Symantec Control Compliance Suite for Vulnerability Manager (CCS VM) scans against Microsoft Windows with Adobe products installed are returning old Adobe versions as vulnerabilities when those Adobe products are not installed
Article: TECH189480 | Created: 2012-05-23 | Updated: 2013-08-27 | Article URL: http://www.symantec.com/docs/TECH189480
False positive results for Adobe products and versions
Red Hat Enterprise Linux 5
When Adobe products install updates with new versions, they occasionally relocate their registry entries to a new location. The old registry entries are not removed. When CCS VM scans one of these IP devices, it looks in the registry to find the vulnerability. It then finds the old registry values and flags them as a vulnerability, even though the result is a false positive.
There are three possibilities:
1.) Scrub the target IP device of old Adobe registry values.
The file /opt/Symantec/CCSVM/plugins/java/1/WindowsScanner/1/windows-adobe.clp
contains information such as:
" (if (eq (call ?j_adobeProductName indexOf "Adobe") 0)
then (bind ?j_adobeVersion (winreg-read-string ?j_service
; Product DisplayName
; Adobe Reader 6.x - 9.x: "Adobe Reader 9.4.4"
; Adobe Reader 9.x MUI: "Adobe Reader 9.3.0 MUI"
; Adobe Reader 10: "Adobe Reader X"
; Adobe Reader 10 MUI: "Adobe Reader X MUI"
; Adobe Reader 10.x: "Adobe Reader X (10.0.1)"
; Adobe Reader 10.x MUI: "Adobe Reader X (10.0.1)
This information can then be used to help locate registry entries for older
versions of the product.
2.) Create a scan template that removes older Adobe version checks.
3.) Add exceptions to the results to ignore older Adobe version checks.
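For option 1, the following is an added example (not Symantec code and not part of the original article) that parses the DisplayName formats listed in the windows-adobe.clp comments and lists entries older than the newest one per product as candidates for review. It assumes the names were exported from the target with `reg query` against the Windows Uninstall key, which the article does not name; the sample output and its key names are constructed, and "newest entry is the installed one" is a heuristic to confirm before deleting anything.

```python
import re
from collections import defaultdict

# Constructed sample of `reg query <Uninstall key> /s /v DisplayName` output.
# The key names are placeholders, not real product GUIDs.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{PLACEHOLDER-0001}
    DisplayName    REG_SZ    Adobe Reader 9.4.4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{PLACEHOLDER-0002}
    DisplayName    REG_SZ    Adobe Reader X (10.0.1)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{PLACEHOLDER-0003}
    DisplayName    REG_SZ    Adobe Reader X

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{PLACEHOLDER-0004}
    DisplayName    REG_SZ    Contoso Viewer 2.0
"""

VALUE_RE = re.compile(r"^\s+DisplayName\s+REG_SZ\s+(.+?)\s*$")
# Formats from the .clp comments: "Adobe Reader 9.4.4", "Adobe Reader 9.3.0 MUI",
# "Adobe Reader X", "Adobe Reader X MUI", "Adobe Reader X (10.0.1)".
NAME_RE = re.compile(
    r"^(Adobe [A-Za-z ]+?) (?:(\d+(?:\.\d+)*)|X(?: \((\d+(?:\.\d+)*)\))?)(?: MUI)?$")

def parse_version(display_name):
    """Return (product, version tuple), or None if not a recognised Adobe name."""
    m = NAME_RE.match(display_name)
    if not m:
        return None
    product, dotted, x_dotted = m.groups()
    text = dotted or x_dotted or "10"  # a bare "X" is treated as version 10
    return product, tuple(int(p) for p in text.split("."))

def stale_candidates(reg_output):
    """List (key, DisplayName) entries older than the newest one per product."""
    by_product, key = defaultdict(list), None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif (m := VALUE_RE.match(line)) and (parsed := parse_version(m.group(1))):
            by_product[parsed[0]].append((parsed[1], key, m.group(1)))
    stale = []
    for entries in by_product.values():
        newest = max(e[0] for e in entries)
        stale += [(k, name) for ver, k, name in sorted(entries) if ver < newest]
    return stale

if __name__ == "__main__":
    for key, name in stale_candidates(SAMPLE):
        print(f"review: {name!r} at {key}")
```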