latest updates before proceeding to the next step. Restart IIS if new content was imported manually
2.       Verify if the false positive is present
3.       Perform a configuration scan for one of the affected hosts (same one from the step 2)
4.       Rename the current PE log
5.       Run from the command prompt:
          Policyevaluator.exe -d -analyzenow -host  <Host_ID>
6.       Verify if the false positive is still present
7.       Compress and send support the Policy Evaluator log
After providing this the false positive will be analyzed and updated content may be provided.

Here are the steps to apply the content fix if one is provided:

1.      Verify the total OVAL content updates. If the number of OVAL updates is not current, please install the latest updates before proceeding to the next step.
2.      Verify the false positive is still present
3.      If the false positive is still present import the corrected OVAL file from support
4.      Restart IIS
5.      Perform a configuration scan for one of the affected hosts (use the same one from step 2)
6.      Rename the current PE log
7.      Run the following from the command prompt:
         Policyevaluator.exe -d -analyzenow -host  <Host_ID>
8.      If the false positive is still present compress and send the PE log to support
 




Article URL http://www.symantec.com/docs/TECH176546


Terms of use for this information are found in Legal Notices