Symantec Control Compliance Suite for Vulnerability Manager (CCS VM) scans against Microsoft Windows with Adobe products installed are returning old Adobe versions as vulnerabilities when those Adobe products are not installed

Article:TECH189480  |  Created: 2012-05-23  |  Updated: 2013-08-27  |  Article URL http://www.symantec.com/docs/TECH189480
Article Type
Technical Solution


Issue



Symantec Control Compliance Suite for Vulnerability Manager (CCS VM) scans against Microsoft Windows with Adobe products installed are returning old Adobe versions as vulnerabilities when those Adobe products are not installed.


Error



False positive results for Adobe products and versions


Environment



Red Hat Enterprise Linux 5


Cause



When Adobe products install updates to new versions, they occasionally
relocate their registry entries to a new location. The old registry entries are
not removed. When CCS VM scans one of these IP devices, it looks in the
registry to find the vulnerability. The old registry values are then found and
flagged as a vulnerability, even though the result is a false positive.


Solution



There are three possibilities:
1.) Scrub the target IP device of old Adobe registry values.
The file /opt/Symantec/CCSVM/plugins/java/1/WindowsScanner/1/windows-adobe.clp
contains information such as:

    (if (eq (call ?j_adobeProductName indexOf "Adobe") 0)
     then (bind ?j_adobeVersion (winreg-read-string ?j_service
                                 ?jk_productSubKey "DisplayVersion"))
    ; Product DisplayName
    ; Adobe Reader 6.x - 9.x: "Adobe Reader 9.4.4"
    ; Adobe Reader 9.x MUI: "Adobe Reader 9.3.0 MUI"
    ; Adobe Reader 10: "Adobe Reader X"
    ; Adobe Reader 10 MUI: "Adobe Reader X MUI"
    ; Adobe Reader 10.x: "Adobe Reader X (10.0.1)"
    ; Adobe Reader 10.x MUI: "Adobe Reader X (10.0.1) MUI"

This can then be used to help locate registry entries for older
versions of the product.

2.) Create a scan template that removes older Adobe version checks.

3.) Add exceptions to the results to ignore older Adobe version checks.
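
For option 1, one way to list the Adobe entries on a target so that leftovers from older versions can be reviewed. This PowerShell is an added example, not part of the Symantec article or the CCS VM product; the Uninstall registry paths and the InstallLocation check are assumptions, since the article does not say which keys windows-adobe.clp reads.

```powershell
# Added example: run on the scanned Windows target, from an elevated prompt.
# Assumption: the product subkeys live under the standard Uninstall keys.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entries = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue

        # Same test as the .clp excerpt: DisplayName must start with "Adobe".
        if ($p.DisplayName -cnotlike 'Adobe*') { continue }

        $loc = $p.InstallLocation
        [pscustomobject]@{
            DisplayName     = $p.DisplayName
            DisplayVersion  = $p.DisplayVersion
            InstallLocation = $loc
            # False when no install folder is recorded or the folder is gone.
            # Treat as a candidate for review, not proof the entry is stale.
            FilesPresent    = [bool]($loc -and (Test-Path -LiteralPath $loc))
            RegistryKey     = $key.Name
        }
    }
}

# Read-only report: nothing is deleted. Compare the versions listed here
# with the versions flagged in the CCS VM scan results.
$entries |
    Sort-Object DisplayName, DisplayVersion |
    Format-List DisplayName, DisplayVersion, InstallLocation, FilesPresent, RegistryKey
```

Export the reported key before removing it, then rescan the device to confirm the finding clears.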



