McAfee Preventsys 2.7 Product Guide

Product Guide
McAfee Preventsys Risk Analyzer and
Compliance Auditor
version 2.7
McAfee®
Network Protection
Industry-leading vulnerability detection and remediation solutions
COPYRIGHT
Copyright © 2007 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any
means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARKS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED
N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD,
INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE
VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, PREVENTSYS,
SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN,
WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other
countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the
sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH
SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF
LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT
ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE
ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT
AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE
PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
This product includes the distribution of third-party or open source code, which may be subject to the terms of different license agreements. Refer to the
oss_licensing.txt file included with this product distribution.
Contents
Chapter 1 Welcome to Preventsys ............................................................................ 9
Contacting Technical Support ............................................................................. 10
Chapter 2 Getting Started ..................................................................................... 11
The Basics .......................................................................................................... 11
About Preventsys System Components............................................................. 13
Configuring Your Web Browser.......................................................................... 14
Using Certificates from Third-Party CAs ............................................................. 21
Generate a Key Pair and CSR Using Java Keytool ....................................... 21
Import an Existing Private Key..................................................................... 21
Generate Key Pairs Using OpenSSL............................................................ 22
Importing Certificates .................................................................................. 23
Accessing the Preventsys Administrative Client ................................................ 23
Configuring the Web Session Timeout............................................................... 25
Configuring the Threat Feed Manager Proxy ...................................................... 26
Navigating Preventsys ........................................................................................ 26
Main Menu .................................................................................................. 26
Pagination Controls ..................................................................................... 26
Table Sorting ............................................................................................... 27
Saving as PDF ............................................................................................. 27
Version and Node Information..................................................................... 27
Reporting Errors ................................................................................................. 28
Chapter 3 Assessment Servers ............................................................................. 30
Managing Assessment Servers.......................................................................... 31
Adding Assessment Servers ....................................................................... 31
Editing Assessment Servers ....................................................................... 32
Disabling and Enabling Assessment Servers............................................... 32
Deleting Assessment Servers ..................................................................... 33
Managing Instance Configurations ..................................................................... 33
Affinity and Weight...................................................................................... 33
Adding Instance Configurations................................................................... 35
Editing Instance Configurations................................................................... 36
Deleting Instance Configurations ................................................................ 37
Chapter 4 User Authentication .............................................................................. 38
Local and Remote Authentication....................................................................... 38
Connecting to an Active Directory Server.................................................... 38
Chapter 5 User Authorization ................................................................................ 40
About the Super User Group and Preventsys User ............................................ 41
Managing Groups ............................................................................................... 41
Content Inheritance ..................................................................................... 41
About Resources and Permission ............................................................... 43
Adding Groups............................................................................................. 55
Editing Groups............................................................................................. 56
Deleting Groups .......................................................................................... 56
Adding and Removing Users from Groups .................................................. 56
Managing Users ................................................................................................. 57
About Passwords ........................................................................................ 59
Adding Local User Accounts ....................................................................... 59
Adding Remote User Accounts ................................................................... 60
Editing User Accounts ................................................................................. 62
Deleting User Accounts............................................................................... 63
Editing Your User Information ..................................................................... 63
Chapter 6 Assets and Networks ............................................................................ 65
Managing Assets................................................................................................ 65
Declared versus Discovered Asset Data ..................................................... 66
Adding an Asset .......................................................................................... 67
Editing an asset ........................................................................................... 68
Deleting an Asset ........................................................................................ 69
Managing Host Properties .................................................................................. 69
Adding a Host Property ............................................................................... 71
Editing a Host Property................................................................................ 71
Deleting a Host Property ............................................................................ 72
Managing Services ............................................................................................. 72
Adding a Service.......................................................................................... 76
Editing a Service.......................................................................................... 76
Deleting a Service ....................................................................................... 77
Managing Exclusion Lists ................................................................................... 77
Adding an Exclusion List.............................................................................. 78
Making an Exclusion List Global .................................................................. 79
Editing an Exclusion List.............................................................................. 80
Deleting an Exclusion List ........................................................................... 81
Managing Networks ........................................................................................... 81
Network Hierarchy ...................................................................................... 82
Network Properties ..................................................................................... 82
Network Group Auto-Create Option ............................................................ 82
Time Windows ............................................................................................ 83
Adding a Network........................................................................................ 84
Editing a Network........................................................................................ 85
Deleting a Network ..................................................................................... 85
Managing Network Properties............................................................................ 86
Adding a Network Property ......................................................................... 87
Deleting a Network Property ....................................................................... 88
Managing Network Groups................................................................................. 88
Adding a Network Group ............................................................................. 89
Editing a Network Group ............................................................................. 90
Deleting a Network Group........................................................................... 90
Importing Asset and Network Data Files ............................................................ 91
Supported File Formats ............................................................................... 91
Importing Multiple Files............................................................................... 92
Data Creation and Modification ................................................................... 92
Importing Using the Administrative Client................................................... 97
Importing with the Import Utility ............................................................... 100
Importing ePO Asset and Network Data .......................................................... 101
Installing the ePO Extractor....................................................................... 102
Planning For Extraction.............................................................................. 106
Data Selection ........................................................................................... 107
ePO Extractor Options............................................................................... 108
Running the ePO Extractor........................................................................ 114
ePO Extractor Usage Scenarios ................................................................ 115
Chapter 7 Policies and Rules ............................................................................... 117
Configuring Your System for Policy Analysis .................................................... 117
Initial Rule Setup ....................................................................................... 118
Managing PDL Rules ........................................................................................ 118
Deactivating a PDL Rule ............................................................................ 120
Managing Policies............................................................................................. 120
Viewing Policy Details ............................................................................... 121
Viewing Policy Source Documents............................................................ 122
Deactivating a Policy ................................................................................. 123
Importing and Exporting Custom Policies......................................................... 123
Importing a Policy...................................................................................... 124
Exporting a Policy ...................................................................................... 125
Updating the Policy Library ............................................................................... 125
Chapter 8 Assessments and Connectors ............................................................. 128
The Basics ........................................................................................................ 129
Supported Command and Control Connectors ................................................. 130
Managing Connector Configurations ................................................................ 130
Adding a Connector Configuration............................................................. 131
Editing a Connector Configuration............................................................. 132
Deleting a Connector Configuration .......................................................... 133
Managing Assessment Configurations............................................................. 133
Adding an Assessment Configuration ....................................................... 134
Editing an Assessment Configuration ....................................................... 136
Deleting an Assessment Configuration ..................................................... 136
Managing Assessment Schedules ................................................................... 137
Adding an Assessment Schedule.............................................................. 138
Editing an Assessment Schedule .............................................................. 140
Deleting an Assessment Schedule............................................................ 140
Managing Assessments ................................................................................... 140
Viewing Assessment Details..................................................................... 141
Pausing and Resuming an Assessment .................................................... 143
Canceling an Assessment ......................................................................... 144
Hiding and Un-hiding Assessment Statuses.............................................. 144
Deleting Assessments .............................................................................. 144
Understanding the Assessment Lifecycle ........................................................ 146
Network Assessment................................................................................ 147
Fact Indexing ............................................................................................. 147
Analysis ..................................................................................................... 147
Understanding Assessment Status .................................................................. 150
About Partial Results ................................................................................. 151
Importing External Assessment Data ............................................................... 151
Understanding Import Sources and Types ................................................ 151
Supported Sources for Import ................................................................... 153
Additional Import Setup Criteria ................................................................ 154
Determine File Import Order ..................................................................... 154
Specifying an Override Date...................................................................... 154
How Imported Data is Merged and Analyzed............................................ 155
Importing from the Preventsys Administrative Client................................ 156
Importing from the Command Line ........................................................... 158
Viewing the Status of an Import................................................................ 162
Re-Analyzing Assessment Results ................................................................... 162
Re-Analyzing an Assessment's Results..................................................... 163
Viewing the Status of a Re-Analyzed Assessment .................................... 164
Chapter 9 Remediations ...................................................................................... 165
About the Remediation Lifecycle and Workflows............................................. 165
Remediation Status Lifecycle .................................................................... 166
Remediation Workflow Example ............................................................... 167
Assigning Remediation Tasks........................................................................... 169
About Severity........................................................................................... 170
About Priority............................................................................................. 170
About Due Date and Criticality .................................................................. 170
Assigning or Reassigning a Remediation Task .......................................... 172
Bulk Assignment ....................................................................................... 173
Filtering Remediation Tasks ...................................................................... 173
Viewing Different Columns of Data........................................................... 175
Viewing Details about a Remediation ........................................................ 176
Verifying Remediation Tasks ..................................................................... 178
Working with Assignment Rules ...................................................................... 180
Creating an Assignment Rule .................................................................... 180
Editing an Assignment Rule ...................................................................... 182
Ordering Assignment Rules ...................................................................... 182
Deleting an Assignment Rule .................................................................... 182
Updating Remediation Tasks ............................................................................ 183
Updating the Status of a Remediation Task .............................................. 184
Violation Coalescing .................................................................................. 185
Managing External Remediation Systems ........................................................ 185
Adding an External Remediation System .................................................. 186
Editing an External Remediation System................................................... 188
Deleting an External Remediation System ................................................ 188
Managing External Remediation Users ............................................................ 188
Adding an External Remediation User ....................................................... 189
Associating an External Remediation User with a Preventsys User .......... 191
Editing an External Remediation User ....................................................... 192
Deleting an External Remediation User..................................................... 193
Managing External Patch Management Systems............................................. 193
About Automated Patching ....................................................................... 193
Configuring the Hercules Server ............................................................... 194
Installing the Hercules Web Service API ................................................... 197
Configuring the Patch Management System............................................. 199
Sending Requests to a Patch Management System ................................. 201
Chapter 10 Manual Audit Tasks ........................................................................... 203
Managing Manual Audit Tasks.......................................................................... 205
Adding a Manual Audit Task ...................................................................... 206
Editing a Manual Audit Task ...................................................................... 208
Deleting Manual Audit Tasks..................................................................... 209
Updating Manual Audit Tasks ........................................................................... 209
Updating the Status of a Manual Audit Task ............................................. 210
Manual Audit Task Email Notifications ...................................................... 210
Managing Manual Audit Task Recipient Groups ............................................... 210
Adding a Recipient Group.......................................................................... 211
Editing a Recipient Group .......................................................................... 212
Deleting a Recipient Group........................................................................ 212
Understanding Manual Audit Task Rules and Policy Violations......................... 213
Verification of Manual Audit Task Policy Violations ................................... 214
Chapter 11 Security Risk Dashboard .................................................................... 215
Working with the Enterprise Console............................................................... 217
Working with the Exposure Console ................................................................ 218
Working with the Compliance Console ............................................................ 220
Working with the Threat Console ..................................................................... 220
Viewing the Latest Threat Alerts ............................................................... 221
Viewing the Top Threat Alerts ................................................................... 221
Viewing All Threat Alerts ........................................................................... 221
How Threat Alerts Affect Remediation Tasks ........................................... 222
How Severity Is Adjusted By Threat Alerts ............................................... 223
Filtering the List of All Threat Alerts .......................................................... 223
Viewing Different Columns of Data for All Threat Alerts ........................... 225
Viewing Details about a Threat Alert ......................................................... 225
Viewing Assets Details.............................................................................. 230
Working with the Remediation Console ........................................................... 231
Latest Tasks .............................................................................................. 231
My Tasks ................................................................................................... 232
Working with the Assessment Console ........................................................... 232
Managing Enterprise Groups ............................................................................ 233
Creating an Enterprise Group .................................................................... 234
Editing an Enterprise Group....................................................................... 235
Activating and Deactivating an Enterprise Group ...................................... 236
Chapter 12 Reports .............................................................................................. 237
Report Types .................................................................................................... 237
Working with the Report Filter ......................................................................... 239
System Default for the Report Context Filter ............................................ 240
Modifying the Report Context Filter .......................................................... 241
How Preventsys Calculates Compliance .......................................................... 242
Compliance Formulas ................................................................................ 243
Navigating Between Reports............................................................................ 244
Filtering Reports by Asset ................................................................................ 244
Viewing Reports ............................................................................................... 245
Executive Summary Report....................................................................... 245
Enterprise Group Summary Report ........................................................... 249
Administrator Overview............................................................................. 251
Network Group Reports ............................................................................ 252
Network Report......................................................................................... 255
Asset Report ............................................................................................. 257
Chronological View Report ........................................................................ 264
Operating System Report.......................................................................... 264
Task Reports ............................................................................................. 267
Task Recipient Report ............................................................................... 273
Compliance Overview Report.................................................................... 277
Comparative Compliance Report............................................................... 277
Exposure Overview Report ....................................................................... 279
Services Report ......................................................................................... 281
Saving Reports ................................................................................................. 282
Publishing a Report ................................................................................... 282
Viewing Published Reports........................................................................ 283
Deleting Published Reports ....................................................................... 284
Chapter 13 System Updates ................................................................................ 285
Downloading an Update ................................................................................... 285
Uploading and Applying an Update................................................................... 285
About Maintenance Mode......................................................................... 286
Update Failure ........................................................................................... 287
Rolling Back an Update..................................................................................... 287
Appendix A Instance Configurations .................................................................... 289
Third-Party Connector Instance Configurations ................................................ 289
AlterPoint Instance Configurations ................................................................... 290
AppDetective Instance Configurations ............................................................. 291
Configuresoft Instance Configurations ............................................................. 292
DARC Instance Configurations ......................................................................... 293
Retina Instance Configurations......................................................................... 295
FoundScan Instance Configurations ................................................................. 296
To configure FoundScan engines .............................................................. 296
About FoundScan Certificates ................................................................... 298
ISS Internet Scanner Instance Configurations .................................................. 300
ISS SiteProtector Instance Configurations........................................................ 302
MBSA Instance Configurations......................................................................... 303
Nessus Instance Configurations ....................................................................... 304
Nessus Certificate-Based Authentication Mode........................................ 305
Network Architecture Assessor Instance Configurations ................................. 306
Nmap Instance Configurations ......................................................................... 308
ScanAlert Instance Configurations.................................................................... 308
Windows Registry Instance Configurations...................................................... 309
Installation and Configuration .................................................................... 310
QualysGuard Instance Configurations .............................................................. 311
Appendix B Connector Configurations .................................................................. 313
Updating Scanner Plugins................................................................................. 313
AlterPoint Connector Configurations ................................................................ 314
AppDetective Connector Configurations .......................................................... 315
Configuresoft Connector Configurations .......................................................... 316
FoundScan Connector Configurations .............................................................. 317
ISS Internet Scanner Connector Configurations ............................................... 318
ISS SiteProtector Connector Configurations..................................................... 319
MBSA Connector Configurations...................................................................... 319
Nessus Connector Configurations .................................................................... 320
Nessus 3.02 and 2.2.7 Port Scanner Selection.......................................... 321
Network Architecture Assessor Connector Configurations .............................. 322
NAA Default Tests..................................................................................... 323
P2P Assessment ....................................................................................... 323
Adding Custom NAA Rules ....................................................................... 323
Nmap Connector Configurations ...................................................................... 326
QualysGuard Connector Configurations ........................................................... 327
Retina Connector Configurations...................................................................... 328
ScanAlert Connector Configurations................................................................. 329
WinReg Connector Configurations ................................................................... 329
Windows-Based Rules .............................................................................. 331
Appendix C Assessment Import Configurations ............................................ 332
File Imports....................................................................................................... 332
Preventsys XML ........................................................................................ 332
Generic XML ............................................................................................. 333
AppDetective XML .................................................................................... 334
AppScan XML............................................................................................ 336
FoundScan XML ........................................................................................ 337
MBSA XML ............................................................................................... 339
nCircle XML............................................................................................... 339
Nessus XML.............................................................................................. 340
NeXpose XML ........................................................................................... 342
NGSSquirreL for Oracle XML .................................................................... 342
NGSSquirreL for SQL Server XML ............................................................ 343
Nmap XML ................................................................................................ 344
QualysGuard XML ..................................................................................... 345
Scan Imports .................................................................................................... 346
AlterPoint................................................................................................... 346
AppDetective............................................................................................. 347
Configuresoft............................................................................................. 348
FoundScan................................................................................................. 349
ISS SiteProtector ....................................................................................... 350
QualysGuard.............................................................................................. 351
Retina ........................................................................................................ 352
ScanAlert ................................................................................................... 353
Appendix D Sample XML/Schema for Asset and Network Import .................. 355
Sample XML for Network Data Imports ........................................................... 355
Sample XML for Asset Data Imports................................................................ 356
Schema Document for Network Data Imports ................................................. 357
Schema Document for Asset Data Imports...................................................... 359
Appendix E Database Backup Guidelines ...................................................... 361
Appendix F Policy Library Module Installation ................................................ 362
Glossary of Terms ........................................................................................... 363
Index ............................................................................................................... 368
Chapter 1
Welcome to Preventsys
McAfee®'s Preventsys Risk Analyzer and Compliance Auditor (Preventsys) software
consolidates vulnerability, configuration, and threat data from multi-vendor tools.
Preventsys provides you with a single, comprehensive view of your network to help
you quickly identify assets that are at risk, and saves you time and money by
automating time-consuming manual processes. McAfee offers two Preventsys
solutions: Preventsys Risk Analyzer and Preventsys Compliance Auditor.
Note: Preventsys can receive threat-feed data from a supported third-party vendor.
This feature (referred to as the Preventsys Threat Intelligence feature) is set up during
the initial system configuration and requires that you have a contract with the vendor.
Please contact McAfee Solution Services for details.
McAfee Preventsys Risk Analyzer
McAfee Preventsys Risk Analyzer consolidates multi-vendor vulnerability,
configuration, and threat data across the enterprise to calculate risks, monitor
changes to an organization's risk score, and automate the compliance reporting
process. It supports centralized auditing across all aspects of policy, including
process, procedure, and technical controls. The product includes the following
components: Risk Management Dashboard, Risk Management Metrics Reporting,
Vulnerability and Misconfiguration Reporting, Remediation Workflow and
Prioritization, Compliance Dashboard, Automated Compliance Reporting, PolicyLab™,
and Policy Library.
McAfee Preventsys Compliance Auditor
McAfee Preventsys Compliance Auditor provides McAfee Foundstone® with
advanced policy compliance reporting capabilities. Customers can take in
Foundstone data and link corporate security policies and standards to specific
Foundstone checks to ensure policies are being adhered to across the network. The
product includes the following components: Risk Management Dashboard, Risk
Management Metrics Reporting, Vulnerability and Misconfiguration Reporting,
Remediation Workflow and Prioritization, Compliance Dashboard, PolicyLab™, and
Policy Library.
This guide provides a complete description of the features and options available in
Preventsys Risk Analyzer and Compliance Auditor.
Contacting Technical Support
DOWNLOAD SITE
Homepage: http://www.mcafee.com/us/downloads/
• Products and Upgrades (requires a valid grant number)
• Product Documentation
• Product Evaluation
• McAfee Beta Program
TECHNICAL SUPPORT
Homepage: http://www.mcafee.com/us/support/index.html
KnowledgeBase Search: http://knowledge.mcafee.com
McAfee Technical Support ServicePortal (logon credentials required):
https://mysupport.mcafee.com/eservice_enu/start.swe
CUSTOMER SERVICE
Web: http://www.mcafee.com/us/support/index.html or
http://www.mcafee.com/us/about/contact/index.html
Phone: +1-888-VIRUS NO or +1-888-847-8766 Monday - Friday, 8 a.m. - 8 p.m.,
Central Time
PROFESSIONAL SERVICES
Enterprise: http://www.mcafee.com/us/enterprise/services/index.html
Small & Medium Business: http://www.mcafee.com/us/smb/services/index.html
Chapter 2
Getting Started
This chapter explains the basic steps for getting started with Preventsys, including
configuring your Web browser, logging in, and running assessments.
The Basics
Preventsys utilizes both state and configuration data to provide a comprehensive
view of risks across your entire enterprise. Configuration data, such as asset and
network, can be manually entered or imported. State data, such as vulnerability,
configuration, and threat, can be generated by Preventsys assessments or by
assessment data imported into Preventsys from multi-vendor connectors. The
following steps provide a guideline for getting started with Preventsys after initial
installation and configuration are completed. See the McAfee Preventsys Risk
Analyzer and Compliance Auditor Installation Guide for details.
Step 1: Configure Your Browser
See Configuring Your Web Browser (on page 14) to determine if you need to make
any configuration changes to your browser for Preventsys to function properly.
Step 2: Set Up Third-Party CAs (optional)
If you plan to use a certificate signed by a third-party certification authority, see Using
Certificates from Third-Party CAs (on page 21).
Step 3: Log On
Open your browser and enter the Preventsys URL. Enter your username and
password to log on. See Accessing the Preventsys Administrative Client (on page
23) for details.
Step 4: Change the Preventsys User Password
Preventsys ships with a default Super User group and associated Preventsys user
account, which is used when installing and configuring Preventsys. For security, you
should change this password after installation. See About the Super User Group and
Preventsys User (on page 41) for details.
For details about changing your user information if you are not in the Super User
group, see Editing Your User Information (on page 63).
Step 5: Update the Policy Library
After installation, import the latest version of the Policy Library. See Updating the
Policy Library (on page 125) for details. You can also create your own policies and
rules if desired using the rules shipped with Preventsys as a template, or develop
custom rules to address your specific concerns. See the McAfee PolicyLab Product
Guide for details.
Note: Preventsys provides several policies that contain Manual Audit Task (MAT)
Rules. During the analysis phase of an assessment, these rules conduct integrity
checks on the associated MATs in your system (whether a MAT is assigned, is one
such check). If you do not want these checks to create policy violations, review your
MATs to ensure that they will pass these checks before you run your first
assessment and analysis. See Understanding Manual Audit Task Rules and Policy
Violations (on page 213) for details.
Step 6: Configure Assessment Servers and Instance Configurations
Configure your assessment servers and then configure each assessment server's
instance configurations. See Assessment Servers (on page 30) for details.
Step 7: Define Assets, Networks, and Network Groups
Define the assets, networks, and network groups that you want Preventsys to
assess. See Assets and Networks (on page 65) for details. You can also import
asset and network data collected from other sources, including McAfee's ePolicy
Orchestrator, into Preventsys. See Importing Asset and Network Data Files (on page
91) for details.
Step 8: Configure Connectors and Assessments
Configure the connectors you want to use for assessments. Note that you must first
add an instance configuration for a connector before it can be configured for an
assessment. Then, you can configure and schedule your assessments. You can also
import assessment data collected from other supported sources into Preventsys.
See Assessments and Connectors (on page 128) for details.
After you have run a successful assessment, you can view the results in reports and
on the Security Risk Dashboard. You can also assign any remediation tasks created
based on vulnerabilities and policy violations found by the assessment.
Step 9: View Reports and the Security Risk Dashboard
After an assessment has completed, use the reporting feature to view the results.
See Reports (on page 237) for details. The Security Risk Dashboard provides a
snapshot of how compliant you are, your current exposure, your top-five unresolved
remediation tasks, and the top-five remediation tasks assigned to you based on
priority. If you have the Preventsys Threat Intelligence feature, you can also receive
and view timely, actionable, and comprehensive security analysis and notification
about the latest cyber threats, including the threats and vulnerabilities that affect
your networks. See Security Risk Dashboard (on page 215) for details.
Step 10: Add Groups and Users
Add Groups that define how you want to manage user access to functionality and
content. Add a user account for each user whom you want to access Preventsys,
then associate them with the groups you created as desired. See User Authorization
(on page 40) for details.
Step 11: Assign Remediations
Assign vulnerabilities and policy violations, so they can be resolved. If desired,
create filters that will only display the remediation tasks you specify, and create rules
that will automatically pre-assign tasks to specific remediators. See Remediations
(on page 165) for details.
About Preventsys System Components
Preventsys is comprised of the following main components.
Note: In the Preventsys Administrative Client, the Enterprise Security Management
(ESM) Server was renamed Management Server (MS). However, some screens as
well as some commands relating to the Management Server, the Installer, and the
Configurator may still refer to the ESM Server. To avoid confusion, this server will be
referred to as the Management Server (ESM Server) when relevant. You should
enter all commands as presented.
Administrative Client
The Administrative Client is a browser-based client that provides the user interface
for the Management Server.
Assessment Server
The Assessment Server (AS) is the server (or cluster of servers), which hosts the
actual scanners. The AS and the connector instances you want on the server are
configured using the Administrative Client.
Management Server (ESM Server)
The Management Server (MS) is the server (or cluster of servers), which provides
the administrative interface to the Preventsys software.
Dynamic Address Resolution Connector (DARC)
DARC provides consistent address resolution for correlation of host information
throughout changing IP addresses (due to DHCP) by tracking hosts by their network
interface controller's (NIC) MAC address. By utilizing the Dynamic Target Address
Resolution Protocol (DTARP) to report the correlation between IP addresses and host
identity, Preventsys is able to correlate the same physical hosts regardless of IP
changes due to DHCP.
RDBMS Server
The Relational Database Management System (RDBMS) stores Preventsys
configuration data and scan results in both raw and analyzed formats. Note that it is
possible to install multiple components on individual servers in environments that
meet the requirements for minimum installation configurations. See the McAfee
Preventsys Risk Analyzer and Compliance Auditor Installation Guide for details.
Configuring Your Web Browser
The Preventsys Administrative Client is a browser-based application that uses 128-bit
encryption and the HTTPS protocol to secure its communication.
Supported Web Browsers
• Microsoft Internet Explorer v6-v7
• Mozilla Firefox v1.5.x
Browser Configuration
The following web browser settings must be enabled:
• 128-bit encryption
• Cookies
• Always display the latest versions of all Web pages
• Popups
If these settings are not enabled, you might encounter cached versions of
Preventsys' pages or not be able to view information displayed in other windows.
The following instructions detail how to configure your web browser for these
settings.
To configure Microsoft Internet Explorer
1 From the Internet Explorer menu, select Tools > Internet Options, then select
the General tab.
2 Under Temporary Internet Files, click Settings. The Settings dialog box
appears.
3 Under Check for newer versions of stored pages, click Every visit to the
page.
4 Click OK.
5 Select the Privacy tab.
6 Under Settings, click Sites. If this button is deactivated, move the Settings
slider to High to make it active. The Per Site Privacy Actions dialog box appears.
7 In the Address of Web site text box, enter the host name or IP address of your
McAfee Preventsys Management Server.
8 Click Allow. The address you entered is displayed in the Managed Web sites
box.
16
McAfee Preventsys Risk Analyzer and Compliance Auditor
9
Getting Started
Click OK. The Privacy tab appears.
10 Under Pop-up Blocker, select Block pop-ups and click Settings. The Pop-up
Blocker Settings dialog box appears.
11 In the Address of Web site to allow text box, enter the host name or IP
address of your McAfee Preventsys Management Server.
12 Click Add. The address you entered is displayed in the Allowed sites box.
13 Click Close, then click OK to save your settings.
14 To ensure your settings are applied, restart Internet Explorer.
To configure Mozilla Firefox
1 In the Firefox location bar, enter about:config. The Firefox configuration
preferences list appears.
2 Double-click browser.cache.check_doc_frequency. The Enter Integer Value
dialog box appears.
3 To have the browser check for a newer version of stored pages upon each visit
to a page, enter 1 in the text box. Note that 0 = Once per session, 1 = Each
time, 2 = Never, and 3 = When appropriate/automatically.
4 To save your settings, click OK.
5 From the Firefox menu, select Tools > Options, then select Privacy. The
Privacy tab options are displayed.
6 Select the Cookies tab if not already selected. The Cookies configuration
options are displayed.
7 Click Exceptions. The Exceptions - Cookies dialog box appears.
8 In the Address of web site text box, enter the host name or IP address of your
McAfee Preventsys Management Server.
9 Click Allow. The site you entered is displayed in the Site list.
10 Click Close. The Cookies tab appears.
11 Select the Content tab. The Content tab appears.
12 Click Allowed Sites. The Allowed Sites - Popups dialog box appears.
13 In the Address of web site text box, enter the host name or IP address of your
McAfee Preventsys Management Server.
14 Click Allow. The site you entered is displayed in the Site box.
15 Click Close. The Content tab reappears.
16 To save your settings, click OK.
17 To ensure your settings are applied, restart Firefox.
Using Certificates from Third-Party CAs
You can configure Preventsys to use a certificate signed by a third-party certification
authority (CA). Private keys and Certificate Signing Requests (CSR) can be generated
using the Java Keytool or OpenSSL and can be placed into the Preventsys keystore
or another keystore. Preventsys recommends using the Java Keytool and the
Preventsys keystore because the private key is automatically generated for you.
Generate a Key Pair and CSR Using Java Keytool
Follow the directions in this section to generate a key pair and CSR file using the
Java Keytool.
To generate a key pair and CSR using keytool
1 Enter the following command to shut down the Management Server (ESM
Server):
service esm stop
2 Generate a key pair (public/private) using the Keytool -genkey command.
keytool -genkey -keyalg rsa -keystore /usr/local/preventsys/certs/esm/keystore -alias <your alias>
3 When prompted for First Name and Last Name, enter the fully qualified domain
name (FQDN) for the Management Server (ESM Server). This value must be the
same as the hostname specified on the URL when connecting to the
Management Server (ESM Server), or the browser will display a security
warning.
4 Generate a CSR file using the Keytool -certreq command.
keytool -certreq -alias <your alias> -keystore /usr/local/Preventsys/certs/esm/keystore -file <your alias>.csr
5 Follow the CA's directions for sending them the generated CSR file.
6 The CA will respond with one or more CA certificates and a signed certificate,
which you will import to the Preventsys keystore and truststore, respectively.
See Importing Certificates (on page 23) for details.
Import an Existing Private Key
Follow the directions in this section if you have already generated a key pair using
Java Keytool and received your CA certificates and signed certificate from the CA.
To import an existing private key
1 Enter the following command to log on to the Management Server (ESM Server)
as root:
ssh root@<ip address>
2 Enter the following command to shut down the Management Server (ESM
Server):
service esm stop
3 Enter the following command to copy the keystore containing the new private
key, signed certificate from the CA, and the CA certificate(s) to the Management
Server (ESM Server):
scp <source login>@<source host>:<source path> <target login>@<target host>:<target path>
4 Enter the following command to import the private key from your keystore to
the Preventsys keystore:
java -cp ./server/ms/deploy/ms.war/WEB-INF/lib/esm.jar com.preventsys.security.ReplaceCertificate <source keystore> <source alias> <source keystore password> <source key password> /usr/local/preventsys/certs/esm/keystore <YOUR ALIAS> <keystore password> <target key password>
5 Import the CA certificate(s) and the signed certificate to the Preventsys keystore
and truststore, respectively. See Importing Certificates (on page 23) for details.
Generate Key Pairs Using OpenSSL
Follow the directions in this section if you are using OpenSSL to generate your key
pair.
To generate a key pair using OpenSSL
1 Enter the following command to log on to the Management Server (ESM Server)
as root:
ssh root@<ip address>
2 Enter the following command to shut down the Management Server (ESM
Server):
service esm stop
3 Enter the following command to copy the private key generated using OpenSSL,
the signed certificate from the CA, and the third-party CA certificate(s) to the
Management Server (ESM Server):
scp <source login>@<source host>:<source path> <target login>@<target host>:<target path>
4 Download version 6.0.1 of Jetty from http://sourceforge.net/projects/jetty/ and
SCP the jetty-6.0.1.jar found in the lib directory of that package to the
Management Server (ESM Server).
5 Enter the following command to create a PKCS12 file:
openssl pkcs12 -export -out <pkcs12file> -in <openssl cert> -inkey <openssl key> -name <new alias>
6 Enter the following command to import the private key from the PKCS12 file to
the Preventsys keystore:
java -cp <path to jetty jar>/jetty-6.0.1.jar org.mortbay.jetty.security.PKCS12Import <pkcs12file> /usr/local/Preventsys/certs/esm/keystore
7 Import the CA certificate(s) and the signed certificate to the Preventsys keystore
and truststore, respectively. See Importing Certificates (on page 23) for details.
Importing Certificates
Once you have your CA certificate(s) and the signed certificate, you need to add
them to the Preventsys keystore and truststore, respectively.
1 Enter the following command for each CA certificate you want to add to the
keystore:
keytool -import -alias <some alias> -keystore /usr/local/preventsys/certs/esm/keystore -trustcacerts -file <CA's cert>
2 Enter the following command to add the signed certificate to the keystore:
keytool -import -alias <your alias> -keystore /usr/local/preventsys/certs/esm/keystore -trustcacerts -file <Your signed cert>
3 Enter the following command to add the signed certificate to the truststore:
keytool -import -alias <your alias> -keystore /usr/local/preventsys/certs/esm/truststore -trustcacerts -file <Your signed cert>
4 Log on to the Management Server (ESM Server) as preventsys using SSH:
5 Update the conf.vars setting to point to the new key alias by doing the
following:
a Open the file: /usr/local/preventsys/predeployed/esm/conf/conf.vars
b Find the line: preventsys.tomcat.truststore.keyAlias=foobar
c Replace foobar with the alias specified as <your alias> in the previous
steps.
6 Enter the following command to log on to the Management Server (ESM Server)
as root:
ssh root@<ip address>
7 Enter the following command to start the Configurator (located at /usr/bin):
#configurator 2>conf.log
8 From the Configurator menu, select File > Save Config.
9 For Save All Configuration Data, click No.
10 For Redeploy ESM Components, click Yes.
11 The third-party certificates you imported will now be used by Preventsys.
Note: If the third-party signed certificate was an evaluation certificate, it may need
to be imported into the browser once as a trusted certificate. Non-evaluation
certificates from major vendors such as VeriSign and Thawte should already be
supported by the browser.
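The keytool procedure above requires the certificate's Common Name to equal the hostname used in the URL, while the login URL documented later in this chapter is written with the Management Server's IP address. The following Python, added here as an illustration and not code from the guide or from Preventsys, reproduces the browser-side name check with only the standard library so the consequence can be seen on constructed data: an IP address typed into the address bar is compared only against IP entries in the certificate's Subject Alternative Name, never against the FQDN in the Common Name, so a certificate made as described will still produce a browser warning when the server is reached by IP unless it also carries an IP SAN or the FQDN is used in the URL. The certificate identities and URLs below are constructed for this example.

```python
"""Browser-style matching of the host in a URL against a certificate identity.

Added illustration; the CertIdentity values are constructed, not real
Preventsys certificates. Only the standard library is used.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class CertIdentity:
    """Identity fields a CA signs: the Common Name entered at keytool's
    'First Name and Last Name' prompt, plus Subject Alternative Name entries."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def _dns_name_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match. A wildcard is honoured only as the whole
    leftmost label (*.example.com matches ms.example.com, not a.ms.example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = host.split(".")
    # Need at least one label for the wildcard plus the two or more fixed labels.
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def host_from_url(url: str) -> str:
    """The host part of the URL as typed, e.g. https://ms.example.com:9443/ms/."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in URL: %r" % url)
    return host


def browser_would_accept(url: str, cert: CertIdentity) -> Tuple[bool, str]:
    """Return (accepted, reason), mirroring what browsers do:
    an IP literal is matched only against SAN IP entries; a hostname is
    matched against SAN DNS names or, if the certificate has none, the CN."""
    host = host_from_url(url)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(entry) == ip for entry in cert.san_ip):
            return True, "IP %s is listed in the SAN" % host
        return False, "IP %s is not in the SAN; the CN is ignored for IP literals" % host
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    for name in names:
        if _dns_name_match(name, host):
            return True, "%s matches %s" % (host, name)
    return False, "%s matches none of %s" % (host, names)


# Constructed sample identities (assumed names, not from the guide).
FQDN_CERT = CertIdentity(common_name="ms.example.com", san_dns=["ms.example.com"])
FQDN_AND_IP_CERT = CertIdentity(common_name="ms.example.com",
                                san_dns=["ms.example.com"], san_ip=["10.0.0.5"])
WILDCARD_CERT = CertIdentity(common_name="*.example.com")


if __name__ == "__main__":
    for url in ("https://ms.example.com:9443/ms/", "https://10.0.0.5:9443/ms/"):
        for label, cert in (("FQDN only", FQDN_CERT), ("FQDN + IP SAN", FQDN_AND_IP_CERT)):
            ok, why = browser_would_accept(url, cert)
            print("%-32s %-14s %s (%s)" % (url, label, "OK" if ok else "WARNING", why))
```

The practical reading: decide before generating the CSR which name operators will type into the browser, and put that name in the certificate; if the IP form of the URL is what will be used, the certificate needs the IP as a SAN entry, which the keytool -genkey prompt alone does not produce.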
Accessing the Preventsys Administrative Client
This section details how to log on to the Preventsys Administrative Client. If your log
on fails three consecutive times, your session will be locked. Open a new web
browser window and log on again if this happens.
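The three-failure lockout described above is also a threshold worth watching from the server side, particularly for the default Preventsys Super User account whose password the Getting Started steps tell you to change. The following Python is an added example, not part of the guide or the product: it scans a constructed authentication log (the line format is an assumption made for this example; the product's own log format is not documented here) and raises one alert when a username reaches three consecutive failed logons, with a successful logon resetting the count and non-matching lines skipped.

```python
"""Detect consecutive failed logons against the Administrative Client.

Added illustration. The log line format and SAMPLE_LOG are constructed for
this example; they are not Preventsys log output.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed format: "<ISO timestamp> LOGIN <user> <SUCCESS|FAILURE> from <source ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<user>\S+) (?P<result>SUCCESS|FAILURE) from (?P<src>\S+)$"
)

# The guide's rule: three consecutive failed logons lock the session.
LOCKOUT_THRESHOLD = 3

SAMPLE_LOG = """\
2007-03-01T09:00:01 LOGIN alice FAILURE from 10.0.0.7
2007-03-01T09:00:05 LOGIN alice SUCCESS from 10.0.0.7
2007-03-01T09:01:10 LOGIN preventsys FAILURE from 192.168.1.50
2007-03-01T09:01:14 LOGIN preventsys FAILURE from 192.168.1.50
2007-03-01T09:01:19 LOGIN preventsys FAILURE from 192.168.1.50
2007-03-01T09:01:25 LOGIN preventsys FAILURE from 192.168.1.50
2007-03-01T09:02:00 LOGIN bob FAILURE from 10.0.0.9
this line is not a login event and is skipped
2007-03-01T09:02:30 LOGIN bob FAILURE from 10.0.0.9
"""


def find_lockouts(log_text: str, threshold: int = LOCKOUT_THRESHOLD) -> List[Dict[str, object]]:
    """Return one alert per user at the moment their consecutive-failure
    streak first reaches the threshold.

    A SUCCESS resets the streak and re-arms the alert; extra failures after
    an alert do not re-alert until a success intervenes, so a burst of
    failures yields a single ticket rather than one per attempt."""
    streak: Dict[str, int] = defaultdict(int)
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a logon event in the constructed format
        user = match["user"]
        if match["result"] == "SUCCESS":
            streak[user] = 0
            alerted.discard(user)
            continue
        streak[user] += 1
        if streak[user] >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "at": match["ts"],
                "src": match["src"],
                "failures": streak[user],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_lockouts(SAMPLE_LOG):
        print("%(at)s lockout threshold reached for %(user)s from %(src)s "
              "(%(failures)d consecutive failures)" % alert)
```

On the sample, alice's single failure is cleared by her next success, bob stops at two failures, and only the preventsys account trips the threshold; the source address in the alert is what you would pivot on when deciding whether the failures are a forgotten password or something to escalate.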
To log on
1 Open your web browser and enter the URL for Preventsys. The Preventsys
Login screen appears.
The format for the Preventsys URL is https://xxx.xxx.xxx.xxx:9443/ms/
where xxx.xxx.xxx.xxx is the IP address of the Management Server's
external/trusted interface and 9443 is the port for the web service. See the
McAfee Preventsys Risk Analyzer and Compliance Auditor Integration Guide for
details about ports used by Preventsys.
2 Enter your Username and Password.
Note: Preventsys is pre-configured with a user named Preventsys. This user
belongs to the Super User group which has access to all resources as well as
permissions for all networks. See About the Super User Group and Preventsys
User (on page 41) for details about logging in as the Preventsys user.
3 Click Login.
To log off
1 Click Logout located in the top right-hand corner of any screen.
2 On the Logged Out screen, click Login Again to return to the Login screen.
Note: If your session is idle for 30 minutes or more, you will automatically be logged
out and the Logged Out screen will be displayed.
Configuring the Web Session Timeout
The web session timeout setting specifies how long a session can be idle before it
times out. By increasing this value, users will not experience browser timeouts as
frequently. The maximum time out value is 120 minutes. The default setting is 30
minutes. Only members of the Super User group can change this setting.
To change the web session timeout
1 From the Preventsys menu, select Admin > System Preferences, then scroll
down to the Web Session Timeout section.
2 In the Timeout in minutes text box, enter the number of minutes you want to
allow a session to be idle before it times out. The minimum value allowed is 1
minute and the maximum is 20 minutes.
3 To save your changes, click Submit.
Note: Changes to the web session timeout will not affect current web browser
sessions until the user refreshes or visits a different screen.
Configuring the Threat Feed Manager Proxy
Preventsys can receive threat-feed data from a supported third-party vendor. This
feature (referred to as the Preventsys Threat Intelligence feature) is set up during the
initial system configuration and requires that you have a contract with the vendor.
Please contact McAfee Solution Services for details.
To enter proxy settings for the Threat Feed Manager
1 From the Preventsys menu, select Admin > System Preferences, then scroll
down to the Threat Feed Manager Proxy Setup section.
2 To configure the Threat Feed client to use a web proxy, select Enable. The web
proxy is disabled by default.
3 Enter the Proxy's host, port, and, if required, username and password.
4 To test the connection to the Threat Feed Manager, select Test Proxy Settings.
5 To save your settings, click Submit.
Navigating Preventsys
This section provides information about navigating within Preventsys, including the
main menu, pagination controls, and table sorting.
Main Menu
The Preventsys Main Menu provides access to all system functions. Access to this
functionality is granted based on the groups to which the user belongs. See
Managing Groups (on page 41) for details.
Pagination Controls
Various reports and administration screens feature pagination controls near the
bottom of the screen, which allow for convenient navigation through long lists of
data. When the data spans multiple pages, click a page number to view the selected
page.
Page numbers are presented in groups of ten. If there are more than ten pages, the
pagination controls will include links to the Next and Previous group of ten pages.
Table Sorting
Many screens display information in tables. This information is organized based on a
default sort (for example, Full Name). To change the way a table is sorted, click the
desired column heading. Columns that can be sorted will display a dashed line under
the heading text. To reverse the sort order, click the column heading again.
Saving as PDF
There are several areas in Reporting and Remediation Management where you can
save the displayed information as a Portable Document Format (PDF). Clicking Save
as PDF will open a separate browser window that displays the information in PDF
format.
Select the Adobe Acrobat save function to save the report as a PDF file.
Version and Node Information
The About Preventsys screen displays information about McAfee Preventsys,
including version information and the number of nodes used. To access the About
Preventsys screen, select Help > About Preventsys from the Preventsys menu.
Note: The number of nodes used is updated daily.
Reporting Errors
Use the Error Report screen when you encounter an issue and want to collect your
log files. The Error Report is also displayed automatically if an unexpected issue
occurs.
You can have the log files emailed to you, or, if your email system does not support
large file attachments, you can download them. The files can also be emailed to
another party if desired, for example, to an email address that McAfee Support gives you.
By default, the information in the Error Report is not encrypted and is sent to the
logged-in user's email address. Only McAfee Support can decrypt the log files, so
only use the encryption option if you are sending the files to them.
To submit an error
1 From the Preventsys menu, select Help > Submit Error. The Error Report
screen appears.
2 In the Comments box, enter as much information as you can about what you
think caused the error and any steps that might help reproduce it.
3 When you are finished, click Continue.
4 Preventsys gathers and compresses the log information. When this task has
completed, the report will be sent to the email address specified. If you elected
to download the report, an email containing a link to where you can download
the report will be sent to the From address.
Chapter 3
Assessment Servers
Before Preventsys can perform assessments on your networks, you must first
configure your Assessment Server(s) and the instance configurations for the
assessment tools you want to use. This chapter discusses how to add and modify
assessment servers and how to add instance configurations. Some types of
assessment data import also require instance configurations (see for details).
Useful Terms
Please review the following terms before continuing with this chapter.

- Assessment Server: The Assessment Server is one of the applications that make up the Preventsys Security Risk Management System. It provides an interface between the Management Server and a variety of assessment tools, both third-party and Preventsys-created. Each of these interfaces is called a connector, and each Assessment Server ships with several connectors pre-installed. The interface is documented so that anyone can write their own connector and add support for additional third-party software.

- Connector: A connector is the interface used by the Assessment Server that allows the Management Server to configure, control, and receive results from a particular assessment tool. Each connector must provide instance configuration and connector configuration forms, must be able to start, stop and (optionally) pause and resume scans, and must be able to transform the tool's results into the Preventsys result format. Each connector is dynamically loaded at startup, so individual connectors can be added, updated, and removed without requiring a replacement Assessment Server executable.
  Preventsys has published its connector API so that anyone can add support for additional software. Contact McAfee Support for information about the API.

- Instance Configuration: An instance configuration is a static set of parameters for a particular installation of an assessment tool supported by Preventsys. Its parameters are generally used to allow an Assessment Server to connect to, and if needed authenticate to, a particular installation of the assessment tool.
  For example, if the same tool were installed in three different locations, each of those installations would have its own instance configuration.

- Network Affinity: During an assessment, the Management Server can distribute a task across multiple Assessment Servers, which not only frequently speeds up auditing but also improves reliability, since an assessment is never tied to a specific set of Assessment Servers. The downside is that this assumes all Assessment Servers are equally capable of scanning a particular network range when, in fact, this is rarely the case. Preventsys addresses this with network affinity. See Affinity and Weight (on page 33) for details.
Managing Assessment Servers
All Assessment Server and Instance Configuration administration is conducted from
the Assessment Server Management screen.
To access the Assessment Server Management screen

- From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
The Assessment Server Management screen displays the connection status and
version number of each assessment server. The average status of all assessment
servers is also displayed.
The screen also displays the connectors initialized on each assessment server. From
this screen, you can add a new assessment server and associated instance
configurations, edit an existing assessment server and associated instance
configurations, and delete an assessment server and/or associated instance
configurations.
Note: Preventsys supports the cooperative scanning of more than one network at a
time using multiple Assessment Servers, as well as scanning the same network
using more than one Assessment Server.
Adding Assessment Servers
Use the Add Assessment Server function to add new assessment servers.
To add an assessment server

1. From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2. Click Add New. The Add Assessment Server screen appears.
3. Enter a name for the assessment server (20 characters maximum), its IP address or hostname, and its port number.
4. To save your settings, click Submit. Preventsys verifies that the Management Server can connect to the Assessment Server. If the connection fails, the Assessment Server is still added, but it cannot be used for assessments until the connection succeeds.
Editing Assessment Servers
Use the Edit Assessment Server function to modify assessment servers.
To edit an assessment server

1. From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2. Click Edit for the server you want to modify. The Edit Assessment Server screen appears.
3. Edit the assessment server as desired.
4. To save your changes, click Submit.
Disabling and Enabling Assessment Servers
Use the Disable function to take an Assessment Server offline temporarily without
losing any of the server's data or associated instance configurations. When an
Assessment Server is disabled, it is still displayed on the Assessment Server
Management screen with its associated instance configurations; however, you cannot
edit any of this data or use it to run new assessments. Any assessments currently
running should complete as expected.
After the Assessment Server is enabled, you will be able to edit it, view and edit the
associated instance configurations as well as add new ones, and use it to run
assessments just as before.
To disable/enable an assessment server

1. From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2. Click Disable for the server you want deactivated. A confirmation dialog box appears.
3. Click OK to deactivate the selected assessment server and all associated instance configurations. The Disable option changes to Enable. To reactivate the Assessment Server, click Enable.
Deleting Assessment Servers
Use the Delete Assessment Server function to remove assessment servers and
associated instance configurations.
Note: Deleting an Assessment Server might cause currently running assessments
to fail if connectivity is also lost.
To delete an assessment server

1. From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2. Click Delete for the server you want removed. A confirmation pop-up box appears.
3. Click OK to delete the selected assessment server and all associated instance configurations.
Managing Instance Configurations
As discussed at the beginning of this chapter, you must configure your assessment
server and the instance configurations for the assessment tools you want to use
before assessments can be performed on your networks. This section discusses
how to add and modify instance configurations after you have added an assessment
server.
Affinity and Weight
Network affinity allows you to configure how suitable a particular instance
configuration is to scan a network range. When adding an instance configuration,
you can add one or more network affinity ranges, each of which consists of a range
of IPs and a weight, which is a number from 1-100. If no network affinity range is
defined for an instance configuration, the Management Server assumes that instance
is the best possible instance for any IP range.
During an assessment when network affinity ranges are defined, the Management
Server will assign each task to the instance configuration whose network affinity
both supports the range and has the highest weight. If necessary, the Management
Server will split the task across multiple Assessment Servers to ensure that the
instance configuration with the highest weight for a given range of IPs is always
used.
Network affinity is practically required when some Assessment Servers cannot send
packets to a particular IP range because of routing or filtering restrictions. Using
network affinity ranges, you define the IP ranges each instance configuration can
reach and leave out the ranges it cannot. The Management Server then never assigns a
target IP range to an instance configuration whose network affinity ranges do not
cover it. Without network affinity ranges, assessments might fail because the
Management Server might assign a task to an instance configuration unable to handle
the target IP range.
Affinity is also useful when configuring Assessment Servers at multiple locations that
are networked over a slower WAN connection. By assigning higher weights to local
networks, and lower weights to remote networks, you can ensure that the fastest
available instance configuration will be selected to scan a particular network range,
and that scan traffic will only be transmitted over the WAN link as a last resort.
Configuring Affinity and Weight
When you add an instance configuration to an Assessment Server, you have the
option of specifying which network(s) the instance should be allowed to assess. This
is referred to as Network Affinity.
If you do not provide an affinity, then Preventsys assumes all networks can be
scanned. Therefore, if you have more than one instance configuration for the same
connector type, then Preventsys automatically gives priority to the instance with no
network affinity. If you want Preventsys to consider network affinity when selecting
between instance configurations for the same connector type, you must specify a
network affinity for each instance.
If you choose to specify an affinity, make sure that the networks you want to assess
are within the affinity ranges. Networks outside the affinity ranges are ignored by
Preventsys when an assessment is run.
Note: You can add multiple as well as overlapping network affinity ranges to a single
instance configuration.
If you have more than one instance configuration of a specific type (for example, two
Nessus instances) with overlapping network affinity ranges, you can also specify the
priority in which Preventsys should utilize them during an assessment by also
assigning a weight. If you do not specify a network affinity range, Preventsys
defaults the weight to 100.
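The affinity rules described above, modelled in Python as an added example (not Preventsys code): the instance with the highest weight for an IP gets it, an instance with no affinity counts as weight 100 everywhere, and a task is split so that the best instance is always used. The instance names, address ranges and first-listed-wins tie-breaking are this example's assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_WEIGHT = 100  # weight Preventsys assumes for an instance with no affinity range


def ip(s: str) -> int:
    """Addresses are handled as integers so a range can be walked cheaply."""
    return int(IPv4Address(s))


@dataclass(frozen=True)
class Affinity:
    """One network affinity range: inclusive IP bounds plus a weight of 1-100."""
    start: int
    end: int
    weight: int

    def __post_init__(self):
        if not 1 <= self.weight <= 100:
            raise ValueError("weight must be 1-100")
        if self.start > self.end:
            raise ValueError("range start is after its end")

    def covers(self, addr: int) -> bool:
        return self.start <= addr <= self.end


@dataclass
class InstanceConfig:
    name: str
    affinity: list = field(default_factory=list)  # empty = no affinity defined

    def weight_for(self, addr: int):
        """Highest weight of any affinity range covering addr, or None if this
        instance cannot reach it. With no affinity at all the instance is assumed
        to be the best possible instance for every IP (weight 100)."""
        if not self.affinity:
            return DEFAULT_WEIGHT
        weights = [a.weight for a in self.affinity if a.covers(addr)]
        return max(weights) if weights else None


def best_instance(addr: int, instances):
    """Name of the instance with the highest weight for addr, or None if no
    instance can reach it. Equal weights go to the instance listed first
    (an assumption: the guide does not define tie-breaking)."""
    best, best_w = None, 0
    for inst in instances:
        w = inst.weight_for(addr)
        if w is not None and w > best_w:
            best, best_w = inst.name, w
    return best


def assign_task(start: str, end: str, instances):
    """Split the target range into contiguous segments, each tagged with the
    instance that should scan it, so the best instance is always used. A None
    tag marks IPs no instance can reach: that part of the assessment would fail."""
    lo, hi = ip(start), ip(end)
    segments = []
    seg_start, current = lo, best_instance(lo, instances)
    for addr in range(lo + 1, hi + 1):
        chosen = best_instance(addr, instances)
        if chosen != current:
            segments.append((current, str(IPv4Address(seg_start)), str(IPv4Address(addr - 1))))
            seg_start, current = addr, chosen
    segments.append((current, str(IPv4Address(seg_start)), str(IPv4Address(hi))))
    return segments


def wan_example():
    """Two Nessus instances at two sites (constructed sample data), weighted so
    that scanning across the WAN link is a last resort."""
    ny = InstanceConfig("nessus_ny", [
        Affinity(ip("10.4.1.0"), ip("10.4.1.255"), 100),  # local LAN
        Affinity(ip("10.4.3.0"), ip("10.4.3.255"), 20),   # remote site, over the WAN
    ])
    ldn = InstanceConfig("nessus_ldn", [
        Affinity(ip("10.4.3.0"), ip("10.4.3.255"), 100),  # local LAN
        Affinity(ip("10.4.1.0"), ip("10.4.1.127"), 20),   # filtering: reaches only half of NY
    ])
    # Nobody lists 10.4.2.0/24, so that part of the task cannot be assigned.
    return assign_task("10.4.1.200", "10.4.3.10", [ny, ldn])


def no_affinity_example():
    """An instance with no affinity counts as weight 100 everywhere, so it
    outranks an instance whose affinity for the same range carries a lower weight."""
    local = InstanceConfig("nessus_local", [Affinity(ip("10.4.1.0"), ip("10.4.1.255"), 80)])
    unrestricted = InstanceConfig("nessus_any")
    return assign_task("10.4.1.1", "10.4.1.10", [local, unrestricted])
```

The segment tagged None in wan_example is the case the text warns about: without an affinity range covering 10.4.2.0/24, no instance is eligible and that part of the assessment cannot run.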
Adding Instance Configurations
Use the Add Instance Configuration function to add instance configurations of
connectors to assessment servers.
To add an instance configuration

1. From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2. Expand the row for the desired Assessment Server.
3. Select the type of connector you want to add, then click Add New Connector. The Instance Configuration screen for the selected connector appears.
   Figure 1: Example of the Nessus Instance Configuration screen
4. Enter a connector name and all required information. Enter any optional information, including Affinity, as desired. See Affinity and Weight (on page 33) for details.
   Note: Preventsys recommends that you name your instance configurations so that their associated connector type can be easily identified. For example, use nessus1, not instance1.
5. To save your settings, click Submit.
Editing Instance Configurations
Use the Edit Instance Configuration function to modify instance configurations for
assessment servers.
To edit an instance configuration

1. From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2. Click the plus box to expand Connectors, and click Edit for the instance configuration you want to modify. The instance configuration screen for the selected connector appears.
3. Edit the instance as desired.
4. To save your changes, click Submit.
Deleting Instance Configurations
Use the Delete Instance Configuration function to remove instance configurations
from an assessment server.
Note: If you have multiple instance configurations of the same type, Preventsys will
attempt to use the remaining instance if you delete the other while an assessment is
running.
To delete an instance configuration

1. From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2. Click the plus box to expand Connectors, and click Delete for the instance configuration you want removed. A confirmation pop-up box appears.
3. Click OK to delete the selected instance configuration from the associated assessment server. Only the selected instance is deleted; other instances of the same type are not affected.
Chapter 4
User Authentication
This chapter presents details about how Preventsys handles authentication.
Authentication is the process of identifying an individual, generally based on a
username and password.
Note: Preventsys is pre-configured with a Super User group and Preventsys user
account, which allow you to log on to the application immediately after installation
and configuration. See About the Super User Group and Preventsys User (on page
41) for details.
Local and Remote Authentication
Preventsys can authenticate users either locally or remotely. Local authentication
occurs within Preventsys; remote authentication occurs within an Active Directory
(AD) that you specify. Note that authorization (the features and content users can
access once they are logged in to Preventsys) is not supported through AD.
Authorization is controlled by Groups. See User Authorization (on page 40) for
details.

- Local User: A user of Preventsys who is authenticated locally by Preventsys.
- Remote User: A user in a specified AD who has been granted access to Preventsys and is therefore authenticated remotely by that AD.

Note: Remote users cannot log on to Preventsys if the AD connection is unavailable.
Connecting to an Active Directory Server
To grant users in an AD access to Preventsys, you must first establish a connection
between Preventsys and the desired AD. After the connection is made, you will be
able to add Preventsys accounts for those users. See Connecting to an Active
Directory Server (on page 38) for details.
To connect to an Active Directory server

1. From the Preventsys menu, select Admin > Preferences. The System Preferences screen appears.
2. Under Authentication Server, enter the following information:
   - Enabled/Disabled: Select this option to enable LDAP authentication within Preventsys.
   - Name: The identifier given to the LDAP server. Note: Preventsys currently supports only one server connection at a time.
   - LDAP Server Type: The type of LDAP server. Only MS-ADS is currently supported.
   - IP/Hostname: The IP address or DNS name of the LDAP server. For example, 10.4.10.165 or ldap.corp.com.
   - Port: The port number that the LDAP server is listening on. For example, 389.
   - Base DN: The Base Distinguished Name that identifies where LDAP searches start within the LDAP tree. For example, DC=POLCAP2,DC=local specifies that searches begin within the domain POLCAP2\local. Setting the Base DN appropriately can significantly reduce the search time required to locate LDAP users.
   - Admin DN: The Distinguished Name of the administrator account used to connect to the LDAP server. Enter this value without the Base DN; the Base DN entered above is combined with this DN to locate the administrator user.
   - Admin Password: The LDAP password for the administrator user.
   - Verify Password: Repeat the password for verification.
   - Use Secure Connection/SSL: Select this option to enable encrypted communication between Preventsys and the LDAP server.
3. Click Test Authentication Server to verify the connection.
4. To save your settings, click Submit.

Now that you have established an AD connection, see User Authorization (on page
40) for details about granting associated users access to Preventsys.
Chapter 5
User Authorization
Preventsys authorizes access to functionality and content using a group-based
access control mechanism. This chapter provides details about how to control
access to functionality by adding permissions to groups, how to control access to
content by associating networks with groups, and how to create accounts for users
and associate them with groups.
Note: Preventsys is pre-configured with a Super User group and Preventsys user
account, which allow you to log on to the application immediately after installation
and configuration. See About the Super User Group and Preventsys User (on page
41) for details.
Useful Terms
Please review the following terms before continuing with this chapter.

- Local User: A user of Preventsys who is authenticated locally by Preventsys.

- Remote User: A user in a specified Active Directory (AD) who has been granted access to Preventsys and is therefore authenticated remotely by that AD.

- User Account: A user account grants the user access to Preventsys. The user's account must be added to a group (or groups) to give them additional access to functionality and content. Preventsys also supports remote authentication of users via an Active Directory connection. See Connecting to an Active Directory Server (on page 38) for details.

- Resource: A resource is an object of Preventsys. For example, all of the management screens, such as Assessment Configuration Management and User Administration Management, are resources.

- Permission: A permission is an action that can be performed on a resource (for example, read and modify). By giving a group a specific permission, you grant that group access to the associated functionality. For example, the Modify User permission for the Users resource gives users the ability to add, edit, and delete user accounts. Permissions are also granted at the network level, which gives users access to content in areas where content is driven by networks. For example, if a group has the Assign Remediations permission for the Remediations resource and permission to the AcmeDataCenter network, then members of that group can view and assign tasks for assets within the AcmeDataCenter network range.

- Group: A group is where you define the resources and permissions that its members will have.
About the Super User Group and Preventsys User
Preventsys is pre-configured with a Group named "Super User", which has one
member named "Preventsys". This group is configured with access to all resources
and permissions for all networks (existing and new). Users can be added to and
removed from the group as long as at least one user remains in the group, but the
group itself cannot be edited, deleted, or copied.
The Preventsys account is generally reserved for the lead administrator, and has the
following credentials:
Username: preventsys
Password: Audit321
Note: In Preventsys v2.6, the password for the Preventsys user was changed to
meet Preventsys' strong password policy. If you upgrade from an earlier version to
v2.6 or later and have not changed the default password for this user, Preventsys will
automatically update this password to Audit321.
While this account is generally used for the initial setup and subsequent system
administration, it is strongly suggested that you change the preset password as soon
as possible.
Managing Groups
A group defines the resources and permissions to which its members have access.
Preventsys is preconfigured with a group called Super User that provides full
access to all functionality and content.
Content Inheritance
When users are added to a group, they automatically inherit the access rights of that
group. If there are network permissions associated with the group (for example, the
group is given permission to manage the AcmeDataCenter network) and other networks
exist within the range of the AcmeDataCenter network (for example, AcmeSub1 and
AcmeSub2), then the group is automatically given the same permissions for those
subnetworks as it has for the AcmeDataCenter network. This is referred to as content
inheritance.
If there are network permissions associated with a group (for example, the group is
given permission to manage the NYDataCenter network) and other IPs exist that are
within the range of NYDataCenter network (for example, 10.4.1.5 and 10.1.4.10),
then the user that belongs to that group is automatically given the same permissions
for those IPs as they have for the IPs within the NYDataCenter network. Note that
this type of content inheritance is only considered when viewing data that is host
driven vs. network or network group driven. For example, Remediation Management
is host driven.
Direct Association
Network groups are an exception to the content inheritance described in the previous
section. A group must be directly associated with all networks in a network group to
have access to that network group. In the previous example, AcmeDataCenter is directly
associated with the group, but AcmeSub1 and AcmeSub2 are not. You would need to add
these two subnetworks to the group manually, via the Add or Edit Group screen or the
Add or Edit Network screen, for them to be considered directly associated. Note that
creating a network that contains another network gives direct association only to the
created network, not to the network contained within it. For example, the
AcmeDataCenter network consists of the IP range 10.4.1.2-10.4.1.25 and the DataCenter1
network. The group would therefore be directly associated with AcmeDataCenter but not
with DataCenter1. You would need to add DataCenter1 to the group manually for it to be
considered directly associated as well.
Group and Permission Hierarchy
A user can belong to more than one group. However, permissions are granted per
group, not across groups. For example, assume that Group1 has the Modify Networks
functional permission and the Network A (10.4.1.1-10.4.1.11) content permission, and
another group, Group2, has the Modify Assets functional permission and the Network B
(10.4.1.20-10.4.1.25) content permission. John belongs to both groups, so he can
modify the Network A network but not the Network B network. He can also modify
IPs/assets within Network B, but not the IPs/assets within Network A.
If an individual group has several permissions for the same resource, the least
restrictive permission takes precedence. For example, if the group is given both the
Modify and Read permissions for Networks, the Modify permission takes
precedence. The exceptions to this are the Modify Groups and Modify Users
permissions. A member of a group that has the Modify Groups permission
automatically inherits that permission for every group to which they belong. A
member of a group with the Modify Users permission automatically inherits that
permission for every group to which they belong. Note that this will not always be
evident because the Modify Groups and Modify Users permissions do not have to be
selected for the user to be able to view and modify the group if they obtained this
permission via inheritance.
Any changes made to a group's permissions will automatically be applied to all
members of that group. Removing an individual user from one group and adding
them to another group will sever all connections to the resources, permissions, and
networks of the previous group and replace them with those of the new group.
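The content inheritance, direct association and per-group permission rules of the preceding three sections, modelled in Python as an added example (not Preventsys code). The group, user and network names follow the text; the IP ranges given to AcmeSub1 and AcmeSub2 and the numeric read/modify ordering are this example's assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Restrictiveness order used to pick the least restrictive permission a single
# group holds on a resource (only read/modify appear in the guide's example).
LEVEL = {"read": 1, "modify": 2}


def ip(s: str) -> int:
    return int(IPv4Address(s))


@dataclass(frozen=True)
class Network:
    name: str
    start: int  # inclusive
    end: int    # inclusive

    def contains_ip(self, addr: int) -> bool:
        return self.start <= addr <= self.end

    def contains_network(self, other: "Network") -> bool:
        return self.start <= other.start and other.end <= self.end


@dataclass
class Group:
    name: str
    permissions: dict = field(default_factory=dict)  # resource -> set of permissions
    networks: list = field(default_factory=list)     # directly associated networks

    def effective(self, resource: str):
        """Least restrictive permission this group holds on resource, or None."""
        perms = self.permissions.get(resource, set())
        return max(perms, key=LEVEL.__getitem__) if perms else None

    def covers_host(self, addr: int) -> bool:
        """Content inheritance for hosts: any IP inside an associated range."""
        return any(n.contains_ip(addr) for n in self.networks)

    def covers_network(self, net: Network) -> bool:
        """Content inheritance for networks: a sub-network inside an associated
        range inherits the group's permissions on the enclosing network."""
        return any(n.contains_network(net) for n in self.networks)

    def covers_network_group(self, members) -> bool:
        """Network groups are the exception: every member network must be
        directly associated; inheritance does not apply."""
        return all(m in self.networks for m in members)


def can(groups, resource: str, level: str, *, host=None, network=None) -> bool:
    """True if a single group grants at least `level` on resource AND covers the
    requested content. Functional and content permissions held in different
    groups are never combined."""
    for g in groups:
        eff = g.effective(resource)
        if eff is None or LEVEL[eff] < LEVEL[level]:
            continue
        if host is not None and not g.covers_host(ip(host)):
            continue
        if network is not None and not g.covers_network(network):
            continue
        return True
    return False


def john_example():
    """The guide's Group1/Group2 scenario (constructed here): John is in both."""
    net_a = Network("Network A", ip("10.4.1.1"), ip("10.4.1.11"))
    net_b = Network("Network B", ip("10.4.1.20"), ip("10.4.1.25"))
    group1 = Group("Group1", {"networks": {"modify"}}, [net_a])
    group2 = Group("Group2", {"assets": {"modify"}}, [net_b])
    john = [group1, group2]
    return {
        "modify Network A": can(john, "networks", "modify", network=net_a),    # True
        "modify Network B": can(john, "networks", "modify", network=net_b),    # False
        "modify asset in B": can(john, "assets", "modify", host="10.4.1.22"),  # True
        "modify asset in A": can(john, "assets", "modify", host="10.4.1.5"),   # False
    }


def inheritance_example():
    """AcmeDataCenter with two sub-networks (constructed ranges): inheritance
    reaches the sub-networks but not a network group built from them."""
    acme = Network("AcmeDataCenter", ip("10.4.1.2"), ip("10.4.1.25"))
    sub1 = Network("AcmeSub1", ip("10.4.1.2"), ip("10.4.1.10"))
    sub2 = Network("AcmeSub2", ip("10.4.1.11"), ip("10.4.1.25"))
    ops = Group("Ops", {"networks": {"read", "modify"}}, [acme])
    return {
        "effective on networks": ops.effective("networks"),                # "modify"
        "read AcmeSub1": can([ops], "networks", "read", network=sub1),     # True
        "network group of subs": ops.covers_network_group([sub1, sub2]),  # False
    }
```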
Network and Network Group Based Reporting Data
Note that content displayed on some resources in Preventsys is controlled at the
network group level rather than the network level. For those areas (for example,
most reports), the user must belong to a group (or groups) with both the permission
to view the resource and permissions for all the networks that make up the network
group associated with the content displayed on the report.
In addition, when determining what content to display on reports, Preventsys only
considers the networks as they existed at the time an assessment was run. Therefore,
editing a network associated with a group does not affect what that group can access
in reports until an assessment is run using the edited network. For example, if a
network group SouthCenterGrp contains only the network SouthCntr1 (10.4.1.2-10.4.1.5),
then members of the group directly associated with this network have access to data
from assessments conducted on SouthCenterGrp. If SouthCntr1 is edited to be
10.4.1.6-10.4.1.9 and an assessment is run using SouthCenterGrp, then members of the
same group have access to data from assessments conducted on SouthCenterGrp for both
ranges (10.4.1.2-10.4.1.5 and 10.4.1.6-10.4.1.9). Before editing your networks,
consider how your changes will affect authorization for reports.
About Resources and Permission
All group administration is conducted from the Group Management screen. The
following table presents all the resources and corresponding permissions for
Preventsys, the functions that each of them control, and the screens to which they
allow access.
Resource: Users

  Permission: read only
  Functions: Read (read only, no adding or modifying allowed)
  Associated Screens: User Management (By User, By Group tabs); User Details; Group Management (By Group, By Network tabs); Group Details

  Permission: modify users
  Functions: Add/Edit/Delete/Add and Remove Users From Groups
  Associated Screens: User Management (By User, By Group tabs); Add User; Edit User; Group Management (By Group, By Network tabs); Add/Remove Users From Group

  Permission: modify groups
  Functions: Add/Edit/Copy/Delete and Add/Remove Group Associations from Networks
  Associated Screens: Group Management (By Group, By Network tabs); Add Group; Edit Group; Add Network (must also have "modify networks"); Edit Network (must also have "modify networks")

  Permission: Edit Self (link from "Hello username" > My Details)
  Functions: N/A
  Associated Screens: My Details
  Note: Unless the logged-in user has other user management permissions, they can only change their password, full name, and email address.

Resource: Assets

  Permission: read only
  Functions: Read (read only, no adding or modifying allowed)
  Associated Screens: Asset Management; Asset Details; Asset Filter; Host Property Management; Host Property Details; Services Management; Services Details; Exclusion Lists Management; Exclusion List Details

  Permission: modify assets
  Functions: Add/Edit/Delete Assets
  Associated Screens: Asset Management; Asset Filter; Add Assets; Edit Assets

  Permission: modify asset properties
  Functions: Add/Edit/Delete Properties
  Associated Screens: Asset Properties Management; Add Property; Edit Property

  Permission: modify services
  Functions: Add/Edit/Delete Services
  Associated Screens: Services Management; Add Services; Edit Services

  Permission: modify exclusion lists
  Functions: Add/Edit/Delete
  Associated Screens: Exclusion List Management; Add List; Edit List

  Permission: globalize exclusion lists
  Functions: Make Global
  Associated Screens: Exclusion List Management

Resource: Networks

  Permission: read only
  Functions: Read (read only, no adding or modifying allowed)
  Associated Screens: Network Management; Network Details; Network Property Management; Network Property Details; Network Group Management; Network Group Details

  Permission: modify networks
  Functions: Add/Edit/Delete Networks
  Associated Screens: Network Management; Add Network; Edit Network

  Permission: modify network properties
  Functions: Add/Delete Properties
  Associated Screens: Network Property Management; Add Network Property

  Permission: modify network groups
  Functions: Add/Edit/Delete Network Groups
  Associated Screens: Network Group Management; Add Network Group; Edit Network Group

Resource: Assessment Servers

  Permission: read only
  Functions: Read (read only, no adding or modifying allowed)
  Associated Screens: Assessment Server Management; Assessment Server Details; Connector Instance Details

  Permission: modify assessment servers
  Functions: Add/Edit/Delete AS and Connector Instances
  Associated Screens: Assessment Server Management; Add Assessment Server; Edit Assessment Server; Add Connector Instance; Edit Connector Instance

Resource: System Updates

  Permission: update system
  Functions: Read/Upload/Update/Rollback/Check for Updates
  Associated Screens: System Update Management

Resource: System Preferences

  Permission: modify due date and criticality
  Functions: Edit due date and criticality
  Associated Screens: System Preferences

Resource: Manual Audit Tasks

  Permission: read only
  Functions: Read (read only, no adding or modifying allowed)
  Associated Screens: MAT Management (By Task, By Recipient tabs); MAT Details; Filter tab; MAT Recipient Group Management; MAT Recipient Group Details

  Permission: modify MATs
  Functions: Add/Copy/Edit/Delete MATs (includes assignment and scheduling)
  Associated Screens: MAT Management (By Task, By Recipient tabs); Add MAT; Edit MAT; Filter Tab

  Permission: modify MAT Recipient Groups
  Functions: Add/Copy/Edit/Delete Recipient Groups
  Associated Screens: MAT Recipient Group Management; Add MAT Recipient Group; Edit MAT Recipient Group

  Permission: resolve MATs
  Functions: Update MAT Status/View MAT Summary
  Associated Screens: MAT Management (My Tasks tab); MAT Details; Filter tab

Resource: Remediations

  Permission: read only
  Functions: Read (read only, no adding or modifying allowed)
  Associated Screens: Latest Tasks dashboard portlet; Asset Summary (must also have "Report Management" resource and "access reports" permission); Remediation Task Management (Task Assignment tab); Filter Options tab; Column View Options tab; Remediation Details; Asset Details Standard Report (must also have "Report Management" resource and "access reports" permission); Assignment Rule Management; Assignment Rule Details; External Remediation Systems Management; External Remediation System Details; External Remediation Systems Users Management; External Remediation User Details; External Patch Management Systems Management; External Patch Management System Details

  Permission: assign remediations
  Functions: Assign and Reassign/Modify Due Date
  Associated Screens: Latest Tasks dashboard portlet; Asset Summary (must also have "Report Management" resource and "access reports" permission); Remediation Task Management (Task Assignment tab); Filter Options tab; Column View Options tab; Remediation Details; Asset Details Standard Report (must also have "Report Management" resource and "access reports" permission)

  Permission: prioritize remediations
  Functions: Prioritize/Modify Due Date
  Associated Screens: as for assign remediations

  Permission: modify preassignment rules
  Functions: Add/Edit/Delete Rules
  Associated Screens: Assignment Rule Management; Add Assignment Rule; Edit Assignment Rule

  Permission: resolve remediations
  Functions: Update Remediation Status/View My Tasks Portlet/View Remediation Details/Patch Remediations
  Associated Screens: Remediation Task Management (My Tasks tab); Filter Options tab; Column View Options tab; My Tasks dashboard portlet; Remediation Details; can "Patch" if an external system is available
  Note: Only users with Preventsys accounts will have the PMS option (external users not associated with a Preventsys user will not).

  Permission: modify external systems
  Functions: Add/Edit/Delete External PMS and Remediation Systems and Users
  Associated Screens: External Remediation Systems Management; Add External Remediation System; Edit External Remediation System; External Remediation Users Management; Add External Remediation User; Edit External Remediation User; External Patch Management System Management; Add External Patch Management System; Edit External Patch Management System

Resource: Policies and Rules

  Permission: read only
  Functions: Read (read only, no adding or modifying allowed)
  Associated Screens: Policy Management; View Policy Details; Rule Management; View PDL Rule Details

  Permission: modify rules/policies
  Functions: Access PolicyLab/View Policy and Rule Management/View Policy and Rule
  Associated Screens: Policy Management; View Policy Details; Rule Management; View PDL Rule Details; can log on to the PolicyLab application

  Permission: deactivate rules/policies
  Functions: Deactivate Rules and Policies
  Associated Screens: Policy Management; View Policy Details; Rule Management; View PDL Rule Details

  Permission: import/export policies
  Functions: Import, Export, and Rollback
  Associated Screens: Policy Management; View Policy Details; Rule Management; View PDL Rule Details; Import Preventsys Policies; Update Policy Library (the user will still require a Support account to log on to the Support site)

Resource: Assessments

  Permission: read only
  Functions: Read (read only, no adding or modifying allowed)
  Associated Screens: Assessment Configuration Management; Assessment Configuration Details; Assessment Schedule Management; Assessment Schedule Details; Connector Configuration Management; Connector Configuration Details; Assessment Status Management – Standard View and Extended View; Assessment Status dashboard portlet; Assessment Status Details; Assessment XML Results; Enterprise Group Management; Enterprise Group Details

  Permission: modify assessment configurations
  Functions: Add/Edit/Copy/Delete Assessment Configurations
  Associated Screens: Assessment Configuration Management; Add Assessment Configuration (must have Asset:Read Only or Asset:Modify Exclusion Lists permission to view/add exclusion lists to assessment configurations); Edit Assessment Configuration (must have Asset:Read Only or Asset:Modify Exclusion Lists permission to view/add exclusion lists to assessment configurations); Assessment Status Management Standard View; Assessment Status dashboard portlet; Assessment Status Details; Assessment XML Results

  Permission: modify analysis
  Functions: Can select a policy and the threat analysis option when editing an assessment configuration
  Associated Screens: Assessment Configuration Management; Edit Assessment Configuration; Assessment Status Management Standard View; Assessment Status dashboard portlet; Assessment Status Details; Assessment XML Results

  Permission: import
  Functions: Import To Assessment

  Permission: schedule
  Functions: Add/Edit/Delete Schedules/Execute Now
  Associated Screens: Assessment Configuration
Management
ƒ
Import Assessment
Data
ƒ
Assessment Status
Management Standard View
ƒ
Assessment Status
dashboard portlet
ƒ
Assessment Status
Details
ƒ
Assessment XML
Results
ƒ
Assessment
Configuration
Management
ƒ
Assessment Schedule
Management
ƒ
Assessment Status
Management Standard View
ƒ
Assessment Status
dashboard portlet
ƒ
Assessment Status
Details
ƒ
Assessment XML
Results
ƒ
Assessment Status
Management Standard View
cancel
Cancel
Assessments
pause
Pause/Resume
Assessments
ƒ
Assessment Status
dashboard portlet
terminate all
Terminate All
Assessments
ƒ
Assessment Status
Details
delete
Delete Assessments ƒ
hide
Hide Assessments
52
Assessment XML
Results
McAfee Preventsys Risk Analyzer and Compliance Auditor
Resource
User Authorization
Permission
Functions
unhide
Unhide
Assessments
ƒ
Assessment Status
dashboard portlet
ƒ
Assessment Status
Details
ƒ
Assessment XML
Results
ƒ
Configure
Reanalysis and View
Reanalysis Status
ƒ
reanalyze
modify connector
configurations
modify enterprise
groups
Threat Alerts
Associated Screens
ƒ
Assessment Status
Management Extended View
read threat alerts
53
Add/Edit/Delete
Connector
Configurations
Re-Analysis
Management
ƒ
Re-Analysis Status
Management
ƒ
Connector
Configuration
Management
ƒ
Add Connector
Configuration
ƒ
Edit Connector
Configuration
Add/Edit/Copy/Delet ƒ
e/Activate
ƒ
All Threats/Threat
Details/Latest
Threats
Select Order to View
Assessments
Enterprise Group
Management
Add Enterprise Group
ƒ
Edit Enterprise Group
ƒ
Top Threats
ƒ
Latest Threats
ƒ
All Threats
ƒ
All Threats Filter tab
ƒ
All Threats Column
Chooser tab
ƒ
Threat Details
ƒ
Asset Summary (must
have “Report
Management”
resource and “access
reports” permission)
ƒ
Remediation Details
(must have
“Remediations”
resource and either
“read only”, “assign”,
“prioritize”, or
“resolve” permission)
McAfee Preventsys Risk Analyzer and Compliance Auditor
User Authorization
Resource
Permission
Functions
Reports
access reports
Read/Modify
Filter/View
ƒ
Enterprise
Compliance,
Enterprise Trending,
Exposure, and
Compliance
Dashboard portlets
publish reports
Publish/Delete
Associated Screens
ƒ
All Reports
ƒ
Assessment Details
Published Reports
Management
To access the Group Management screen:
• From the Preventsys menu, select Admin > Groups. The Group Management screen appears.

Use the Group Management screen to view existing groups, create new groups, edit existing groups, add and remove group members, and remove groups. You can also view groups by the networks to which they are associated by selecting the By Network tab. Note that the Super User group cannot be edited, copied, or deleted; you can only add users to it and remove users from it.

Note: If you are a member of the Super User group, all groups are displayed. Otherwise, only the groups to which you belong are displayed.

Adding Groups
Preventsys automatically adds you as a member of every user group you create.

To add a group:
1. From the Preventsys menu, select Admin > Groups. The Group Management screen appears.
2. Click Add New Group. The Add Group screen appears.
3. Enter a name for the group and, if desired, a description.
4. Under Resource Permissions, select the permissions under each resource to which the group should have access. Selecting the checkbox next to a resource selects all permissions for that resource. A gray check signifies that only some permissions for a resource are selected.
Note: If a group is given both the Read Only and Modify permissions for the same resource, the Modify permission takes precedence.
5. Under Network Permission, select the networks from the Available box to which the group should have access. By selecting a network, you are allowing all members of the group to view and modify content associated with that network. For example, a group with permission to Network1 and the Resolve Remediations permission can be assigned remediation tasks associated with assets in Network1.
Note: If you are a member of the Super User group, all networks are displayed in the Available box. Otherwise, only networks within the range of your own network permissions are displayed.
6. Click Submit to add the group.
Editing Groups
If a group is edited so that permissions or networks are removed from it, members of that group lose their authorization to the removed permissions and network ranges. To retain the same authorization, a user must belong to another group (or groups) that grants the same permission and network range combinations that were removed.

To edit a group:
1. From the Preventsys menu, select Admin > Groups. The Group Management screen appears.
2. Click Edit for the group you want to modify. The Edit Group screen appears.
3. Edit the group as desired.
4. Click Submit to save your changes.
Deleting Groups
If a group is deleted, members of that group lose their authorization to the permissions and network ranges that were unique to that group. To retain the same authorization, a user must belong to another group (or groups) that grants the same permission and network range combinations as the deleted group.

To delete a group:
1. From the Preventsys menu, select Admin > Groups. The Group Management screen appears.
2. Click Delete for the group you want removed. A confirmation pop-up box appears.
3. Click OK to delete the selected group.
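The authorization model described in this section (a group grants resource permissions over a set of networks, a user's authorization is whatever any of their groups grants, Modify outranks Read Only, and editing or deleting a group only costs a user what no other group still provides) can be checked before a group change is made. The following is an added example, not Preventsys code; the group names, permission names, and network names are constructed, and applying the Read Only/Modify precedence across groups rather than within one group is this example's assumption.

```python
# Added example (not Preventsys code): a model of how group membership
# yields a user's effective authorization, as described in this chapter.
# Group names, permission names and network names below are constructed.

from dataclasses import dataclass


@dataclass
class Group:
    name: str
    permissions: set      # (resource, permission) pairs granted by the group
    networks: set         # networks the group's permissions apply to
    members: set          # usernames


def effective_grants(user, groups):
    """All (resource, permission, network) triples the user holds.

    Authorization is the union of everything any of the user's groups
    grants.  Where a user ends up with both Read Only and Modify on the
    same resource and network, Modify takes precedence and Read Only is
    dropped from the result (assumption: the manual states the precedence
    for a single group; this applies it across groups as well).
    """
    grants = set()
    for g in groups:
        if user not in g.members:
            continue
        for resource, permission in g.permissions:
            for network in g.networks:
                grants.add((resource, permission, network))
    for resource, permission, network in list(grants):
        if permission == "read only" and (resource, "modify", network) in grants:
            grants.discard((resource, permission, network))
    return grants


def lost_on_removal(user, groups, group_name):
    """Grants the user loses if group_name is deleted or the user is removed
    from it: only what no other group of theirs also grants."""
    before = effective_grants(user, groups)
    after = effective_grants(user, [g for g in groups if g.name != group_name])
    return before - after


def can_be_assigned_tasks(user, groups, network):
    """The manual's example: Resolve Remediations on a network allows the
    user to be assigned remediation tasks for assets in that network."""
    return ("Remediations", "resolve", network) in effective_grants(user, groups)


# Constructed sample data.
GROUPS = [
    Group("Remediators", {("Remediations", "resolve")}, {"Network1"}, {"jdoe"}),
    Group("Readers", {("Remediations", "read only"), ("Assets", "read only")},
          {"Network1", "Network2"}, {"jdoe", "asmith"}),
    Group("AssetAdmins", {("Assets", "modify")}, {"Network1"}, {"jdoe"}),
]

if __name__ == "__main__":
    for triple in sorted(effective_grants("jdoe", GROUPS)):
        print("jdoe holds", triple)
    print("jdoe loses on leaving Readers:",
          sorted(lost_on_removal("jdoe", GROUPS, "Readers")))
```

Running `lost_on_removal` for each member before deleting a group is the practical check: it lists exactly the permission and network combinations a user would have to obtain from another group to keep the same access.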
Adding and Removing Users from Groups
Use the Add and Remove Users function to add users (both local and remote) to, and remove users from, the groups to which they belong.

If a user is removed from a group, that user loses authorization to the permissions and network ranges unique to that group. To retain the same authorization, the user must belong to another group (or groups) that grants the same permission and network range combinations as the group from which they were removed.

Note: Preventsys does not allow a logged-in user to remove himself or herself from the Super User group. Another logged-in user with the correct permissions must perform this action on behalf of that user.

To add and remove users from a group:
1. On the Group Management screen, click Add/Remove Group Users. The Add/Remove Users screen appears.
Note: All users are displayed regardless of the groups to which they belong.
2. To save your settings, click Submit.
Managing Users
All user administration is conducted from the User Management screen. From this screen, you can view the list of existing users, including each user's username, full name, email address, and authentication type (Local or Remote). You can also add new users (both local and remote), edit existing users, and delete users. See User Authentication (on page 38) for details about local and remote authentication.

To access the User Management screen:
• From the Preventsys menu, select Admin > User. The User Management screen appears. The By User tab is selected by default.

Note: The By User tab displays all users regardless of your group permissions.

If you select the By Group tab, you can view a list of existing groups and their members.

Note: The By Group tab displays all groups and their members regardless of your group permissions.

About Passwords
Preventsys enforces a strong password policy for local users. All local user passwords must meet the following standards. Preventsys does not enforce password formats for remote users; their passwords are managed by the directory that authenticates them.
• Must be between 7 and 20 characters
• Must contain at least one upper case and one lower case character
• Must contain at least one number

Note: The password policy is applied whenever a new user is added or a password is changed. Existing passwords that do not meet the policy continue to be accepted. Therefore, if you want all users to adhere to the policy, ask them to change their passwords.
Adding Local User Accounts
All local users must be assigned a username, password, full name, and email address. In addition, users should be added to at least one group that has the desired resources and permissions.

To add a local user:
1. From the Preventsys menu, select Admin > User. The User Management screen appears.
2. Click Add New User. The Add User screen appears.
3. Select the Local User tab.
4. Enter a username (case insensitive), enter and confirm a password (case sensitive), enter a full name, and enter an email address.
5. From the Groups box, select the groups to which you want the user to belong.
Note: If you are a member of the Super User group, all groups are displayed in the Groups list. Otherwise, only the groups to which you belong are presented.
6. Click Submit to add the user.

Note: If you have an external remediation system configured in Preventsys, the Associate External Remediation User screen is displayed after the new user is created. See To create an associated external remediation user (on page 191) for details.
Adding Remote User Accounts
After a connection to an Active Directory (AD) is established, you can add remote user accounts for users associated with that AD.

To add a remote user:
1. From the Preventsys menu, select Admin > Users. The User Management screen appears.
2. Click Add New User. The Add User screen appears.
3. Select the Remote User tab. The Add Remote User screen appears.
4. Click Apply Filter to view the users associated with the AD server to which you created a connection.
Note: To view AD built-in users as well as other AD users, enter * in the User Name text box, and click Apply Filter.
5. To refine the list of users displayed further, use the following filter criteria.
• User name: The name of the user within the Base DN that was entered for the LDAP server connection in the previous section. For example, jdoe.
• Full name: The full name of the user within the Base DN. For example, John Doe.
• Email: The email address of the user. For example, [email protected].
• Domain: The domain of the user(s). For example, POLCAP2.local, where the Base DN search string was set using DC=POLCAP2,DC=local with the domain components POLCAP2 and local.
• Group: The name of the group within the LDAP subtree to be searched. For example, engineering or hr.
• Users: Selecting Available Users searches for LDAP users that are not already in Preventsys. Selecting All Users returns all LDAP users that match the search criteria, even if they have already been added to Preventsys. Note: users that have already been added to Preventsys have their checkboxes grayed out so that they cannot be added again.
6. Select the checkbox next to the User Name for each user you want added to Preventsys. To select all users on the page you are viewing, select the checkbox in the column header. To select all users on all pages, select All on All Pages.
7. In the Groups box, select the groups to which you want the selected users to belong.
8. To save your settings, click Submit.

Note: If you want this user to be associated with an external remediation user, see Associating an External Remediation User with a Preventsys User (on page 191) for details.
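The filter criteria above are turned into a directory search against the Base DN of the LDAP connection. The example below, added here and not Preventsys code, shows how such a search filter is assembled from the User name, Full name, Email, Domain, and Group fields, and why each typed value must be escaped: an unescaped value containing `)(` would otherwise change the meaning of the filter. The attribute names (sAMAccountName, displayName, mail, memberOf) are the usual Active Directory ones; the assumption that groups sit directly under the base DN, and the base DN DC=POLCAP2,DC=local, follow the manual's example rather than anything Preventsys documents.

```python
# Added example (not Preventsys code): building the directory search that a
# remote-user filter like the one above would issue, with the operator-typed
# values escaped so that they cannot alter the filter.  The attribute names
# (sAMAccountName, displayName, mail, memberOf) are the usual Active
# Directory ones; placing groups directly under the base DN and the base DN
# DC=POLCAP2,DC=local are this example's assumptions.

import re

_DOMAIN_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def ldap_escape(value):
    """Escape an assertion value per RFC 4515.  A value of exactly "*" is
    passed through so it still works as the wildcard that the "enter * in
    the User Name text box" note relies on; an embedded "*" is escaped."""
    if value == "*":
        return "*"
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def valid_domain(domain):
    """True only for a plain DNS name such as POLCAP2.local."""
    return all(_DOMAIN_LABEL.match(label) for label in domain.split("."))


def domain_to_base_dn(domain):
    """POLCAP2.local -> DC=POLCAP2,DC=local, rejecting anything that is not a
    plain DNS name so a typed domain cannot smuggle in extra RDNs."""
    if not valid_domain(domain):
        raise ValueError("not a DNS domain name: %r" % domain)
    return ",".join("DC=" + label for label in domain.split("."))


def build_user_filter(user_name="", full_name="", email="", group="",
                      base_dn="DC=POLCAP2,DC=local"):
    """Combine the filter criteria into one AND-ed LDAP search filter.
    Empty criteria are omitted, mirroring the screen's optional fields."""
    terms = ["(objectClass=user)"]
    if user_name:
        terms.append("(sAMAccountName=%s)" % ldap_escape(user_name))
    if full_name:
        terms.append("(displayName=%s)" % ldap_escape(full_name))
    if email:
        terms.append("(mail=%s)" % ldap_escape(email))
    if group:
        # The group DN goes through DN escaping first, then filter escaping,
        # because the whole DN is itself a filter assertion value.
        group_dn = "CN=%s,%s" % (escape_dn_value(group), base_dn)
        terms.append("(memberOf=%s)" % ldap_escape(group_dn))
    return "(&" + "".join(terms) + ")"


if __name__ == "__main__":
    print(build_user_filter(user_name="jdoe", group="hr",
                            base_dn=domain_to_base_dn("POLCAP2.local")))
    # An injection attempt typed into the User name field is neutralised:
    print(build_user_filter(user_name="jdoe)(sAMAccountName=*"))
```

The same discipline applies to any tool that lets an operator type search criteria that end up in an LDAP query: escape assertion values, validate the domain before turning it into a base DN, and allow the bare `*` wildcard deliberately rather than by accident.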
Editing User Accounts
You cannot edit your own username. Only a user belonging to the Super User group, or a user belonging to a group with the Users resource, the Modify Users permission, and the same network associations as your group, can make this change for you.

Note: Only users belonging to the Super User group can modify the accounts of other users belonging to this group.

To edit a local user:
1. From the Preventsys menu, select Admin > Users. The User Management screen appears.
2. Click Edit for the local user you want to modify. The Edit Local User screen appears.
3. Edit the user's information as desired.
4. To save your changes, click Submit.

To edit a remote user:
1. From the Preventsys menu, select Admin > Users. The User Management screen appears.
2. On the User Management screen, click Edit for the remote user you want to modify. The Edit Remote User screen appears.
3. In the Groups box, select the groups to which you want the user to belong.
4. To verify the user in the Active Directory (AD), click Verify. Preventsys retrieves the user's full name, user DN, and email address. If Preventsys cannot contact the AD or the user cannot be found, a notification message appears.
5. To save your changes, click Submit.

Deleting User Accounts
You cannot delete yourself. If there is only one user in the Super User group, you also cannot delete that user.

How Remediation Tasks Are Affected
If a user who has open remediation tasks assigned to them is deleted, Preventsys automatically changes those tasks to the Unassigned state. For example, if JohnSmith has four remediation tasks that are not resolved (that is, he has not changed their statuses to Claimed Resolved, False Positive, or Accepted Risk), Preventsys automatically changes the status of these four tasks to Unassigned after his account is deleted. These tasks can then be reassigned to a different user. See About the Remediation Lifecycle and Workflows (on page 165) for details.

If a user is deleted who has remediation tasks assigned to them that are in the process of being patched by an external patch management system, the patching process continues. However, the tasks may be reassigned as described previously.

To delete a user account:
1. From the Preventsys menu, select Admin > Users. The User Management screen appears.
2. On the User Management screen, click Delete for the user you want removed. A confirmation pop-up box appears.
3. Click OK to delete the selected user. The user's account is removed from Preventsys. Note that remote users are only disassociated from Preventsys when deleted; the Active Directory itself is not altered. These users can be given access again by following the Add User Account instructions provided in this chapter.
Editing Your User Information
If you are a local user, you can change your password, name, and email address.

Note: You cannot edit your username. Only a user belonging to the Super User group, or a user belonging to a group with the Users resource, the Modify Users permission, and the same network associations as your group, can make this change for you.

To edit your user information:
1. Click your username in the upper right-hand corner of any screen, next to the word Hello.
2. On the My Details screen, modify your information as desired.
3. To save your changes, click Submit.

Chapter 6
Assets and Networks
Before Preventsys can perform assessments on your networks, you must first define those networks. This chapter discusses how to add networks, assets, and network groups.

Useful Terms
Please review the following terms before continuing with this chapter.
• Asset: An Asset is an IP-based system (for example, a router, switch, server, or firewall).
• Service: A Service specifies whether the given service runs under TCP or UDP and the port that the service runs on. Services are associated with Host Property Specifications to specify which services are required or prohibited for an asset.
• Host Property: A Host Property defines the asset/host type (for example, Trusted, Firewall, and Router). This allows policy violations, in the context of asset type, to be detected during an analysis.
• Network: A Network is a collection of IP-based systems (for example, routers, switches, servers, and firewalls) that are grouped as a logical unit. For example, a Finance Network might include all servers, routers, and systems that service the finance department.
• Network Property: A Network Property defines the network type (for example, DMZ, Private, Public). This allows for the detection of policy violations in the context of network type during analysis if a policy is used. Network properties can be exclusive or non-exclusive.
• Time Window: A Time Window specifies the times at which Preventsys is allowed to conduct assessments on a given network.
• Network Group: A Network Group is a network or a selection of networks that you group together for the purposes of assessment. When creating an Assessment Configuration, you select the network group you want to assess.
• Exclusion List: An Exclusion List specifies the assets that you want Preventsys to ignore during an assessment.
Managing Assets
Each asset represents a specific machine on your network and must have a name, an IP address, a unique ID, an operating system, a description, a host property, a financial impact, and an operational impact value.

The unique ID is either a static IP address or, on DHCP networks, a MAC address. This unique ID is used to identify assets despite potential changes to the asset name or IP address.

Host properties are used to define the type of asset, allowing for the detection of policy violations in the context of asset type during analysis.

The financial impact of an asset (for example, its replacement cost) is used for calculating assets-at-risk data. If you wish to assign a specific dollar value to an individual asset, you can do so using the Edit Asset function. Assets that are not assigned a financial impact use the average value assigned to the parent network.

The hourly operational impact is the cost that you would incur from an operations perspective (for example, the amount of work time lost, in $ per hour) if a machine were compromised. This value is used for calculating exposure risk, which is displayed on the Security Risk Dashboard. Assets that are not assigned an operational impact use the average value assigned to the parent network.

After adding the networks you want to assess, creating and running an assessment triggers the Dynamic Address Resolution process, which automatically populates Preventsys with asset data. You can then edit these assets and add information such as the asset's unique ID, host property, and dollar value. While this process automatically retrieves asset data as part of the assessment process, you can also manually add and delete assets.

Note: The Unique Host ID must match the IP or MAC address of an asset. If you add or edit an asset such that the Unique Host ID no longer matches the IP address, and an assessment is conducted against a static network containing that IP, the assessment filters out results from that host. To resolve this issue, edit the asset's IP and Unique Host ID so that they are the same, and run a new assessment.
Declared versus Discovered Asset Data
Asset data can be either discovered or declared. Discovered asset data is information about an asset obtained from state data gathered during an assessment, such as scan results. Declared asset data is information about an asset's configuration that you manually enter or import into Preventsys.

Preventsys always gives precedence to declared asset data over discovered asset data. Therefore, changes you make to declared data are used and displayed in the application.

Declared data consists of IP address, MAC address, hostname, and operating system. Because the hostname and operating system are non-primary keys, they are given precedence in Preventsys.

The declared data is generally displayed in reports, both current and historical. Therefore, declared data overrides any previous data that would have been displayed in a report, which means that the current declared data also appears in historical reports. Keep this in mind when reading a historical report: the hostname or operating system shown there reflects the current declared value, not necessarily what was observed at the time. If there is no declared or discovered data for a field (for example, no OS data), a message stating that the data is unknown is displayed.
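The two rules just described, that the Unique Host ID must equal the asset's IP or MAC address for its results to survive a static-network assessment and that declared values win over discovered ones field by field, together with the fallback of an unassigned financial or operational impact to the parent network's average, are straightforward to check before an assessment runs. The following is an added example, not Preventsys code; the asset records, the network averages, and the field names are this example's own.

```python
# Added example (not Preventsys code): the Unique Host ID consistency rule and
# the declared-over-discovered precedence described above, applied to
# constructed asset records.  The record layout and field names are this
# example's own.

import ipaddress
import re

_MAC = re.compile(r"^([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]"
                  r"([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})$")

VIEW_FIELDS = ("ip", "mac", "hostname", "os")


def normalize_mac(mac):
    """Return a MAC as lower-case colon-separated hex, or None if malformed."""
    m = _MAC.match(mac or "")
    return ":".join(g.lower() for g in m.groups()) if m else None


def unique_id_kind(uid):
    """A Unique Host ID is either a static IP address or a MAC address."""
    try:
        ipaddress.ip_address(uid)
        return "ip"
    except ValueError:
        return "mac" if normalize_mac(uid) else None


def unique_id_matches(asset):
    """True when the Unique Host ID equals the asset's IP or MAC.  When it
    does not, an assessment of a static network containing that IP filters
    the host's results out, so this is the check to run before assessing."""
    uid = asset.get("unique_id", "")
    kind = unique_id_kind(uid)
    if kind == "ip":
        return ipaddress.ip_address(uid) == ipaddress.ip_address(asset["ip"])
    if kind == "mac":
        return normalize_mac(uid) == normalize_mac(asset.get("mac"))
    return False


def merge_asset_view(declared, discovered):
    """Field-by-field view the application would display: a declared value
    wins over a discovered one; a field with neither is reported as unknown."""
    return {f: declared.get(f) or discovered.get(f) or "unknown" for f in VIEW_FIELDS}


def effective_impacts(asset, network_average):
    """(financial, operational-per-hour) used in assets-at-risk and exposure
    calculations: the asset's own values, falling back to the parent
    network's averages where none was assigned."""
    fin = asset.get("financial_impact")
    ops = asset.get("operational_impact_per_hour")
    return (fin if fin is not None else network_average["financial_impact"],
            ops if ops is not None else network_average["operational_impact_per_hour"])


def preflight(assets):
    """Names of assets whose Unique Host ID would cause their results to be
    dropped from a static-network assessment."""
    return [a["name"] for a in assets if not unique_id_matches(a)]


# Constructed sample records.
DECLARED = {"name": "web01", "ip": "10.1.2.3", "unique_id": "10.1.2.3",
            "hostname": "web01", "os": "Linux", "financial_impact": None,
            "operational_impact_per_hour": 250.0}
DISCOVERED = {"ip": "10.1.2.3", "mac": "00-11-22-AA-BB-CC",
              "hostname": "dhcp-17", "os": ""}
NETWORK_AVERAGE = {"financial_impact": 5000.0, "operational_impact_per_hour": 100.0}

if __name__ == "__main__":
    print(merge_asset_view(DECLARED, DISCOVERED))
    print(effective_impacts(DECLARED, NETWORK_AVERAGE))
    print(preflight([DECLARED, dict(DECLARED, name="web02", unique_id="10.1.2.9")]))
```

`preflight` is the piece worth running after any bulk edit or import of declared data: a host it lists will silently disappear from the next static-network assessment's results, which is easy to mistake for the host being clean.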
All asset administration is conducted from the Asset Management screen.

To access the Asset Management screen:
• From the Preventsys menu, select Admin > Assets. The Asset Management screen appears.

From the Asset Management screen, you can view a list of existing assets, view details about an asset, add new assets, edit existing assets, and delete assets.

Note: If you are a member of the Super User group, all assets are displayed. Otherwise, only assets that are within the range of the network permissions of the groups to which you belong are displayed.

Adding an asset
Assets are generally acquired using the Dynamic Address Resolution Connector (DARC) during the assessment process. New assets only need to be added manually in the rare instances where DARC cannot acquire basic asset data, for example on packet-filtered assets or assets with sporadic uptimes.

To add an asset:
1. From the Preventsys menu, select Admin > Assets. The Asset Management screen appears.
2. Click Add New Asset. The Add Asset screen appears.
3. Enter an asset name, IP address, unique ID, operating system, and, if desired, a description.
Note: You can only enter assets that are within the range of network permissions for the groups to which you belong.
4. From the Host Properties box, select the properties you want the asset to have.
5. Change the financial impact and operational impact per hour costs if desired, or use the default values.
6. Click Submit to save the asset.
Editing an asset
The Dynamic Address Resolution Connector (DARC) automatically retrieves basic asset data as part of the assessment process. However, host properties and dollar values must be assigned manually by editing the asset.

To edit an asset:
1. From the Preventsys menu, select Admin > Assets. The Asset Management screen appears.
2. Click Edit for the asset you want to modify. The Edit Asset screen appears.
3. Edit the asset's information as desired.
Note: In general, it is recommended that you do not edit the Unique ID field. This is the value used to track hosts across successive assessments. The Unique ID should only be edited for manually added hosts or for hosts that change to a new static IP address.
4. To save your changes, click Submit.

Deleting an Asset
Assets are normally deleted automatically by the Dynamic Address Resolution Connector (DARC) as part of the assessment process. Assets only need to be deleted manually in the rare instances where DARC cannot track the selected asset (as in the case of manually added assets) or where the assessment process is causing errors on the specified asset. For example, if the assessment process is causing a printer to crash, you can manually delete the printer's asset to alleviate the problem. Deleting an asset does not by itself stop future assessments from probing it; an Exclusion List (see Useful Terms) is the mechanism for having Preventsys ignore an asset during an assessment.

To delete an asset:
1. From the Preventsys menu, select Admin > Assets. The Asset Management screen appears.
2. Click Delete for the asset you want removed. A confirmation pop-up box appears.
3. Click OK to delete the selected asset.
Managing Host Properties
Assets are categorized into types referred to as Host Properties (for example, routers and firewalls). During analysis, host properties allow for the detection of policy violations in the context of asset type when PDL policies are applied to assessment results.

For example, the Webserver_Constraint host property may be applied to dedicated Web servers to ensure that they run no services other than SSHD (Secure Shell Daemon) and HTTPD (Hypertext Transfer Protocol Daemon). A policy violation is reported if any other services are detected when assets with the Webserver_Constraint host property are assessed.

There are two types of host properties: Label and Specification. A Host Property Label is used to define a list of assets that may or may not have any common network characteristics. A Host Property Specification also defines a list of assets and, in addition, specifies a list of services that are required or prohibited for each of those assets.

For example, if a company's development machines neither prohibit nor require any specific services, a host property label can be used to identify the list of assets that are considered development machines. However, machines such as commerce servers often have specific common characteristics. For example, in most corporations, commerce servers typically require HTTPS, may require HTTP, and prohibit insecure services like telnet. In this case, you can use a host property specification to define the list of assets that are commerce servers and define which services are required, allowed, and prohibited from running on them.

Label-based host properties include a name only, while specification-based host properties include a name, description, solution, severity level, and service mappings, as well as an indicator determining whether the host property should be applied to all assets. The description provides basic information about the host property. The solution includes a text description and/or links for alleviating policy violations associated with the selected host property. Severity levels range from 1 to 100, with 100 being the most severe.

Preventsys provides a set of standard Host Property Specifications and Host Property Labels for you. Refer to the Preventsys Policy Reference Guide for a list of these.

All Host Property administration is conducted from the Host Property Management screen.

To access the Host Property Management screen:
• From the Preventsys menu, select Admin > Host Property. The Host Property Management screen appears.

From the Host Property Management screen, you can view a list of existing properties, add new properties, edit existing properties, and delete properties.

Adding a Host Property
Use the Add Host Property function to create new host properties.

To add a host property:
1. From the Preventsys menu, select Admin > Host Property. The Host Property Management screen appears.
2. Click Add New Host Property. The Add Host Property screen appears.
3. Enter a host property name (80 characters maximum; no spaces).
4. Select the type of host property you want: either Specification or Label. If you selected Label, skip to Step 9.
5. Enter a description and solution for the host property, and select a severity level.
6. If you want the host property automatically applied to all existing assets as well as new assets, select Apply to all assets.
Note: The Apply to all Assets option only applies the property to assets that are within the range of network permissions for the groups to which you belong.
7. Specify how you want Preventsys to handle the services for which you do not identify a mapping in Step 8.
8. Specify which services you want to be mandatory, allowed, or prohibited for the host property by selecting a Type of Mapping for each service.
9. To save your settings, click Submit.
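Steps 7 and 8 define what a specification-based host property actually asserts about an asset: a mapping of mandatory, allowed, or prohibited per service, plus a default for every service you did not map. The example below, added here and not Preventsys code, evaluates an asset's observed services against such specifications the way the Webserver_Constraint and commerce-server examples earlier in this section describe. The service subset is taken from the standard services listed later in this chapter; the two specifications, their severities, and the observed port sets are constructed, and the evaluation logic (including reporting an unmapped endpoint by name where the service table knows it) is this example's own rather than Preventsys' analysis engine.

```python
# Added example (not Preventsys code): evaluating an asset's observed services
# against a specification-based host property with mandatory / allowed /
# prohibited mappings and a default for unmapped services, as created in the
# procedure above.  The service table subset is taken from the standard
# services listed later in this chapter; the specifications and observed
# port sets are constructed, and the evaluation logic is this example's own.

# name -> (protocol, port), a subset of the shipped services
SERVICES = {
    "ssh": ("tcp", 22),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "telnet": ("tcp", 23),
    "ftp": ("tcp", 21),
    "snmp": ("udp", 161),
}
_BY_ENDPOINT = {v: k for k, v in SERVICES.items()}
MAPPING_TYPES = ("mandatory", "allowed", "prohibited")


class HostPropertySpec:
    """A specification-based host property: name, severity (1-100), a
    mapping type per service, and how unmapped services are treated."""

    def __init__(self, name, severity, mappings, unmapped="allowed"):
        if not 1 <= severity <= 100:
            raise ValueError("severity must be 1..100")
        if unmapped not in ("allowed", "prohibited"):
            raise ValueError("unmapped must be 'allowed' or 'prohibited'")
        for svc, mapping in mappings.items():
            if svc not in SERVICES or mapping not in MAPPING_TYPES:
                raise ValueError("bad mapping %s=%s" % (svc, mapping))
        self.name = name
        self.severity = severity
        self.mappings = mappings
        self.unmapped = unmapped

    def evaluate(self, observed):
        """observed: set of (protocol, port) seen on the asset.
        Returns (kind, service) violations in mapping order, then any
        unmapped endpoints in sorted order when the default is prohibited."""
        violations = []
        for svc, mapping in self.mappings.items():
            present = SERVICES[svc] in observed
            if mapping == "mandatory" and not present:
                violations.append(("missing mandatory", svc))
            elif mapping == "prohibited" and present:
                violations.append(("prohibited present", svc))
        if self.unmapped == "prohibited":
            mapped = {SERVICES[s] for s in self.mappings}
            for ep in sorted(observed - mapped):
                violations.append(("unmapped present", _BY_ENDPOINT.get(ep, "%s/%d" % ep)))
        return violations


def assess(asset_specs, observed):
    """Violations for every host property applied to an asset, tagged with the
    property's name and severity so they can be prioritised."""
    return [(s.name, s.severity, kind, svc)
            for s in asset_specs for kind, svc in s.evaluate(observed)]


# Constructed specifications.  Webserver_Constraint follows the manual's
# description: nothing but SSHD and HTTPD may run.
WEBSERVER = HostPropertySpec("Webserver_Constraint", 70,
                             {"ssh": "allowed", "http": "allowed"}, unmapped="prohibited")
COMMERCE = HostPropertySpec("Commerce_Server", 90,
                            {"https": "mandatory", "http": "allowed", "telnet": "prohibited"})

if __name__ == "__main__":
    print(assess([WEBSERVER], {("tcp", 22), ("tcp", 80), ("udp", 161)}))
    print(assess([COMMERCE], {("tcp", 80), ("tcp", 23)}))
```

The default for unmapped services (Step 7) is the setting that decides how strict a specification is: with it set to prohibited, as for the Web server above, an SNMP agent or an unexpected listener on an unlisted port is a violation even though no mapping names it; with it set to allowed, as for the commerce server, only the explicitly mapped services are checked.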
Editing a Host Property
Use the Edit Host Property function to edit existing specification-based host properties. Specification-based host properties cannot be changed to label-based host properties.

Note: Label-based host properties cannot be edited. Since these properties only need a name, they can be replaced easily and as necessary.

To edit a host property:
1. From the Preventsys menu, select Admin > Host Property. The Host Property Management screen appears.
2. Click Edit for the Specification host property you want to modify. The Edit Host Property screen appears.
3. Edit the host property information as desired. Note that a host property name cannot be modified.
4. To save your changes, click Submit.

Deleting a Host Property
Use the Delete Host Property function to remove existing host properties that are no longer used on your networks. This screen features two dialog boxes, one listing Specification host properties and one listing Label host properties.

To delete a host property:
1. From the Preventsys menu, select Admin > Host Property. The Host Property Management screen appears.
2. Click Delete for the property you want removed. A confirmation pop-up box appears.
3. Click OK to delete the selected host property.
Managing Services
As discussed previously, a Host Property Specification defines a list of assets and specifies a list of services that are required or prohibited for each of those assets. Preventsys ships with the following standard services. You can also add custom services using the Add Service function described in this section.
Service Name        Protocol   Port
BearShare           tcp        6346
Blubster            udp        41170
bootp               tcp        67
bootp               udp        67
chargen             tcp        19
chargen/udp         udp        19
daytime             tcp        13
daytime/udp         udp        13
deslogin            tcp        2005
dhcp client         tcp        68
dhcp client         udp        68
discard             tcp        9
discard/udp         udp        9
domain              tcp        53
domain              udp        53
echo                tcp        7
echo/udp            udp        7
eMule               tcp        4662
exec                tcp        512
finger              tcp        79
ftp                 tcp        21
Gnutella            tcp        6346
Gnutella            udp        6346
Hotline Server      tcp        5500
http                tcp        80
https               tcp        443
imap                tcp        143
ipsec               udp        500
Kazaa               tcp        1214
ldap                udp        389
lockd               udp        4045
loc-srv             tcp        135
login               tcp        513
Microsoft-DS        tcp        445
microsoft-ds        udp        445
ms-sql-m            udp        1434
ms-sql-s            tcp        1433
ms-sql-s            udp        1433
MySQL               tcp        3306
Napster             tcp        8875
Napster             tcp        8888
netbios             tcp        135
netbios             tcp        136
netbios             tcp        137
netbios             tcp        138
netbios             tcp        139
netbios             udp        135
netbios             udp        136
netbios             udp        137
netbios             udp        138
netbios             udp        139
netbios-ssn         tcp        139
netstat             tcp        15
netstat/udp         udp        15
nfs                 udp        2049
nntp                udp        119
ntp                 udp        123
Oracle SQL*NET      tcp        1521
pop3                tcp        110
portmap             udp        111
postgres            tcp        5432
printer             tcp        515
qotd                udp        17
shell               tcp        514
smtp                tcp        25
snmp                udp        161
snmp                udp        162
snpp                tcp        444
Soulseek            tcp        2234
ssh                 tcp        22
sunrpc              tcp        111
Sybase              tcp        2638
syslog              udp        514
systat              udp        11
telnet              tcp        23
tftp                udp        69
time                tcp        37
time                udp        37
UPnP                tcp        5000
uucp                tcp        540
webcache            tcp        8080
WinMX               tcp        6699
WinMX               udp        6257
x11                 udp        6000
Each service includes a service name, a protocol, and a service port. The service
port represents the port that the service runs on. The protocol indicates whether the
service runs under TCP or UDP.
All services administration is conducted from the Services Management screen.
To access the Services Management screen
From the Preventsys menu, select Admin > Services. The Services Management screen appears.
On the Services Management screen, you can view a list of existing services (both
active and not), add new services, edit existing services, and delete services. An
active service (Active = Yes) means that the service is available for use. A
deactivated service (Active = No) means that the service was deleted and is only
being displayed for historical reference and reporting purposes.
Adding a Service
Use the Add Service function to create new services.
To add a service
1 From the Preventsys menu, select Admin > Services. The Services Management screen appears.
2 Click Add New Service. The Add Services screen appears.
3 Enter a service name, service port, and select a protocol.
Note: An active service can have the same name as a deleted service, but no two active services can have the same name.
4 To save your settings, click Submit.
Editing a Service
Use the Edit Service function to edit previously created services.
Note: You can only edit active services. Inactive services are actually deleted
services and are only displayed for reference.
To edit a service
1 From the Preventsys menu, select Admin > Services. The Services Management screen appears.
2 Click Edit for the service you want to modify. The Edit Service screen appears.
3 Modify the service as desired.
4 To save your changes, click Submit.
Deleting a Service
Use the Delete Service function to remove existing services. When a service is
deleted, it is still kept for historical and reporting purposes in Preventsys. Therefore,
when a service is deleted, the Active row will change from Yes to No. You cannot
reactivate a deleted service.
Note: To delete a service associated with a host property, you must first remove the
association by editing the host property.
To delete a service
1 From the Preventsys menu, select Admin > Services. The Services Management screen appears.
2 Click Delete for the service you want removed. A confirmation pop-up box appears.
3 Click OK to delete the service. Preventsys still displays the deleted service, but with a deactivated status (Active = No).
Managing Exclusion Lists
Use an Exclusion List to specify assets or ranges that you want Preventsys to ignore during an assessment. You can configure an Exclusion List so that it is automatically applied to all assessments (even those that already exist), or so that it must be selected each time you create an assessment.
All exclusion list administration is conducted from the Exclusion List Management
screen.
To access the Exclusion List Management screen
From the Preventsys menu, select Admin > Exclusion Lists. The Exclusion List Management screen appears.
Note: If you are a member of the Super User group, then all exclusion lists are
displayed. Otherwise, only exclusion lists that are within the range of the network
permissions of the groups to which you belong are displayed.
Adding an Exclusion List
When you create an exclusion list, you are specifying that a certain asset or range of assets be ignored by Preventsys when the list is manually applied to an assessment. You can also have exclusion lists that are automatically applied to all assessments.
Note: You can only create lists that are within the range of the network permissions of the groups to which you belong.
To add an exclusion list
1 From the Preventsys menu, select Admin > Exclusion Lists. The Exclusion List Management screen appears.
2 Click Add New List. The Add Exclusion Lists screen appears.
Note: You can also create a new Exclusion List based on an existing list by selecting Copy for the list you want to duplicate.
3 Enter an exclusion name, description, and the assets you want excluded during assessments. Each asset you enter must be separated by a RETURN.
Note: Assets can be entered as single IPs, ranges, or using Classless Inter-Domain Routing (CIDR) notation. Click Help for examples of these formats.
4 To save your settings, click Submit. You can now apply this list to individual assessments.
Making an Exclusion List Global
When you make an exclusion list global, it is automatically applied to all
assessments, including existing ones that have already been scheduled.
To make an exclusion list global
1 From the Preventsys menu, select Admin > Exclusion Lists. The Exclusion List Management screen appears.
2 Click Make Global for each list that you want automatically applied to all assessments. Notice that the globe icon changes color when the list is made global.
Note: Global lists are not displayed on the Add or Edit Assessment screens.
3 To make the list not global, click Un-Globalize. Notice that the globe icon turns from the color blue to gray for the non-global list.
4 The list will no longer be automatically applied to all assessments, but you can still apply it to individual assessments when creating an Assessment Configuration (see Managing Assessment Configurations (on page 133)).
Editing an Exclusion List
When you edit an exclusion list, changes are automatically applied to future
assessments. Therefore, you do not need to edit the assessments that reference
the list.
To edit an Exclusion List
1 On the Exclusion List Management screen, click Edit for the list you want to modify. The Edit Exclusion List screen appears.
2 Edit the list as desired.
3 To save your changes, click Submit.
Deleting an Exclusion List
Use the Delete Exclusion List function to remove existing exclusion lists.
To delete an exclusion list
1 From the Preventsys menu, select Admin > Exclusion Lists. The Exclusion List Management screen appears.
2 Click Delete for the list you want removed. A confirmation pop-up box appears.
Note: If the list you want to delete is associated with an assessment configuration, a warning message is displayed. You must remove the list by editing the associated assessment configurations before you can delete the list.
3 Click OK to delete the selected list.
Managing Networks
Each network represents a specific cluster of assets. Each network must have a
network name, an IP range (for range-based networks) or IP address/network mask
(for mask-style networks), a static/DHCP configuration, an average financial impact
for each individual device on the network, and an average operation impact for each
asset per hour. Preventsys allows networks to contain IP ranges as well as
individual, nonconsecutive IPs (also referred to as noncontiguous IPs). For example,
Network A = 10.4.1.1-10.4.1.3, 10.4.1.5, 10.4.1.7.
The average financial impact (for example, the replacement cost) of each individual
device on the network is used to calculate assets at risk. This average value is used
to determine the value of each asset for which no dollar value was specified. When
no value is specified, the average financial impact of each individual device on the
network defaults to $1,500.00. If the assets associated with the network have not
been assigned a financial impact value, they will utilize this default value. This allows
you to assign value easily to large groups of similar assets at one time.
The hourly operational impact is the cost that you would incur from an operations
perspective (for example, the dollar value of work time lost per hour) if a machine was
compromised. This value is used for calculating exposure risk, which is displayed on
the Security Risk Dashboard. When no value is specified, the operational impact of
each individual device on the network defaults to $750.00. If the assets associated
with the network have not been assigned an operational impact value, they will
utilize this default value. This allows you to assign value easily to large groups of
similar assets at one time.
Network Hierarchy
Preventsys recommends adding networks in a hierarchical top-down approach. This
allows you to create one large network range, and then several small sub networks.
These sub networks can then be assigned to their individual administrators via user
groups. For example, if your network range is 10.4.1.2-10.4.1.118, then you might
add a network for that range and then add several other sub networks based on line-of-business or other logical grouping.
The administrators assigned to these sub networks can then administrate them as
desired by creating other sub networks and allowing access via user groups.
Remember that a user will automatically be given the same permissions to a
network that is within the range of a network that is associated with a user group to
which they belong.
Network Properties
Network properties are used to define the type of network, allowing for the detection
of policy violations in the context of network type during analysis. Network
properties can be exclusive or non-exclusive. Networks can also support multiple
non-exclusive network properties. See Network Properties (on page 82) for details.
For example, an Accounting network might be set up for all systems in an office's
accounting department, encompassing the entire range of IP addresses from
10.10.10.50 through 10.10.10.100. Applying network properties to this Accounting
network would then allow for the detection of policy violations based on specific
types of services or network activity that are prohibited in the Accounting
department while being permissible in other parts of the office.
Network Group Auto-Create Option
When you add a new network, you have the option of having Preventsys
automatically create a network group with the same name and containing the new
network. If this network is subsequently deleted via the Delete Network function,
the automatically generated network group of the same name will also be deleted if
it has not been modified to contain any additional networks that still exist.
All Network Management is conducted from the Network Management screen.
To access the Network Management screen
From the Preventsys menu, select Admin > Network. The Network Management screen appears.
From the Network Management screen, you can view a list of existing networks, add
new networks, edit networks, and delete networks.
Note: If you are a member of the Super User group, then all networks are displayed. Otherwise, only networks that are within the range of the network permissions of the groups to which you belong are displayed.
Time Windows
You can identify when assessments can take place on a given network by specifying time windows for that network. For example, if you enter 1:00 AM to 3:00 PM on Weekends, Preventsys will run assessments for the associated network only between 1:00 AM and 3:00 PM on Saturday and Sunday. If an assessment cannot be completed during the specified time window, Preventsys will pause the assessment until the window reopens and then complete the assessment.
Note: Time windows cannot be for less than one hour. If you do not provide a time window, the default is anytime.
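The time-window behaviour just described (run only while the window is open, pause until it reopens, reject windows under one hour), worked through as an added example that is not part of the product or this guide. It assumes "Weekends" means Saturday and Sunday and that a window does not cross midnight; the TimeWindow and schedule names are invented here.

```python
"""Assessment time windows as the guide describes them (added example, not
McAfee's code).  A window is a set of weekdays plus same-day start and end
times; an assessment runs only while a window of its network is open, pauses
when it closes and resumes at the next opening.  Assumptions: "Weekends" means
Saturday and Sunday, and windows do not cross midnight."""
from datetime import datetime, time, timedelta

WEEKENDS = {5, 6}            # datetime.weekday(): Monday = 0 ... Sunday = 6


class TimeWindow:
    def __init__(self, days, start, end):
        self.days = set(days)
        self.start, self.end = time.fromisoformat(start), time.fromisoformat(end)
        span = (self.end.hour * 60 + self.end.minute) - (self.start.hour * 60 + self.start.minute)
        if span < 60:                     # the guide: no window shorter than one hour
            raise ValueError("time windows cannot be for less than one hour")

    def is_open(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end

    def close_after(self, when):
        """Instant this window closes on when's day (meaningful while it is open)."""
        return datetime.combine(when.date(), self.end)

    def next_opening(self, when):
        """Earliest instant at or after when at which this window is open."""
        if self.is_open(when):
            return when
        for offset in range(8):           # eight days cover every listed weekday
            day = (when + timedelta(days=offset)).date()
            opening = datetime.combine(day, self.start)
            if day.weekday() in self.days and opening >= when:
                return opening
        raise ValueError("window lists no days")


def schedule(windows, start, work):
    """Simulate an assessment needing `work` of run time from `start`, pausing
    whenever no window is open.  Returns (finish, [(run_start, run_end), ...]).
    No windows means the default, anytime, so the job runs straight through."""
    if not windows:
        return start + work, [(start, start + work)]
    now, remaining, segments = start, work, []
    while remaining > timedelta(0):
        now = min(w.next_opening(now) for w in windows)
        # Run until the last currently open window closes, or until the work is done.
        close = max(w.close_after(now) for w in windows if w.is_open(now))
        run = min(remaining, close - now)
        segments.append((now, now + run))
        now, remaining = now + run, remaining - run
    return now, segments


def demo():
    """The guide's example window, 1:00 AM to 3:00 PM on weekends, applied to a
    20-hour assessment started Saturday 2007-06-02 at 10:00 (constructed dates)."""
    window = TimeWindow(WEEKENDS, "01:00", "15:00")
    return schedule([window], datetime(2007, 6, 2, 10, 0), timedelta(hours=20))
```

The 20 hours of work span three weekend sessions (Saturday 10:00-15:00, Sunday 01:00-15:00, then the following Saturday 01:00-02:00), which is what "pause until the window reopens" means for a job that outlasts its window.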
Adding a Network
Use the Add Network function to create new networks.
Note: Assets within a network cannot overlap.
To add a new network
1 From the Preventsys menu, select Admin > Network. The Network Management screen appears.
2 Click Add New Network. The Add Network screen appears.
Note: You must be a member of a group with permission for at least one network to add a network.
3 Enter a network name. If there are assets you want included in the network, enter them in the Asset box. If there are networks you want included in the network, add them from the existing networks Available box. The network must include at least one asset or network.
Note: If you are a member of the Super User group, then you can add any asset. Otherwise, you can only add assets that are within the range of network permissions for the groups to which you belong. If you are a member of the Super User group, then all networks are displayed. Otherwise, only networks that are within the range of the network permissions of the groups to which you belong are displayed.
4 To have a network group automatically created based on this network, select Create Default Network Group. The created network group will have the same name as the network.
5 Select the type of IP Protocol you want utilized and the types of network properties you want applied.
6 Modify the impact costs associated with the network if desired, or keep the default values.
7 Select the groups that should have access to this network.
Note: You can also associate networks to groups when creating or editing groups. If you are a member of the Super User group, then all groups are displayed. Otherwise, only groups to which you belong are displayed.
8 Enter one or more time windows for this network if desired. If you do not enter a time window, the default is anytime.
9 Click Submit to add the network.
Editing a Network
Use the Edit Networks function to edit existing networks.
To edit an existing network
1 From the Preventsys menu, select Admin > Network. The Network Management screen appears.
2 Click Edit for the network you want to modify. The Edit Network screen appears.
3 Edit the network as desired.
4 To save your changes, click Submit.
Deleting a Network
Use the Delete Network function to remove existing networks.
To delete a network
1 From the Preventsys menu, select Admin > Network. The Network Management screen appears.
2 Click Delete for the network you want removed. A confirmation pop-up box appears.
3 Click OK to delete the selected network.
Managing Network Properties
All networks require network properties to define a network type for analysis.
Network properties allow for the detection of policy violations in the context of
network type when PDL policies are applied to assessment results.
Preventsys ships with the following network properties:
• DMZ: Represents a network segment in which some ports are publicly accessible from the Internet while the majority of ports are filtered from public access.
• Public: Represents a network segment that is open to public access.
• Private: Represents a network segment that is restricted from public access.
Custom network properties may be created and manipulated via the Add Network
Properties and Delete Network Properties functions.
Network Properties can also be exclusive or non-exclusive. A network can only be
associated with one exclusive network property. A network can also be associated
with multiple non-exclusive network properties in addition to or instead of an
exclusive network property.
For example, an Engineering network property can be created and applied to all
networks in an office's Engineering department. A simple PDL rule can then be
developed to flag file sharing services and other prohibited network activity in the
Engineering department as policy violations.
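The exclusive/non-exclusive property rule and the Engineering example above, together with the prohibited-service lists that a Host Property Specification carries (see Managing Services), modelled in code. This is an added example, not McAfee's code and not PDL; the networks, the scan results and the choice to mark Public and Private as exclusive are constructed assumptions, since the guide does not say which shipped properties are exclusive.

```python
"""Network properties and a property-scoped prohibited-service rule (added
example, not McAfee's code and not PDL).  A network may carry one exclusive
property plus any number of non-exclusive ones; a rule then flags prohibited
services observed on hosts inside every network tagged with a given property.
Service rows come from the standard service table; networks, scan results and
the exclusive flags below are constructed for this demo."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# (name, protocol, port) rows copied from the standard service table.
SERVICES = [
    ("ssh", "tcp", 22), ("http", "tcp", 80), ("telnet", "tcp", 23),
    ("Kazaa", "tcp", 1214), ("eMule", "tcp", 4662), ("Gnutella", "tcp", 6346),
    ("BearShare", "tcp", 6346), ("WinMX", "tcp", 6699), ("WinMX", "udp", 6257),
]
# Peer-to-peer file-sharing services that appear in the table.
FILE_SHARING = {"BearShare", "Blubster", "eMule", "Gnutella", "Kazaa",
                "Napster", "Soulseek", "WinMX"}
PORT_TABLE = defaultdict(set)          # (protocol, port) -> service names
for _name, _proto, _port in SERVICES:
    PORT_TABLE[(_proto, _port)].add(_name)


def service_names(protocol, port):
    """Services the table lists for a protocol/port; several may share one
    (Gnutella and BearShare both use tcp/6346)."""
    return set(PORT_TABLE.get((protocol, port), set()))


@dataclass(frozen=True)
class NetworkProperty:
    name: str
    exclusive: bool = False


class Network:
    def __init__(self, name, *cidrs):
        self.name = name
        self.ranges = [ipaddress.ip_network(c) for c in cidrs]
        self.properties = set()

    def add_property(self, prop):
        """At most one exclusive property per network; non-exclusive ones stack."""
        if prop.exclusive and any(p.exclusive for p in self.properties):
            raise ValueError(f"{self.name} already has an exclusive property")
        self.properties.add(prop)

    def has_property(self, name):
        return any(p.name == name for p in self.properties)

    def contains(self, ip):
        return any(ip in r for r in self.ranges)


def prohibited_service_rule(property_name, prohibited, networks, observed):
    """Return sorted (ip, network, service) triples for every prohibited service
    seen on a host inside a network tagged property_name.  observed holds
    (ip, protocol, port) rows as an assessment would report them."""
    tagged = [n for n in networks if n.has_property(property_name)]
    violations = []
    for ip_s, proto, port in observed:
        ip = ipaddress.ip_address(ip_s)
        for net in tagged:
            if net.contains(ip):
                for svc in service_names(proto, port) & prohibited:
                    violations.append((ip_s, net.name, svc))
    return sorted(violations)


def demo():
    """Constructed data: two networks, shipped and custom properties, scan rows."""
    private = NetworkProperty("Private", exclusive=True)   # exclusivity assumed here
    public = NetworkProperty("Public", exclusive=True)     # exclusivity assumed here
    engineering = NetworkProperty("Engineering")           # custom, non-exclusive
    lab = Network("Engineering-Lab", "10.20.0.0/24")
    accounting = Network("Accounting", "10.10.10.0/24")
    lab.add_property(private)
    lab.add_property(engineering)
    accounting.add_property(private)
    try:
        lab.add_property(public)       # a second exclusive property is rejected
        conflict = False
    except ValueError:
        conflict = True
    observed = [("10.20.0.5", "tcp", 22), ("10.20.0.5", "tcp", 1214),
                ("10.20.0.9", "tcp", 6346), ("10.10.10.60", "tcp", 1214)]
    return {"exclusive_conflict": conflict,
            "violations": prohibited_service_rule("Engineering", FILE_SHARING,
                                                  [lab, accounting], observed)}
```

Kazaa on the Accounting host is not reported because that network lacks the Engineering property, which is the point of scoping a rule by network property rather than by service alone.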
All Network Property administration is conducted from the Network Property
Management screen.
To access the Network Property Management screen
From the Preventsys menu, select Admin > Network Property. The Network Property Management screen appears.
From the Network Property Management screen, you can view existing properties,
add new properties, and delete properties.
Adding a Network Property
Use the Add Network Property function to create new network properties.
To add a new network property
1 From the Preventsys menu, select Admin > Network Property. The Network Property Management screen appears.
2 Click Add New Network Property. The Add Network Property screen appears.
3 Enter a property name. If you want this new network property to be exclusive to a single network, select Exclusive.
4 Click Submit to add the network property.
Deleting a Network Property
Use the Delete Network Properties function to remove existing network properties.
Note: Deleting a network property will remove it from all networks that reference
the property.
To delete a network property
1 From the Preventsys menu, select Admin > Network Property. The Network Property Management screen appears.
2 Click Delete for the property you want removed. A confirmation pop-up box appears.
3 Click OK to delete the selected network property.
Managing Network Groups
Network group management encompasses adding, editing, and deleting network
groups.
Network groups represent clusters of networks that are grouped for the purposes of
performing assessments and analysis. To assess a network, it must first belong to a
network group. If you wish to assess an individual network, you must first create a
network group containing the selected network.
Note: If the Create Network Group option is selected when a network is added,
Preventsys automatically creates a network group with the same name as the
network and containing the network. However, if the logged in user is not directly
associated to this network (via a group), then they will not be able to view the
network group. See Direct Association (on page 42) for details.
Each network group includes a network group name and a group of included
networks.
Note: Networks within a network group cannot overlap.
All Network Group administration is conducted from the Network Group
Management screen.
To access the Network Group Management screen
From the Preventsys menu, select Admin > Network Group. The Network Group Management screen appears.
Note: If you are a member of the Super User group, then all network groups are
displayed. Otherwise, only network groups that are made up entirely of networks
within the range of the network permissions of the groups to which you belong are
displayed.
Adding a Network Group
Use the Add Network Group function to create new network groups.
To add a new network group
1 From the Preventsys menu, select Admin > Network Group. The Network Group Management screen appears.
2 Click Add New Network Group. The Add Network Group screen appears.
3 Enter a network group name and select the networks you want included in the network group.
Note: If you are a member of the Super User group, then all networks are displayed. Otherwise, only networks that are within the range of the network permissions of the groups to which you belong are displayed.
4 Click Submit to save the network group.
Editing a Network Group
Use the Edit Network Group function to edit existing network groups.
To edit an existing network group
1 From the Preventsys menu, select Admin > Network Group. The Network Group Management screen appears.
2 Click Edit for the Network Group you want to modify. The Edit Network Group screen appears.
3 Edit the network group as desired.
4 To save your changes, click Submit.
Deleting a Network Group
Use the Delete Network Group function to remove network groups.
To delete a network group
1 From the Preventsys menu, select Admin > Network Group. The Network Group Management screen appears.
2 Click Delete for the Network Group you want removed. A confirmation pop-up box appears.
3 Click OK to delete the selected network group.
Importing Asset and Network Data Files
Preventsys supports the file-based import of asset and network configuration data.
Files can be imported from the Administrative Client or using the Preventsys Import
Utility, a command-line tool. You can also use the Preventsys ePO extractor to
extract asset and network configuration data from your McAfee ePolicy
Orchestrator® into a file that can be then imported into Preventsys. See Importing
ePO Asset and Network Data (on page 101) for details.
Supported File Formats
The system will only support the import of network and asset data that is in a CSV or
XML format. Preventsys cannot verify if the file is CSV or XML, so make sure you
submit a valid file or the import will fail.
You can import files in a compressed format when using the Administrative Client.
Compressed files are not supported when using the Import Utility. Preventsys
recommends compressing your file if it is larger than 1MB to avoid timeout failures.
If you are importing a compressed file, only the .zip format is allowed; other
compression formats such as .tar, .gz, and .rar are not allowed. In addition, there can
be only one file within the zipped file and it must be in the CSV or XML format.
When importing asset data, the data in the file must map to the following CSV
format:
asset name, IP, unique id, OS, description, host property1;host
property2, financial impact $, operational impact $
When importing network data, the data in the file must map to the following CSV
format:
network name, IP/CIDR;IP-IP;IP:NETMASK;IP, childnetwork1;childnetwork2,
STATIC|DYNAMIC, avg. financial impact $, avg. operational impact $,
network group1;network group2, user group1;user group2
To avoid performance issues, do not import more than 20,000 networks or 100,000
assets per file.
Also see Sample XML/Schema for Asset and Network Import (on page 355).
Importing Multiple Files
The system will only allow one import to be run at one time. The system will display
the message, “An import is in progress. Please wait until it has finished.” to the
user if an import is attempted when another import is still in progress.
Data Creation and Modification
Preventsys supports three types of import: Update (adding), Replace (overwriting),
and Delete (removal). If an import cannot be processed, Preventsys automatically
rolls back the import so that no new records are created or modified.
Updating
Use the Update operation to add new networks to Preventsys. If the same new
network name appears in more than one row in the import file, the system will only
use data from the last row processed with that network name to create the new
network.
You can also use the Update operation to add new data to existing network data for
fields that allow multiple values. For example, new IP range, new child network (all
IPs are present within an existing network), new network group, and new user group
or new host property. If the same network name appears in more than one row in
the import file, the system will add data from each row with that network name to
create the new network.
The Update operation also allows new network data to overwrite existing network
data for fields that do not allow multiple values. If the same network name appears
in more than one row in the import file, the system will only use data from the last
row processed with that network name to overwrite the existing network. The
Update operation does not allow existing networks to be removed, existing assets to
be removed, or existing child networks to be removed.
Note: The IP address of an asset must be within the range of an existing network in
Preventsys when it is created or updated.
Replacing
The Replace operation will remove existing child networks if they are not specified in the imported data. If a child network is the only IP range associated with the named network, the system will ignore the removal request for that child network and discard the record.
If a network is removed from a network group as the result of the replace operation and that network was the only network in the network group, removing the network will also remove that network group. This is because Preventsys does not allow empty network groups.
The Replace operation does not allow existing networks to be removed.
Deleting
The Delete operation will mark the specified networks as deleted. If there is only one network in a network group, removing that network will also remove the network group. This is because Preventsys does not allow empty network groups.
For Network imports, the Delete operation only requires that the Network Name be
valid. For Asset imports, only the Unique ID must be valid.
Optional fields left blank will be assigned the default value if there is one. For fields
that can have 0 to multiple values, leaving it blank means no value.
Optional fields that are populated must pass validation checks or the network record
will be discarded.
Required fields must be populated with data that passes the validation checks or the
network record will be discarded.
Required and Optional Data File Elements
The following table presents the definitions for the required and optional elements
that will be allowed in the import file.
Element: Network name
  Format: [Char]+
  Description: Name of network
  Asset / Network: Network
  Validation Checks: Required. Must be unique (networks with the same name will be treated as the same network). Cannot be longer than 50 characters.

Element: Asset name
  Format: [Char]+
  Description: Name of asset
  Asset / Network: Asset
  Validation Checks: Optional. No default. Cannot be longer than 50 characters.

Element: IP Range(s)
  Format: Empty or semicolon separated IP-Range(s). IP-Range=[IP/CIDR | IP-IP | IP:NETMASK | IP]
  Description: IP range(s) expressed using CIDR notation, hyphenated IP range, IP with netmask, or single IP
  Asset / Network: Network
  Validation Checks: Optionally required: required if no child network is specified. No default. Multiple ranges may be specified by using a semi-colon as the delimiter.

Element: IP
  Format: [0-255].[0-255].[0-255].[0-255]
  Description: IP address for the named asset
  Asset / Network: Asset
  Validation Checks: Required. Must be unique. IP must be within the range of an existing network.

Element: Unique ID
  Format: [IP|MAC]. IP is as above. MAC is ":" or "-" separated MAC address or MAC address without separator.
  Description: Unique ID for the named asset, IP or MAC Address
  Asset / Network: Asset
  Validation Checks: Required. Must be unique. Should be an IP address or a MAC address. Should be within a range of an existing network when it's added.

Element: OS
  Format: [Char]+
  Description: Operating system the named asset is running on
  Asset / Network: Asset
  Validation Checks: Not required. The value will be replaced with unknown if it is empty. Cannot be longer than 50 characters.

Element: Description
  Format: [Char]+
  Description: Description of the named asset
  Asset / Network: Asset
  Validation Checks: Optional. No default. Cannot be longer than 100 characters. Special characters allowed.

Element: Host Property
  Format: Empty or semicolon separated Host-Property(s). Host-Property=[Char]+
  Description: Host property of the named asset
  Asset / Network: Asset
  Validation Checks: Optional. No default. Host property name must already exist. Multiple host properties may be specified by using a semi-colon as the delimiter.

Element: Child network(s)
  Format: Empty or semicolon separated Child-Network(s). Child-Network=[Char]+
  Description: Name of a network that already exists in the system which the user wants nested within the named network (equivalent of adding an existing network to a new network)
  Asset / Network: Network
  Validation Checks: Optionally required: required if no IP/CIDR;IP-IP;IP:NETMASK;IP is specified. No default. Network name must already exist.

Element: Network Type
  Format: [Static | Dynamic]
  Description: Type of network: static IP addresses or DHCP
  Asset / Network: Network
  Validation Checks: Optional. Default is Static. Only one option may be used per network.

Element: Avg. Financial Impact
  Format: Float
  Description: Dollar amount representing average asset financial impact of the named asset or network
  Asset / Network: Asset / Network
  Validation Checks: Optional. Default is 1500.00.

Element: Avg. Operational Impact
  Format: Float
  Description: Dollar amount representing average asset operational impact
  Asset / Network: Asset / Network
  Validation Checks: Optional. Default is 750.00.

Element: Network group
  Format: Empty or semicolon separated NetworkGroup(s). NetworkGroup=[Char]+
  Description: Network group(s) you want to add to the named network
  Asset / Network: Network
  Validation Checks: Optional. No default; if not specified, no network group will be created (equivalent to deselecting auto create network group on the Add and Edit Network screens). If the network group name does not exist, a new network group will be created by the given name and the named network added to it. Multiple network groups may be specified by using a semi-colon as the delimiter or the sub field delimiter specified by import parameters.

Element: User group
  Format: Empty or semicolon separated User-Group(s). UserGroup=[Char]+
  Description: Name of user group(s) that already exists in the system. The user group specified will be given access to the named network.
  Asset / Network: Network
  Validation Checks: Optional. No default. Name of the user group must already exist. Multiple user groups may be specified by using a semi-colon as the delimiter or the sub field delimiter specified by import parameters.
Note: For Network import, the Network Properties and Time Windows fields are not
supported in the import file and therefore no data will be imported for them. For
Asset import, Mandatory Host Properties apply to all assets and thus there is no
need to specify this in the import file.
Data Matching
Networks will be matched based on network name and assets will be matched
based on Unique ID. All matching of import data to existing data and all matching of
data within the import file is case sensitive.
Note: Preventsys does not allow circular dependencies between networks. For
example, if Network A contains Network B, then Network B cannot contain Network
A.
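The asset CSV column order, the element table's validation checks and the case-sensitive matching rule above, carried through in code. This is an added example, not McAfee's or the Preventsys Import Utility's own code; the inventory of existing networks and host properties, the four sample rows and the helper names (parse_ip_range, validate_asset_row, import_assets) are constructed for illustration, and the delim1/delim2 parameters stand in for the import screen's Delimiter1 and Delimiter2 settings.

```python
"""Asset-row validator for Preventsys-style CSV imports (added example, not
McAfee's code).  Applies the documented asset column order, the element table's
checks (lengths, IP within an existing network, unique IP-or-MAC id, "unknown"
OS, 1500.00 / 750.00 impact defaults) and case-sensitive matching; delim1 and
delim2 stand for the import screen's Delimiter1 and Delimiter2.  Inventory and
sample rows are constructed."""
import csv
import io
import ipaddress
import re

FINANCIAL_DEFAULT = 1500.00    # avg. financial impact default from the guide
OPERATIONAL_DEFAULT = 750.00   # avg. operational impact default from the guide
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$")


def parse_ip_range(spec):
    """One IP-Range element (IP/CIDR, IP-IP, IP:NETMASK or IP) -> (first, last)."""
    spec = spec.strip()
    if "/" in spec or ":" in spec:            # CIDR or dotted-netmask form
        addr = tuple(spec.split(":", 1)) if ":" in spec else spec
        net = ipaddress.IPv4Network(addr, strict=False)
        return net[0], net[-1]
    lo, _, hi = spec.partition("-")           # hyphenated range or single IP
    lo, hi = ipaddress.IPv4Address(lo.strip()), ipaddress.IPv4Address((hi or lo).strip())
    if lo > hi:
        raise ValueError(f"inverted range {spec}")
    return lo, hi


def covers(networks, ip):
    """True if ip lies within some range of an existing network."""
    return any(lo <= ip <= hi for rs in networks.values() for lo, hi in rs)


def validate_asset_row(row, inv, delim2=";"):
    """Check one asset row; inv = {"networks": name -> [(first, last)],
    "host_properties": set, "unique_ids": set}.  Returns (record, errors)."""
    if len(row) != 8:
        return None, [f"expected 8 fields, got {len(row)}"]
    name, ip_s, uid, os_, desc, props, fin, op = (f.strip() for f in row)
    errors = []
    for label, value, limit in (("asset name", name, 50), ("OS", os_, 50),
                                ("description", desc, 100)):
        if len(value) > limit:
            errors.append(f"{label} longer than {limit} characters")
    try:
        if not covers(inv["networks"], ipaddress.IPv4Address(ip_s)):
            errors.append("IP not within the range of an existing network")
    except ValueError:
        errors.append("IP is not a valid dotted-quad address")
    if not uid:
        errors.append("unique id is required")
    elif uid in inv["unique_ids"]:
        errors.append("unique id already in use")
    elif not MAC_RE.match(uid):
        try:
            ipaddress.IPv4Address(uid)
        except ValueError:
            errors.append("unique id must be an IP or MAC address")
    prop_list = [p for p in props.split(delim2) if p]   # sub-fields are never quoted
    for p in prop_list:
        if p not in inv["host_properties"]:             # exact, case-sensitive match
            errors.append(f"host property {p!r} does not exist")
    try:
        financial = FINANCIAL_DEFAULT if fin == "" else float(fin)
        operational = OPERATIONAL_DEFAULT if op == "" else float(op)
    except ValueError:
        errors.append("impact values must be numeric")
    if errors:
        return None, errors
    return {"name": name or None, "ip": ip_s, "unique_id": uid, "os": os_ or "unknown",
            "description": desc, "host_properties": prop_list,
            "financial": financial, "operational": operational}, []


def import_assets(text, inv, delim1=",", delim2=";"):
    """Parse a whole asset file; rows failing validation are discarded."""
    accepted, rejected = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=delim1), 1):
        record, errors = validate_asset_row(row, inv, delim2)
        if errors:
            rejected.append((lineno, errors))
        else:
            accepted.append(record)
            inv["unique_ids"].add(record["unique_id"])   # later duplicates fail
    return accepted, rejected


def demo():
    """Constructed inventory and four rows: two valid, one outside every network, one mis-cased."""
    inv = {"networks": {"Accounting": [parse_ip_range("10.10.10.50-10.10.10.100")]},
           "host_properties": {"Finance Server", "Workstation"}, "unique_ids": set()}
    sample = ('acct-db01,10.10.10.60,00:11:22:33:44:55,Linux,"DB, primary",'
              'Finance Server;Workstation,25000,\n'
              'acct-ws07,10.10.10.77,10.10.10.77,,,Workstation,,\n'
              'rogue,192.168.9.9,192.168.9.9,Windows,,,1000,500\n'
              'acct-ws08,10.10.10.78,001122334456,Windows,,finance server,,\n')
    return import_assets(sample, inv)
```

The quoted "DB, primary" field shows why a Delimiter1 that occurs inside values must be quoted, and the rejected fourth row shows the case-sensitive match against the existing host property "Finance Server".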
Importing Using the Administrative Client
The following steps present how to import a file containing either asset or network
data into Preventsys using the Administrative Client.
To import an asset data or network data file
1 Do one of the following:
    - To import an asset data file, select Admin > Assets, then click Asset Import.
    - To import a network data file, select Admin > Networks, then click Network Import.
The Import Asset or Import Network screen appears, respectively.
Figure 2: Import Asset screen
Figure 3: Import Network screen
2 In the File Format drop-down list, select the format of the file you want to import.
3 In the Data File text box, enter the path/location of the file you want to import. This can be a flat file or a zipped file.
Note: If you are importing a compressed file, only the .zip format is allowed; other compression formats such as .tar, .gz, and .rar are not allowed. In addition, there can be only one file within the zipped file and it must be in either a CSV or XML format.
4 In the Operation drop-down list, select the type of operation you want to perform with the file.
5 In the Delimiter1 text box, enter the character used in the file to separate fields.
6 In the Delimiter2 text box, enter the character used in the file to separate sub fields (multiple pieces of data within a single field), for example, to separate multiple user groups.
Note: Delimiters can be any valid ASCII character. However, make sure the Delimiter1 character you choose is not used within the values of the file's field data. If it is, make sure those fields are in quotes, so that the parser will not interpret them as delimiters. Quotes cannot be used for sub fields, so choose Delimiter2 carefully to avoid import conflicts.
7 To import the file, click Submit. The Data Import Results screen appears.
Figure 4: Sample asset import with failures
Figure 5: Sample successful asset import
8 The Data Import Results screen displays a preview of the results of the import should you choose to continue, including any errors or warnings. If you are okay with the results, click Confirm to import the data. If you wish to make changes before importing the file, click Cancel.
Importing with the Import Utility
To utilize the Preventsys Import Utility, you must first install Java, then install the
files supporting these functions. Note that these commands are supported for both
Windows (batch files) and Linux (shell-scripts).
To install the import utility
1 Install Java JDK or JRE v1.4.x
2 Create a new System Environment Variable and name it JAVA_HOME
3 Modify your existing System Environment Variable PATH so that it includes %JAVA_HOME%/bin
4 To verify that JAVA_HOME is set, open a new command window, then type set JAVA_HOME
5 To verify that %JAVA_HOME%/bin is now in your PATH, type set PATH
6 Unzip preventsys_data_manipulation_v1.1.zip to any directory
7 Use the import_asset or import_network command as desired
Before using the Import Utility, the following arguments must be placed in the file dataimport.conf in the same directory as the import_file utility.
The following list presents the property values of the dataimport.conf file:

    # URL of the Preventsys web application
    preventsys.webservice.host = <host or IP address>
    preventsys.webservice.port = <8888>
    # Preventsys login info
    preventsys.login.username = <preventsys user name>
    preventsys.login.password = <preventsys password>
    truststore.filename = <full path to truststore>
    truststore.password = <truststore password>
    # Location of web services
    preventsys.webservice.netimport.endpoint = https://<msserver>/ms/services/NetworkDataImportService
    preventsys.webservice.assetimport.endpoint = https://<msserver>/ms/services/AssetDataImportService
    # Bulk import timeout in seconds; 3600 is 1 hour
    preventsys.webservice.timeout = 3600
Import Parameters
Use the following parameters when importing from the command line. Also see Sample XML/Schema for Asset and Network Import (on page 355).

Parameter / Description

[--help]
    Displays this message
-f, [--file]
    File name to import (Required)
-t, [--file_type TYPE]
    Import file type (csv, xml) Default: xml Default: csv (Required)
    Zipped files are not allowed because the utility automatically zips the file when sending it to the web service.
-d, [--csv_delimiter DELIM]
    Delimiter used if file type is CSV. DELIM can be up to 2 characters in length, where the first character is the primary delimiter, and the second is the sub-delimiter. The default is ,;
-o, [-operation=OPER]
    Defines the default operation for the data. OPER can be either update, delete, or replace. The default is update.
-e, [--error_policy POL]
    Specifies how the tool should handle errors: fail, test, or ignore. The default is fail.
    Use the test method to preview the results of an import before actual submission.
    Use the ignore method to submit a file that contains errors (for example, assigning a nonexistent User Group to a network). However, records with errors will still be ignored by the system.
    Use the fail method to force the import to fail upon the first error condition encountered.
The following is an example of an import_asset command.
import_asset -f asset.csv -t csv --csv_delimiter ":|" -o update
The following is an example of an import_network command.
import_network -f network.csv -t csv --csv_delimiter ":|" -o update
Importing ePO Asset and Network Data
Users who manage their networks with the McAfee ePolicy Orchestrator® (ePO) can
export their asset and network data into Preventsys using the Preventsys ePO
Extractor utility in conjunction with the Preventsys Asset and Network import
functionality. This chapter presents how to use the ePO Extractor to harness the
ePO database and provide Preventsys with authoritative, up-to-date information
about their assets and networks. Preventsys does not support the import of asset
information from LDAP.
Installing the ePO Extractor
The ePO Extractor is a Microsoft Windows-based console application. Therefore,
you must start a Windows command shell. Since the ePO Extractor connects
directly to the ePO database, it will be necessary to obtain the address and port of
the Microsoft SQL Server that contains the ePO database. It is also necessary to run
the ePO Extractor from a system capable of communicating with this Microsoft SQL
Server instance.
Next, obtain the name of the ePO database. This name varies for each installation,
so it is impossible to know ahead of time what the name is. In general, the database
will be named something similar to ePO_Name, where Name is the Windows name
for the system on which the ePO console was installed.
The ePO Extractor also requires an account with read access to the ePO Database,
so have your DB administrator create this account. The ePO Extractor supports
Windows Authentication as well as SQL Server Authentication accounts. For
security reasons, Preventsys recommends using Windows Authentication whenever
possible.
If Windows Authentication is selected, an ODBC Data Source Name must be created
on the ePO Extractor system. SQL Server Authentication accounts can also make
use of Data Source Names, but it is not a requirement.
Creating a Data Source Name
To create a data source name
1 If the account created utilizes Windows Authentication, log in to the ePO Extractor system with the same username.
2 From the Control Panel menu, select Administrative Tools > Data Sources (ODBC) to start the ODBC Data Source Administrator. This step can vary depending on which version of Windows the ePO Extractor was installed on.
3 Select the User DSN tab, then click Add. The Create New Data Source screen appears.
4 Select SQL Server, then click Finish. The Create a New Data Source to SQL Server wizard appears and prompts you to define the data source.
5 Provide the following:
    - Name: Name of the data source
    - Description: Description of the data source
    - Server: IP Address or the name of the Microsoft SQL Server
6 Click Next. The wizard prompts you to specify authentication settings.
7 Select the authentication model used by your account (either Windows NT, or SQL Server).
8 If you selected SQL Server authentication, select Connect to SQL server to obtain default settings for the additional configuration options, then enter the log on ID and password for the account.
9 Click Next. The wizard displays the Microsoft SQL Server DSN Configuration screen.
10 Change the default database to the ePO database name. Remember, this database name generally starts with ePO_.
11 Click Next, then click Finish. The ODBC Microsoft SQL Server Setup screen
appears.
12 Click Test Data Source. The SQL Server ODBC Data Source Test screen
appears.
13 If the data source test is successful, the message “Test Completed
Successfully” is displayed. Click OK to save the newly created User DSN. If the
test fails, an error message is displayed instead. Click Cancel and verify the
account credentials you entered.
Planning For Extraction
The ePO Extractor is a fairly flexible utility, but in order to provide that flexibility, it
has a large number of options available. Depending on the complexity of a network's
topology, the ePO Extractor may have to be run several times in order to extract all
desired data. To use the ePO Extractor optimally, it is recommended that a plan be
formulated to determine which ePO Extractor options to use.
First one must determine what data to extract. At the highest level, there are three
options: extract assets, extract networks, or extract both assets and networks.
Assets
When you import assets, one or more ranges of hosts are extracted from the ePO
database and output in the Preventsys bulk import format. However, each time the
ePO Extractor is run, there are five parameters that apply to every asset extracted:
Network Type, Error Policy, Default Operation, Operational Impact, and Financial
Impact.
While Default Operation and Error Policy are unlikely to vary from asset to asset,
Network Type, Financial Impact, and Operational Impact usually will. Therefore,
assets will need to be broken into groups of static and dynamic, and if Preventsys is
being used to track the value of assets at risk, those groups will need to be further
broken into IP ranges of hosts with identical value.
For example, assume you have two subnets with a total of 12 assets. Three of
those assets (10.1.2.1, 10.1.2.2, 10.1.2.3) are high-priced servers with static IPs that
run mission critical applications. Therefore, the financial and operation impact of
these assets is relatively high. The other nine assets are on a subnet (10.1.1.0/24)
and they all use DHCP to assign their IP address dynamically.
In this case, there would be two groupings: the static, high-priced servers in the
range 10.1.2.1-10.1.2.3, and the dynamic, low-priced servers in the 10.1.1.0/24
range. Therefore, these assets would have to be extracted in two passes; one for
each grouping.
Networks
Importing networks is more complex than importing assets. In addition to the five
parameters that are applied to every asset, there are two other parameters that are
applied to every extracted network each time the ePO Extractor runs. One such
parameter is Network Group Name, which controls whether the ePO Extractor
generates an algorithmically named network group for each network extracted, or
whether it creates one network group with the specified name.
The other parameter is User Group, which grants access to the extracted networks
to one or more specified user groups. Therefore, network extraction has the
potential to be more complex because of the combinations of options that might
result from having varied network groupings, user group access, network types,
ranges, and so on.
Data Selection
ePO has two sets of tables that store asset and network data: Managed and Rogue.
Selecting the incorrect set of tables can result in little or no data exported, so it is
vital that the differences between the tables be understood. The Managed tables
represent the assets that have the ePO agent installed, and are managed by the ePO
console. The Rogue tables represent the assets located using the Rogue System
Detection agent. Each of these tables has advantages and disadvantages.
About Managed Tables
The Managed tables' primary benefit is data accuracy. The ePO agent installed on
each of the assets in these tables ensures that all data returned is correct as of the
last time the asset's agent was polled. Therefore, this allows Preventsys to mark the
data returned from the Managed tables as authoritative. This ensures that no other
scan data can alter the information about each asset returned from these tables.
There are, however, two disadvantages to using these tables. First of all, only assets
with the ePO agent installed will appear in these tables. Since the ePO agent is not
available for every possible Operating System, there may be assets that will never be
stored in these tables.
The other disadvantage is related to assets with multiple network interfaces. The
Managed tables only contain information on the first/primary network interface for
each asset. However, Preventsys treats each network interface as a distinct asset.
Therefore, anytime the Managed tables are used to export assets with multiple
interfaces, assets will be missing.
This limitation also has the potential to affect the network data. The ePO Extractor
uses the network and subnet mask data from each asset's network interface data to
locate networks. However, if a particular network does not have any primary
interfaces, no information about that network will be in the Managed tables, and will
therefore not show up in the network data exported by the ePO Extractor.
About Rogue Tables
The Rogue tables' primary benefit is data completeness. When the Rogue System
Detection agents locate an asset or network, it is always installed in the Rogue
tables. Therefore, these tables have the potential to contain information on every
network interface on an enterprise's network.
Unfortunately, there are two disadvantages to these tables. First of all, in order for
an asset's network interface to be detected, a Rogue System Detection agent must
be installed on the same subnet. Therefore, if an asset contains four network
interfaces on different subnets, a minimum of four Rogue System Detection agents
would be required to locate all network interfaces.
The other disadvantage is that the Rogue System Detection agents are not installed
on the assets themselves. Therefore, they cannot directly query for the information the ePO
agents are able to obtain. This results in some data that is not authoritative, and
therefore cannot be returned in the asset data. This also causes the network data to
be less than perfect, so sometimes, the Rogue System Detection agents return
subnet masks that are bigger or smaller than the actual subnet mask.
The ePO Extractor has two options, min-size and max-size, that help ignore invalid
network records, but those options will not work 100% of the time. Therefore, if the
Rogue tables are used as a source for network data, the results should be reviewed
before importing the data into Preventsys.
Automatic Filtering
For various reasons, duplicate assets can sometimes make their way into ePO. The
ePO Extractor will attempt to filter these out based on the IP address or MAC
address of the asset. For example, if an asset is located on a static network, any
assets with the same IP address will be filtered out of the export file.
Similarly, assets on dynamic networks will be filtered out if their MAC address
matches the MAC address of another asset. In cases such as these where
conflicting assets exist, the ePO Extractor automatically selects the asset that has
been polled by the ePO console most recently.
Additionally, some network software, such as VPN clients, creates a virtual network
interface with a distinctive, non-unique MAC address. Since Preventsys uses an
asset's MAC address to identify assets uniquely on dynamic networks, this type of
software is potentially problematic because any asset with the software running will
report its primary network interface's MAC address to be some static value. To deal
with this situation, the ePO Extractor attempts to identify and ignore such assets.
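The filtering described above can be reproduced on an exported record set to see which assets will survive. The following is an added example, not the ePO Extractor's own code: it keys duplicates on IP address for a static network and on MAC address for a dynamic network (the -t / --nettype choice), keeps the most recently polled record, and drops records whose MAC is a known virtual-adapter value. The asset rows and the VIRTUAL_MACS set are constructed assumptions; the guide does not list which MAC values the Extractor recognises.

```python
# Added example (not the ePO Extractor's code): duplicate filtering on a
# constructed set of ePO asset rows. Poll times are ISO 8601 strings, which
# compare correctly as plain strings.
SAMPLE_ASSETS = [
    {"name": "srv1",     "ip": "10.1.2.1",  "mac": "00:11:22:33:44:01", "polled": "2007-03-01T10:00:00"},
    {"name": "srv1-old", "ip": "10.1.2.1",  "mac": "00:11:22:33:44:99", "polled": "2007-02-01T10:00:00"},
    {"name": "laptop-a", "ip": "10.1.1.20", "mac": "00:11:22:33:44:0a", "polled": "2007-03-02T09:00:00"},
    {"name": "laptop-a", "ip": "10.1.1.31", "mac": "00:11:22:33:44:0a", "polled": "2007-03-03T09:00:00"},
    {"name": "vpn-user", "ip": "10.1.1.40", "mac": "00:05:9a:3c:78:00", "polled": "2007-03-03T09:00:00"},
]

# Assumed set of non-unique virtual adapter MACs (constructed for the example).
VIRTUAL_MACS = {"00:05:9a:3c:78:00"}

def dedupe_assets(assets, network_type):
    """Return (kept, dropped) where kept holds one record per key and dropped
    lists (name, reason) pairs.

    network_type: 'S' (static network: duplicates share an IP) or
                  'D' (dynamic network: duplicates share a MAC).
    When two records collide, the most recently polled one wins.
    """
    if network_type not in ("S", "D"):
        raise ValueError("network_type must be 'S' or 'D'")
    key_field = "ip" if network_type == "S" else "mac"
    best = {}
    dropped = []
    for asset in assets:
        if asset["mac"].lower() in VIRTUAL_MACS:
            dropped.append((asset["name"], "virtual adapter MAC"))
            continue
        key = asset[key_field].lower()
        current = best.get(key)
        if current is None:
            best[key] = asset
        elif asset["polled"] > current["polled"]:
            dropped.append((current["name"], f"duplicate {key_field}, older poll"))
            best[key] = asset          # same dict slot, so output order is stable
        else:
            dropped.append((asset["name"], f"duplicate {key_field}, older poll"))
    return list(best.values()), dropped

if __name__ == "__main__":
    for nettype in ("S", "D"):
        kept, dropped = dedupe_assets(SAMPLE_ASSETS, nettype)
        print(nettype, [a["name"] for a in kept], dropped)
```

Note how the same input yields different survivors: on a static network the two rows sharing 10.1.2.1 collapse, while on a dynamic network the two laptop-a rows sharing one MAC collapse instead.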
ePO Extractor Options
Once the specific assets and records have been chosen, and their source selected,
all that remains is to configure the ePO Extractor so that it will filter out unwanted
records, and will export the assets and networks with the desired options. This
configuration is done by specifying various parameters on the command line.
These parameters take two forms - single letters and words. All single letter options
are prefixed by a single dash, while all word options are prefixed by two dashes.
Note that some options have both single letter and word options. These options are
always equivalent, and the single letter version is simply provided for simplicity.
Parameter / Argument / Description

-n or --dsn
    Argument: A User or System DSN
    Description: This parameter configures the ePO Extractor to use the specified DSN when connecting to the ePO database. Depending on the configuration of the specified DSN, additional credentials and parameters may be necessary to connect to the ePO database successfully.
-u or --username
    Argument: The SQL Server username
    Description: This parameter configures the username of the account that will be used to connect to the ePO database. This parameter is optional when a DSN is specified.

-p or --password
    Argument: The SQL Server password
    Description: This parameter configures the password of the account that will be used to connect to the ePO database. This parameter is optional when a DSN is specified.

-H or --host
    Argument: The IP address or hostname of the SQL Server
    Description: This parameter configures the hostname or IP address of the SQL Server containing the ePO database. This parameter is optional when a DSN is specified.

-P or --port
    Argument: The numerical TCP/IP port of the SQL Server
    Description: This parameter configures the port of the SQL Server containing the ePO database. The default value of this parameter is 1433.

-D or --dbname
    Argument: The name of the ePO Database
    Description: This parameter configures the name of the ePO database to which the ePO Extractor will connect. This parameter is optional when a DSN that sets the default database is specified.

-A or --assets
    Argument: A pathname
    Description: This parameter tells the ePO Extractor to export asset data, and to save it in the filename whose path was specified on the command line.

-N or --networks
    Argument: A pathname
    Description: This parameter tells the ePO Extractor to export network data, and to save it in the filename whose path was specified on the command line.

--roguehosts
    Argument: None
    Description: This parameter configures the ePO Extractor to use the Rogue tables when extracting assets. Note that the -A / --assets parameter must still be specified in order for assets to actually be extracted. By default, the ePO Extractor will extract its asset data from the Managed tables.
--roguenets
    Argument: None
    Description: This parameter configures the ePO Extractor to use the Rogue tables when extracting networks. Note that the -N / --networks parameter must still be specified in order for networks to actually be extracted. By default, the ePO Extractor will extract its network data from the Managed tables.

-r or --range
    Argument: A single range of IP addresses
    Description: This parameter sets the addresses of the assets and networks to be extracted. An asset will be extracted if its IP address falls within the range(s) specified on the command line, and it doesn't fall within any of the exclusion ranges specified on the command line (see the -x / --exclude parameter). A network will be extracted if any of the network's IPs intersect with any of the specified ranges, as long as none of the network's IPs intersect with any of the specified exclusion ranges.
    This parameter can be specified multiple times on the command line. If no ranges are specified on the command line, ePO Extractor will extract every asset and network.
    The range can be specified in one of four formats:
        Single IP (for example: 10.1.2.3)
        IP Range (for example: 10.1.2.3-10.1.2.50)
        Netmask (for example: 10.1.2.0:255.255.255.0)
        CIDR Mask (for example: 10.1.2.0/24)

-x or --exclude
    Argument: A single range of IP addresses
    Description: This parameter works exactly like the -r / --range parameter, except that it configures ranges of IPs that will NOT be extracted. Any asset whose IP is contained in one of the exclusion ranges will not be extracted, and any network whose IPs intersect an exclusion range will not be extracted.
    This parameter can be specified multiple times. By default, there is no exclusion range set.
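The -r / --range and -x / --exclude rules differ for assets (the address must fall inside a range) and networks (the network need only intersect a range, and must intersect no exclusion). The following is an added example, not the ePO Extractor's code, that parses the four documented range formats and applies both rules; the filter it builds matches the first Scenario A command later in this section, and the asset and network addresses it tests are constructed.

```python
# Added example (not the ePO Extractor's code): range parsing and the
# include/exclude decision for assets and networks.
import ipaddress

def parse_range(text):
    """Parse one -r / --range or -x / --exclude argument.

    Accepts the four documented formats: single IP, IP range (first-last),
    network with dotted netmask (net:mask) and CIDR mask. Returns an
    inclusive (first, last) pair of IPv4Address objects.
    """
    text = text.strip()
    if "-" in text:                                  # 10.1.2.3-10.1.2.50
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {text}")
        return first, last
    if ":" in text:                                  # 10.1.2.0:255.255.255.0
        net = ipaddress.IPv4Network(text.replace(":", "/", 1), strict=False)
        return net.network_address, net.broadcast_address
    if "/" in text:                                  # 10.1.2.0/24
        net = ipaddress.IPv4Network(text, strict=False)
        return net.network_address, net.broadcast_address
    single = ipaddress.IPv4Address(text)             # 10.1.2.3
    return single, single

def _overlaps(a, b):
    """True when two inclusive (first, last) ranges share an address."""
    return a[0] <= b[1] and b[0] <= a[1]

def asset_selected(ip, includes, excludes):
    """Asset rule: inside some include range (or no includes given) and
    inside no exclude range."""
    addr = ipaddress.IPv4Address(ip)
    included = not includes or any(lo <= addr <= hi for lo, hi in includes)
    excluded = any(lo <= addr <= hi for lo, hi in excludes)
    return included and not excluded

def network_selected(cidr, includes, excludes):
    """Network rule: intersects some include range (or no includes given)
    and intersects no exclude range."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    span = (net.network_address, net.broadcast_address)
    included = not includes or any(_overlaps(span, r) for r in includes)
    excluded = any(_overlaps(span, r) for r in excludes)
    return included and not excluded

# Filter equivalent to: -r 10.4.0.0/16 -r 10.5.1.0/24 -x 10.5.0.0/24
INCLUDES = [parse_range("10.4.0.0/16"), parse_range("10.5.1.0/24")]
EXCLUDES = [parse_range("10.5.0.0:255.255.255.0")]

def demo():
    """Decisions for constructed assets and networks under that filter."""
    assets = {ip: asset_selected(ip, INCLUDES, EXCLUDES)
              for ip in ("10.4.1.7", "10.5.0.9", "10.5.1.9", "10.6.0.1")}
    networks = {n: network_selected(n, INCLUDES, EXCLUDES)
                for n in ("10.4.0.0/16", "10.5.0.0/24", "10.5.1.0/24", "10.5.0.0/23")}
    return assets, networks

if __name__ == "__main__":
    print(demo())
```

The 10.5.0.0/23 case shows the asymmetry the guide describes: it intersects an include range, but because it also intersects the excluded 10.5.0.0/24 the whole network is skipped, even though assets in its 10.5.1.x half are still extracted.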
-t or --nettype
    Argument: The letter 'S' or 'D'
    Description: This parameter configures whether the assets and/or networks being extracted are on a static (S) or dynamic (D) network. This parameter defaults to static (S).

--finimpact
    Argument: A monetary value without the currency mark.
    Description: This parameter sets the financial impact of an asset and/or network. It should be specified as a monetary value, but without the currency mark. For example, $4030.44 would be specified as 4030.44
    The default value of this parameter is 1500.00

--opimpact
    Argument: A monetary value without the currency mark.
    Description: This parameter sets the operational impact of an asset and/or network. It should be specified as a monetary value, but without the currency mark. For example, $4030.44 would be specified as 4030.44
    The default value of this parameter is 750.00

--minsize
    Argument: A number or a CIDR mask
    Description: This parameter sets the minimum size of a network that the ePO Extractor will return. Its argument can be in two different formats: either a number (for example: 32), or a CIDR mask (for example: /27). This parameter is especially useful when using the Rogue tables for network extraction.
    For example, if an enterprise network's subnets are never smaller than 256 hosts, --minsize 256 or --minsize /24 would ensure that no subnet smaller than 256 hosts would be extracted.
    The default value of this parameter is /31, or 2 hosts.

--maxsize
    Argument: A number or a CIDR mask
    Description: This parameter works the same as the --minsize parameter, except that this parameter sets the maximum size of a subnet that can be extracted by the ePO Extractor.
    The default value of this parameter is /1, or 2,147,483,648 hosts.
--usergroup
    Argument: A Preventsys user group name
    Description: This parameter grants access to a single Preventsys user group for each of the networks being extracted. To grant access to multiple user groups, this parameter can be specified multiple times. If the group name contains spaces, it must be specified in quotes.
    By default, the ePO Extractor will not grant access to any user groups.

--netgroup
    Argument: A name for the network group, 128 characters maximum.
    Description: This parameter configures the ePO Extractor to add each of the extracted networks into a network group named after the argument to this parameter. Note that there is a Preventsys requirement that the networks in a network group never overlap; if any of the networks do overlap, the extraction will fail. To deal with this, use the Combine Networks option.
    By default, the ePO Extractor will extract each network into its own network group, thus avoiding the overlapping network issue altogether.

--netprefix
    Argument: A prefix that will be applied to each network group's name, 19 characters maximum.
    Description: This parameter sets a prefix that will be added to the beginning of each network group's name. This can be used to prevent networks extracted from different sources from having the same name.
--createnets
    Description: As discussed previously, each asset must belong to at least one network to be importable. This parameter is used in the cases when a user-defined range filter (--exclude range), or the network size filter (--minsize / --maxsize parameters) creates a situation in which an asset is extracted without a corresponding network. This option will create a network of the specified size for each asset that gets extracted without having a corresponding network. This option is only available when extracting both assets and networks at the same time.
    For example, assume a network has two assets: 10.4.5.1 with a netmask of 255.255.255.0, and 10.4.6.1, with a netmask of 255.255.0.0. You specified that the maximum network size is 256 (--maxsize 256). When networks and assets are extracted, both of the assets would be extracted, but only one network (10.4.5.0/24) would be extracted. The 10.4.0.0/16 network would not be extracted due to the --maxsize parameter (a netmask of 255.255.0.0 implies a subnet of 65,536 assets). Thus, the asset with the IP address 10.4.6.1 will not have a corresponding network, unless that subnet had already been added to Preventsys manually, or via a prior import. This will cause a warning to be displayed by the ePO Extractor, and will prevent the asset from being imported.
    If this scenario were re-run with the --createnets /24 parameter added to the command line, the network 10.4.6.0/24 would be added automatically. If you specified --createnets /28, the 10.4.6.0/28 network would be created.

--combinenets
    Argument: None
    Description: This parameter configures the ePO Extractor to combine all networks in a network group into a minimal set of non-overlapping ranges. This parameter is only usable (or useful) with the --netgroup parameter.
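The --minsize / --maxsize filter, the --createnets fallback and the --combinenets merge interact, and the --createnets worked example above is easy to reproduce. The following is an added example, not the ePO Extractor's code, that implements the three behaviours with the standard ipaddress module and replays the guide's 10.4.5.1 / 10.4.6.1 scenario; the network lists passed to combine_networks are constructed.

```python
# Added example (not the ePO Extractor's code): network size limits,
# --createnets and --combinenets, replaying the guide's worked example.
import ipaddress

def _net(value):
    """Accept either a CIDR string or an IPv4Network."""
    if isinstance(value, ipaddress.IPv4Network):
        return value
    return ipaddress.IPv4Network(value, strict=False)

def size_limit(arg):
    """Turn a --minsize / --maxsize argument into a host count: a plain number
    (256) or a CIDR mask (/24). /31 gives 2 and /1 gives 2,147,483,648, the
    defaults the guide lists."""
    arg = str(arg).strip()
    if arg.startswith("/"):
        prefix = int(arg[1:])
        if not 0 <= prefix <= 32:
            raise ValueError(f"invalid CIDR mask {arg}")
        return 2 ** (32 - prefix)
    return int(arg)

def filter_by_size(networks, minsize="/31", maxsize="/1"):
    """Keep only networks whose address count lies within [minsize, maxsize]."""
    lo, hi = size_limit(minsize), size_limit(maxsize)
    return [n for n in map(_net, networks) if lo <= n.num_addresses <= hi]

def create_missing_networks(asset_ips, networks, createnets):
    """--createnets: any asset that falls in none of the extracted networks
    gets a synthetic network of the given CIDR size around its address."""
    prefix = int(str(createnets).lstrip("/"))
    result = list(map(_net, networks))
    for ip in asset_ips:
        addr = ipaddress.IPv4Address(ip)
        if not any(addr in n for n in result):
            result.append(ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False))
    return result

def combine_networks(networks):
    """--combinenets: collapse a network group's members into a minimal set of
    non-overlapping ranges. collapse_addresses also merges adjacent blocks,
    which goes beyond what the guide states, but the result stays
    non-overlapping, which is the Preventsys requirement."""
    return list(ipaddress.collapse_addresses(map(_net, networks)))

def worked_example(createnets="/24"):
    """The guide's scenario: assets 10.4.5.1 (/24) and 10.4.6.1 (/16) extracted
    with --maxsize 256, then --createnets applied."""
    extracted = filter_by_size(["10.4.5.0/24", "10.4.0.0/16"], maxsize=256)
    completed = create_missing_networks(["10.4.5.1", "10.4.6.1"], extracted, createnets)
    return [str(n) for n in completed]

if __name__ == "__main__":
    print(worked_example("/24"))
    print(worked_example("/28"))
    print([str(n) for n in combine_networks(
        ["192.168.1.0/26", "192.168.1.0/24", "192.168.1.64/26", "192.168.3.0/24"])])
```

Applying combine_networks to the output of a --roguenets extraction before adding the networks to a single --netgroup avoids the overlap failure the --netgroup entry describes.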
Parameter
Argument
Description
--errorpolicy
    Argument: The letter F, I or T
    Description: This parameter sets the import error policy (see Import Parameters (on page 101)). The argument to this parameter can be either F (for fail), I (for ignore), or T (for test). By default, the error policy is set to fail (F).

--defoperation
    Argument: The letter U, R or D
    Description: This parameter sets the import operation (see Data Creation and Modification (on page 92)). The argument to this parameter can be U (for update), R (for replace), or D (for delete). By default, the operation is set to update (U).

-v or --verbosity
    Argument: A number 0-4
    Description: This parameter configures how much output ePO Extractor prints to the console during its operation. By default, the verbosity is set to one, which displays a percentage complete indicator, and outputs any warnings or errors encountered. A verbosity of 0 will not output anything until the export is complete. A verbosity of 4 will output an enormous amount of information, including information on each asset and/or network read, whether they were filtered out for some reason, and why.

-? or --help
    Argument: None
    Description: Displays an overview of all available command line parameters, along with a brief explanation of each parameter and their default values.
Running the ePO Extractor
This section provides steps for running the ePO Extractor. You should have the ePO
Extractor installed before proceeding (see Installing the ePO Extractor (on page 102)).
To run the ePO Extractor
1 From the Windows desktop, select Start, then select Run. The Run window appears.
2 In the Open field, enter cmd, then click OK.
3 At the command line prompt, enter cd "C:\Program Files\ePO Extractor", then press Enter.
See ePO Extractor Usage Scenarios (on page 115) for examples about how to use
the ePO extractor.
ePO Extractor Usage Scenarios
The following two scenarios present ways in which asset and network data can be
imported into Preventsys from ePO.
Scenario A
Assume you have 3 subnets managed by ePO, and you want to export their asset
and network information into Preventsys. You also want to be able to scan each
network independently of the others.
- Subnet 10.4.0.0/16 contains user desktops which are configured by DHCP, each with an average financial impact of $1,000.00 and average operational impact of $500.00.
- Subnet 10.5.0.0/24 contains servers which are configured with static IPs, each with an average financial impact of $7,500 and average operational impact of $15,000.
- Subnet 10.5.1.0/24 contains user desktops which are configured by DHCP, each with an average financial impact of $1,000.00 and average operational impact of $500.00.
The rest of the subnet space is unused.
The SQL Server administrator has configured a User DSN named EPOUSER that
contains the proper credentials to login to the ePO database, and the proper
database, called ePO_COMPANY has been configured as the default database in the
DSN configuration.
The first ePO Extractor command line will extract the user desktop assets and
networks.
ePO_Extractor.exe --dsn EPOUSER -t D -r 10.4.0.0/16 -r 10.5.1.0/24 -x 10.5.0.0/24 -A user_assets.xml -N user_networks.xml --netprefix "User Networks" --finimpact 1000.00 --opimpact 500.00
The second ePO Extractor command line will extract the remaining server subnet.
ePO_Extractor.exe --dsn EPOUSER -t S -x 10.4.0.0/16 -x 10.5.1.0/24 -r 10.5.0.0/24 -A server_assets.xml -N server_networks.xml --netprefix "Server Networks" --finimpact 7500.00 --opimpact 15000.00
Because every asset must belong to a network, the network XML files would be
imported first, followed by the asset XML files.
Scenario B
You have over one hundred dynamic subnets that are public. For this reason, you
have deployed a Rogue System Detection agent on these subnets. You also have
some number of subnets with servers with static IPs, and all have ePO agents
installed. You would like the user groups Scanner Group A and Scanner Group B to
have access to all networks, and you would like the dynamic subnets to be placed in
the network group Visitor Subnets, so that you can scan the entire visitor range at
once. You do not care about the assets in the visitor subnets, but you do want to
extract the assets in the server subnet. You also do not care about tracking these
assets from a financial perspective.
- Visitor Subnets: Over 100 non-contiguous ranges of 192.168.1.0 to 192.168.50.255, various subnet sizes between 8 and 64 hosts each.
- Server Subnet: 192.168.60.0-192.168.90.255, unknown subnet sizes, Static
The first ePO Extractor command line will extract the visitor subnet networks.
ePO_Extractor.exe --dsn EPOUSER -t D -r 192.168.1.0-192.168.50.255 -N visitor_nets.xml --roguenets --netgroup "Visitor Subnets" --combinenets --usergroup "Scanner Group A" --usergroup "Scanner Group B" --minsize 8 --maxsize 64
Note that the --minsize / --maxsize might not have been necessary, but the rogue network detection algorithms are not perfect, so sometimes they detect subnet masks as being bigger than they actually are. The exclusion range was specified, just in case.
The second ePO Extractor command line will extract the server subnet's assets and
networks.
ePO_Extractor.exe --dsn EPOUSER -t S -r 192.168.60.0-192.168.90.255 -A server_assets.xml -N server_networks.xml --usergroup "Scanner Group A" --usergroup "Scanner Group B"
Once the networks and assets have been extracted, the two networks files will be
imported, followed by the server assets.
Chapter 7
Policies and Rules
The Preventsys Policy Library is a collection of packaged regulations, policies, and
configuration standards designed to make configuration and customization for your
environment as easy and fast as possible. The library includes policies and rules
based on the requirements of industry organizations, Federal and State governments,
and regulatory agencies governing financial services, healthcare, manufacturing, and
other industries. All these can be customized to the specific practices, specifications
and requirements of your organization, and linked directly to original paper-based
policies through PolicyLab. See the McAfee PolicyLab Product Guide for details.
The Proactive Compliance Module provides you with ready-made policy content,
rules, and mappings for both configuration standards and regulatory policies. Based
on frameworks like COBIT and ISO 17799, Preventsys has created hundreds of
predefined rules to measure an organization's compliance with government,
regulatory policies and security standards and guidelines. These templates are ready
to use out-of-the-box and enable you to automate the time consuming task of
compliance reporting against your internal and external security policies.
Useful Terms
Please review the following terms before continuing with this chapter.
• PDL Rule: A Policy Definition Language (PDL) rule identifies specific policy
violations and vulnerabilities via analysis. Rules are defined using XSL
templates.
• Policy: A Policy is a combination of one or more PDL rules. PDL rules can also
be combined to create custom policies tailored to your corporate security policy.
Configuring Your System for Policy Analysis
Before Preventsys can analyze the results of an assessment against a security policy,
you must first set up your PDL rules and policies and all associated properties, and
update your Policy Library by importing the current set of policies and rules supplied
with Preventsys.
Note: If you do not want to analyze your networks against policies, you must still
make sure that the Preventsys Default Vulnerability Policy is available and selected
for each Assessment Configuration that you want to return any found vulnerabilities.
If you do not select this policy, Preventsys will not create vulnerabilities, conduct
threat correlation, or create remediation tasks, and you will not be able to view
reports based on the assessment results. In this case, you can conduct a reanalysis
using the Preventsys Default Vulnerability Policy and the results of your assessment,
which will perform the analysis the same as if the policy had been selected before the
assessment ran.
Initial Rule Setup
When Preventsys' standard PDL rules are first installed, they will require some
modifications to ensure that your assets and networks are specified for property
fragments.
► To ensure assets and networks are specified for property fragments
1. Perform an assessment of your networks, which will populate the asset and
network tables.
2. Assign the standard host property specifications to the various assets on your
system as desired. See Managing Assets (on page 65) for details.
3. Assign the standard network properties to the various networks on your system
as desired. See Managing Networks (on page 81) for details.
4. Generate or regenerate those properties listed in the Properties Used in Rules
table using PolicyLab. See the McAfee PolicyLab Product Guide for details.
Some rules provide instructions about which property fragments should be added
and where in the rule text they should be placed. Other rules already have shells of
host properties in them. First, generate a fragment corresponding to the shell that
you see in the rule. Then replace the shell with the generated fragment. The new
property fragments will have an updated list of assets.
Managing PDL Rules
Host properties and network properties are referenced within PDL rules to denote
conditions that signify policy violations upon analysis. Preventsys ships with
standard PDL rules configured to detect policy violations based on assessment
results as applied to specific host properties and network properties. In this manner,
you can customize the assessment process without developing XSL for new PDL
rules.
A number of standard PDL rules are included with Preventsys. Using the PolicyLab
Client, you can create policies using these rules, or develop custom PDL rules to
address specific concerns. See the McAfee PolicyLab Product Guide for details.
You can also view Preventsys policies and rules as well as polices and rules that you
have created or modified in the PolicyLab application.
All PDL rules are assigned a description, rule type, severity, and XSL text.
The PDL rule type identifies whether the rule detects a policy violation or
vulnerability. There are five basic rule types:
• Violation of Network Policy
• Information
• Host Compromised
• Exploitable Vulnerability
• Custom Vulnerability
• Exposure Analysis
• Manual Audit Task
Note: To view a mapping of the scanners, common scanner tests, properties,
characteristics, and rule types associated with each rule, see the McAfee Preventsys
Risk Analyzer and Compliance Auditor Policy Reference Guide.
PDL rules are stored by version. Editing an existing PDL rule via the PolicyLab
application will result in the creation of a new version of the PDL rule.
The list of PDL rules displays current versions by default, but you can view all
versions using the View All Versions of PDL Rules function.
All rule administration is conducted from the PDL Rule Management screen.
► To access the PDL Rule Management screen
• From the Preventsys menu, select Policies > Rules. The PDL Rule
Management screen appears.
• The current version of each PDL rule is displayed by default. To view all
previous versions as well, click Show all Versions.
• To view the XML for a rule, click View.
Deactivating a PDL Rule
Use the Deactivate function to deactivate PDL rules.
► To deactivate a rule
1. From the Preventsys menu, select Policies > Rules. The PDL Rule
Management screen appears.
2. Click Deactivate for the rule you want deactivated. A confirmation pop-up box
appears.
3. Click OK to deactivate the rule.
Managing Policies
Policies are created through the grouping of PDL rules. All policies are assigned a
name, a description, a category, and a selection of PDL rules. See the McAfee
Preventsys Risk Analyzer and Compliance Auditor Policy Reference Guide for a
detailed list of the policy packages and rules available from Preventsys.
You can view policy source documents, view details about a policy such as a list of
associated rules, delete policies, and import/export policies. In order to create or edit
policies, the stand-alone Preventsys PolicyLab application must be used. See the
McAfee PolicyLab Product Guide for details about creating and editing policies.
Policies are stored by version. Editing an existing policy via the PolicyLab application
will result in the creation of a new version of the policy.
The policy list displays current versions by default, but you can view all versions
using the View All Versions of Policies function.
All Policy administration is conducted from the Policy Management screen.
► To access the Policy Management screen
• From the Preventsys menu, select Policies > Policies. The Policy Management
screen appears.
• The current version of each policy is displayed by default. To view all
previous versions as well, click Show all Versions.
• The first policy module listed is displayed by default. To view a different set
of policies, select the type of policy you want to view from the Policy
Module dropdown list and click >>.
Viewing Policy Details
Use the View function to view details about a policy.
► To view details about a policy
1. From the Preventsys menu, select Policies > Policies. The Policy Management
screen appears.
2. Click View for the policy you want. The View Policy screen appears, which lists
all rules associated with the policy.
Viewing Policy Source Documents
Use the View Source function to view the actual source document for a policy.
► To view a policy's source document
1. From the Preventsys menu, select Policies > Policies. The Policy Management
screen appears.
2. Click View Source for the policy you want to view. The policy's source
document appears in a new browser window.
3. Close the new window when finished.
Note: Some policies (for example, the Basel Policy) will display a legal
disclaimer in a separate window when selected.
Deactivating a Policy
Use the Deactivate Policy function to deactivate policies. Policies that are
deactivated will no longer be displayed in Preventsys. The deactivated policy will
also be removed from any assessment configurations in which it was referenced.
The policy will need to be imported again to be displayed.
► To deactivate a policy
1. From the Preventsys menu, select Policies > Policies. The Policy Management
screen appears.
2. Click Deactivate for the policy you want deactivated. A confirmation pop-up box
appears.
3. Click OK to deactivate the policy.
Importing and Exporting Custom Policies
You can import policies you have access to via your local machine using the Import
Policy function on the Policy Management screen. You can also save policies in
Preventsys to local media using the Export function on the same screen.
If any rules in the imported policy contain properties such as Host Property
Specifications, Host Property Labels, and Network Properties, you will need to
manually recreate all associated properties and services, manually assign them to
assets and networks on your system, and then recreate the fragments associated
with the imported rules.
For example, the E-Commerce_Servers_on_DMZ rule utilizes the standard network
property DMZ. After importing a new policy that includes this rule, you must ensure
that the DMZ network property is applied to all appropriate networks in order for the
imported policy to function properly.
Importing a Policy
Use the Import Policy function to import policies that are accessible from local
media.
► To import a new policy
1. From the Preventsys menu, select Policies > Policies. The Policy Management
screen appears.
2. Click Import Policy. The Import Policy screen appears.
3. Enter the name of the File to import, or click Browse to locate the file in the file
library.
4. Enter a suffix for the policy filename in the Global Suffix field.
5. Click Submit to import the selected policy.
6. If the imported policy's name conflicts with an existing policy, the Import Policy
Conflict screen appears.
7. You can modify the policy filename and all included rule filenames to resolve
conflicts.
8. Click Submit to save the modified filenames.
Exporting a Policy
Use the Export Policy function to export policies to local media.
► To export a policy to an external file
1. From the Preventsys menu, select Policies > Policies. The Policy Management
screen appears.
2. Click Export for the policy you want to export. A separate browser window
appears displaying the signed XML text of the selected policy.
3. Use the browser's Save As function to select a destination for the exported
policy data.
4. The file is saved to the destination you specified.
Updating the Policy Library
Updates to the Preventsys Policy Library can include the addition of new policies and
rules as well as updates to existing policies and rules. Updates to existing policies
and rules will cause the versions of those policies and rules to change. In this case,
you must manually reapply any changes to the newly imported policy or rule. These
changes include regenerating all property fragments for any property-based rule as
well as adding other custom changes. Likewise, changes to a rule require updating
each policy that uses that rule. It is important to understand that your modified rule
or policy may no longer be the current rule or policy in Preventsys. However, the old
rule will not be deleted.
Importing an updated Policy Library also creates new properties in Preventsys. Like
any new property, user specific network and asset information needs to be added to
the properties prior to their usage. Likewise, any rule that references these
properties will need to be updated after the properties have been changed.
See Policy Library Module Installation (on page 362) for details about installing or
upgrading policy content in the Threat Policy or the Regulatory Policy modules.
Note: The import process may take a few minutes to complete. Never use your
browser's Back, Stop, or Refresh buttons on any of the update or rollback
pages. As a safeguard, it is recommended that you log out of the product, or close
your browser after the update or rollback process has finished and the confirmation
screen appears. Then, log back in as you normally would.
► To update the policy library
1. From the Preventsys menu, select Policies > Import Preventsys Policy. The
Import Preventsys Policies screen appears and displays the policy libraries
currently installed as well as all available updates.
Note that when you first install Preventsys, there are no pre-installed policy
libraries.
2. Click Load Available Libraries to install all of the available policy updates listed.
All potential conflicts between the policy updates and existing resources (for
example, services with the same name) are then displayed. If requested, you
must correct these conflicts before you can continue.
Figure 6: Example of an import with conflicts
3. Click Next to import the policies.
4. All new policies, rules, properties, and services are imported.
5. Click Done to return to the Dashboard or Rollback to undo your updates. Note
that this will be your "only" opportunity to roll back the updates you just made.
► To roll back updates to the policy library
1. Immediately after an update and before navigating to any other screens, click
Rollback, then click Continue.
Note: You can only roll back to the latest previous version of the Policy Library
immediately after an update.
2. The updates applied during the import you just completed will be removed.
Chapter 8
Assessments and Connectors
Preventsys allows you to obtain assessment data (results from assessments) by
conducting assessments directly from within Preventsys using assessment tools for
which Preventsys has created a command and control interface (see Supported
Command and Control Connectors on page 130) or by importing assessment data
captured externally. See Importing External Assessment Data (on page 151).
Useful Terms
Please review the following terms before continuing with this chapter.
• Connector Configuration: A connector configuration is a set of parameters
that controls the behavior of a particular assessment tool supported by the
Preventsys Assessment Server during an assessment. A popular parameter
defined in a connector configuration is the set of tests and checks to run during
an assessment. Unlike an Instance Configuration, a Connector Configuration
can be applied to any defined instance of the same assessment tool. For
example, if the same assessment tool was installed in three different locations,
a single Connector Configuration can be applied to each of these installations.
• Assessment Configuration: An Assessment Configuration is a set of
parameters that controls which assessment tools and connector configurations
are used for the assessment, the networks that will be assessed, the assets (if
any) that will be excluded, the policies that will be analyzed against the results of
the assessment, and whether threat alerts will be analyzed against the results of
the assessment.
• Assessment Schedule: An Assessment Schedule specifies when the
assessment will run and how often. Assessments can be scheduled to run once
immediately, once on a specific day and time, or recurrently.
• Vulnerability: A vulnerability is a weakness in a system allowing an attacker to
potentially violate the integrity, confidentiality, access control, availability,
consistency or audit mechanism of the system or the data and applications it
hosts. Vulnerabilities can result from bugs or design flaws in the system. A
vulnerability might exist only in theory, or might have a known exploit. During an
assessment, Preventsys identifies vulnerabilities based on the results of the
scanner-specific tests/checks that are run. If you have the Preventsys Threat
Intelligence feature, then external threats that exploit the vulnerabilities found
are correlated and turned into actionable threats. See Configuring the Threat
Feed Manager Proxy (on page 26) for details.
• Vulnerability Coalescing: The Preventsys RiskScore engine coalesces security
facts from your assessment tools to automatically aggregate, transform, classify,
and correlate vulnerability and configuration data into a prioritized remediation
task list. For example, Nessus and Nmap will often report the same vulnerability
for the same asset in different ways for the same or multiple ports. Preventsys
coalesces all these issues into one remediation task with multiple descriptions.
See Vulnerability and Violation Coalescing (on page 148) for details.
• Violation: A violation is the breach of a Preventsys PDL rule that was part of a
policy analyzed against the results of an assessment during the Policy Analysis
phase. A violation means that the conditions of the rule in a security policy were
not met. For example, a Certificate_Expiration rule checks to make sure no
expired certificates are in use based on assessment data gathered from any of
the many assessment tools supported by Preventsys. If expired certificates are
in use, this may not be considered a vulnerability, but it would be a violation of
this rule. See Vulnerability and Violation Coalescing (on page 148) for details.
Another type of violation is a Manual Audit Task violation. A Manual Audit Task
can be associated with a Manual Audit Task rule, which can check whether the
Manual Audit Task meets certain criteria (for example, integrity checks). If the
Manual Audit Task does not meet these criteria, then the rule can cause a
violation. See Understanding Manual Audit Task Rules and Policy Violations (on
page 213) for details. Also, see the McAfee PolicyLab Product Guide for details
about creating Manual Audit Task rules.
• Assessment Import: Use the Assessment Import function to import
assessment data that was gathered outside Preventsys. See Importing External
Assessment Data (on page 151) for details.
• Reanalysis: A Reanalysis is when you choose to analyze the results of a
successful assessment against another policy (or policies) regardless of whether
the initial assessment included a policy. See Re-Analyzing Assessment Results
(on page 162) for details.
• Remediation Task: A remediation task is created based on either a vulnerability
or a violation found by Preventsys. This task can be assigned to a user, so that it
can be fixed, and then verified by Preventsys. Remember that Remediation
Tasks are different from Manual Audit Tasks. However, a Manual Audit Task
Violation can cause an associated Remediation Task to be created (referred to as
a Manual Audit Violation Type Remediation Task). A Manual Audit Task Violation
is always associated with the first assessment that finds it even if it is found by
multiple assessments. Therefore, you will need to run an assessment using the
assessment configuration associated with the assessment that found the
violations, to verify the Manual Audit Violation Type Remediation Tasks. See
About the Remediation Lifecycle and Workflows (on page 165) for details.
The Basics
Before you can conduct assessments, you must do the following:
1. Add at least one Assessment Server and one associated Instance Configuration
(see Assessment Servers (on page 30) for details).
2. Add at least one network and associated network group (see Assets and
Networks (on page 65) for details).
3. Add a connector configuration for the type of connector desired (see Managing
Connector Configurations (on page 130) for details).
4. Add an assessment configuration that includes the connector configuration and
network group you created (see Managing Assessment Configurations (on page
133) for details).
5. Schedule your assessment (see Managing Assessment Schedules (on page 137)
for details).
Supported Command and Control Connectors
The following assessment tools are supported by the Preventsys command and
control interface, which allows you to conduct assessments with these tools directly
from within Preventsys.
You can also add support for third-party assessment tools by using Preventsys'
third-party connector API. Contact McAfee Support for details.
• AppDetective
• FoundScan
• ISS Internet Scanner
• ISS SiteProtector
• MBSA
• Nessus
• Nmap
• Network Architect Assessor
• QualysGuard
• Retina
• ScanAlert
• WinReg
Managing Connector Configurations
Before you can create an assessment configuration and conduct an assessment, you
must create a connector configuration for the connector types you want the
assessment to use. A wide range of scanner options and configuration settings are
available for the connectors supported by Preventsys. See Connector Configurations
(on page 313) for details about specific connector options.
All connector configuration administration is conducted from the Connector
Configuration Management screen.
► To access the Connector Configuration Management screen
• From the Preventsys menu, select Assessments > Connector
Configurations. The Connector Configuration Management screen
appears.
The Connector Management Screen displays your existing connector configurations.
From this screen, you can add new configurations as well as edit and delete
configurations.
Note: If the connector instance associated with a connector configuration is
unavailable, the Edit function for that configuration is disabled and a warning
message is displayed. This can happen if the Management Server cannot connect to
the Assessment Server or if the connector's instance configuration has incorrect
information such as an invalid IP or username. See Assessment Servers (on page
30) for details about instance configurations.
Adding a Connector Configuration
Use the Add Connector Configuration function to add new connector configurations.
► To add a new connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations,
then select the Add New Configuration tab to display a list of available
connector types.
Note: Only the connectors for which you have added an instance configuration
on a running Assessment Server are listed. Therefore, if the Management
Server cannot connect to your Assessment Server for any reason, the instance
configurations on that server will not be listed.
2. Select the desired connector type, then select ». The connector's configuration
screen appears.
3. Enter a name for the connector configuration in the Connector Configuration
Name text box. Note that a connector configuration's name cannot be changed
once submitted.
4. Enter all required information and any optional information desired.
5. To save your settings, click Submit.
Editing a Connector Configuration
Use the Edit Connector Configuration function to modify existing connector
configurations.
When you access the Edit Connector Configuration screen, Preventsys reviews the
configuration options for the associated connector against the options on each
Assessment Server. If the options do not match (for example, you have updated the
connector since this connector configuration was added), Preventsys will display all
options that were present when the connector configuration was created as well as
any new options with their associated default settings.
► To edit an existing connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations,
then click Edit for the connector configuration you want to modify. The Edit
Connector Configuration screen appears.
Note: If the connector instance associated with a connector configuration is
unavailable, the Edit function for that configuration is disabled and a warning
message is displayed. This can happen if the Management Server cannot
connect to the Assessment Server or if the connector's instance configuration
has incorrect information such as an invalid IP or username. See Assessment
Servers (on page 30) for details about instance configurations.
2. Edit the connector's configuration as desired. Note that a connector
configuration's name cannot be modified.
3. To save your changes, click Submit.
Deleting a Connector Configuration
Use the Delete Connector Configuration function to remove connector
configurations.
► To delete a connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations,
then click Delete for the connector configuration you want removed. A
confirmation pop-up box appears.
2. Click OK to delete the connector configuration.
Managing Assessment Configurations
Assessment configurations represent specific schemes for performing network
security assessments. Each assessment configuration includes a unique name, a list
of network groups selected for the assessment, an optional list of policies against
which the assessment will be analyzed, a selection of connector configurations that
will perform the assessment, and any exclusion lists you specify.
All assessment configuration administration is conducted from the Assessment
Configuration Management screen.
► To access the Assessment Configuration Management screen
• From the Preventsys menu, select Assessments > Assessment
Configurations. The Assessment Configuration Management screen
appears.
Note: If you are a member of the Super User group, then all assessment
configurations are displayed. Otherwise, only assessment configurations associated
with network groups made up completely of networks that are within the range of
the network permissions of the groups to which you belong are displayed.
Adding an Assessment Configuration
Preventsys recommends that assessment configurations be used as a mechanism to
group reporting so that the network groups and policies define a logical reporting
structure like Line of Business (LOB) or organizational unit. It is not recommended
that several assessment configurations contain exactly the same network groups and
policies and differ only in the connector configurations used. This can lead to
confusing results during enterprise group summary reporting because only the latest
analyses for each network group and policy combination from the associated
assessment configuration will be shown. If there is an overlap, this may be
confusing.
Policy Analysis
If no policies are selected in an assessment configuration, then the assessment's
results will not be available for generating reports until policies are applied via the
Re-Analyze Assessment Results function.
If you do not want to analyze your networks against a specific policy, select the
Preventsys Default Vulnerability Policy for each assessment configuration that you
want to return any found vulnerabilities. If you do not select this policy, Preventsys
will not create vulnerabilities, conduct threat correlation, or create remediation tasks,
and you will not be able to view reports based on the assessment results. In this
case, you can still conduct a reanalysis using the Preventsys Default Vulnerability
Policy, which will perform the analysis the same as if the policy had been selected before
the assessment ran.
Threat Analysis
If the Threat Analysis option is not selected, then Preventsys will not perform threat
correlation.
In addition to standard network assessments, Preventsys supports the use of
Manual Audit Tasks (MAT) to track and confirm manual audit tasks that do not lend
themselves to traditional electronic solutions. See Manual Audit Tasks (on page 203)
for details.
► To add an assessment configuration
1. From the Preventsys menu, select Assessments > Assessment
Configurations, then click Add New. The Add Assessment Configuration
screen appears.
2. Enter a name for the assessment configuration in the Name text box.
3. Select the connector configurations you want used during the assessment from
the Named Connector Configs list box.
4. Select the network group you want assessed from the Network Group list box.
Note: If you are a member of the Super User group, then all network groups are
displayed. Otherwise, only network groups made up completely of networks
that are within the range of the network permissions of the groups to which you
belong are displayed.
5. If you want any assets ignored during the assessment, select their associated
exclusion lists from the Excluded list box.
6. If you want the results of the assessment analyzed, select the policies desired
from the Policies list box. By default, only the latest version of each policy
appears. To see all versions of each policy, click View all.
7. If you want the results of the assessment analyzed against threat alerts, select
Perform Threat Analysis.
8. To save your settings, click Submit.
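The Super User note above, and the same note under the Assessment Configuration
Management screen, describe one visibility rule: a non-Super User sees a network
group (and so any assessment configuration built on it) only when every network in
the group lies completely inside the network permissions of the user's groups. The
following Python is an added illustration of that rule written for this guide; it is not
Preventsys code. The permission data model, the function names, and the sample
groups and ranges are constructed assumptions. Ranges may be written either as
CIDR blocks or as first-last ranges like those in the ePO Extractor scenarios.

```python
"""Added example: which network groups and assessment configurations a user can
see, following the "made up completely of networks within the network permissions"
rule in the guide. Not Preventsys code; data model and sample values are assumed."""
import ipaddress
from typing import Dict, List

# Constructed sample data (not from any real deployment).
GROUP_PERMISSIONS: Dict[str, List[str]] = {      # user group -> permitted networks
    "Scanner Group A": ["192.168.1.0-192.168.50.255"],
    "Scanner Group B": ["192.168.60.0/22"],
}
NETWORK_GROUPS: Dict[str, List[str]] = {         # network group -> member networks
    "Visitor Subnets": ["192.168.1.0-192.168.1.63", "192.168.20.0/26", "192.168.49.128/25"],
    "Server Networks": ["192.168.60.0/24", "192.168.61.0/24"],
    "Lab": ["192.168.60.0/24", "10.0.0.0/24"],   # partly outside both groups' permissions
}
ASSESSMENT_CONFIGS: Dict[str, str] = {           # assessment configuration -> network group
    "Visitor-Sweep": "Visitor Subnets",
    "Server-Audit": "Server Networks",
    "Lab-Audit": "Lab",
}


def parse_ranges(spec: str) -> List[ipaddress.IPv4Network]:
    """Turn 'a.b.c.d/n' or 'first-last' into the minimal list of CIDR blocks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def covered(spec: str, permitted: List[ipaddress.IPv4Network]) -> bool:
    """True when every block of the network lies inside some permitted block."""
    return all(any(blk.subnet_of(p) for p in permitted) for blk in parse_ranges(spec))


def visible_network_groups(user_groups: List[str], is_super_user: bool,
                           group_permissions=GROUP_PERMISSIONS,
                           network_groups=NETWORK_GROUPS) -> List[str]:
    """Super Users see everything; everyone else only fully covered groups."""
    if is_super_user:
        return sorted(network_groups)
    permitted: List[ipaddress.IPv4Network] = []
    for g in user_groups:
        for spec in group_permissions.get(g, []):
            permitted.extend(parse_ranges(spec))
    # One member network outside the permissions hides the whole group.
    return sorted(name for name, nets in network_groups.items()
                  if all(covered(n, permitted) for n in nets))


def visible_assessment_configs(user_groups: List[str], is_super_user: bool,
                               configs=ASSESSMENT_CONFIGS, **kw) -> List[str]:
    """An assessment configuration is listed only if its network group is visible."""
    groups = set(visible_network_groups(user_groups, is_super_user, **kw))
    return sorted(name for name, group in configs.items() if group in groups)


if __name__ == "__main__":
    print(visible_assessment_configs(["Scanner Group A"], False))
    print(visible_assessment_configs(["Scanner Group A", "Scanner Group B"], False))
    print(visible_assessment_configs([], True))
```

With the constructed data, a member of Scanner Group A alone sees only
Visitor-Sweep; a member of both groups also sees Server-Audit; Lab-Audit is hidden
from both because 10.0.0.0/24 is outside their permissions, even though the Lab
group's other network is fully permitted.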
Editing an Assessment Configuration
Use the Edit Assessment Configuration function to edit existing assessment
configurations.
► To edit an assessment configuration
Note: Vulnerabilities are found by the selected connector during an assessment.
Those vulnerabilities are then automatically associated with remediation tasks. If you
edit the connector's checks (or delete a connector) such that the checks that found
those vulnerabilities will not be run the next time the assessment is conducted, then
the associated Unassigned, Unresolved, and Claimed Resolved remediations will be
automatically verified because of the absence of their associated vulnerabilities.
1. From the Preventsys menu, select Assessments > Assessment
Configurations, then click Edit for the assessment configuration you want to
modify. The Edit Assessment Configuration screen appears.
2. Edit the assessment configuration as desired. Note that the assessment
configuration's name cannot be modified.
3. To save your changes, click Submit.
Deleting an Assessment Configuration
Use the Delete Assessment Configuration function to remove existing assessment configurations. When you delete an assessment configuration, its associated schedules are also deleted. In addition, Preventsys changes any remediation tasks associated with that assessment configuration that are in the Unassigned, Unresolved, or Claimed Resolved states to Verified. If these issues are not fixed, they will reappear during the next assessment that finds them. This allows for more accurate trending of issues over time.
136
McAfee Preventsys Risk Analyzer and Compliance Auditor
Assessments and Connectors
Note: Due to Preventsys' Coalescing of Multi-vendor Assessment Data, a remediation can contain more than one vulnerability. If a remediation task contains multiple vulnerabilities and at least one of them is not associated with the deleted configuration, then the remediation task is not changed to Verified. However, the affected vulnerabilities are deleted.
To delete an assessment configuration
1 From the Preventsys menu, select Assessments > Assessment Configurations, then click Delete for the assessment configuration you want removed. A confirmation pop-up box appears.
2 Click OK to delete the selected assessment configuration.
Managing Assessment Schedules
Assessment scheduling functions are used to schedule the execution of previously
defined assessment configurations. Assessments can be scheduled to execute
immediately, execute once at a specified date and time, or execute periodically
according to a recurring schedule.
Note that assessments that are configured with a recurring schedule will continue to
be run indefinitely, according to the specified date parameters, until the assessment
schedule is altered by editing or deleting the schedule.
Once you have scheduled assessments you can view the status of all pending
assessments via the View Assessment Status function.
The Create Assessment Schedule function allows authorized Preventsys users to schedule previously configured assessments for execution. There are three basic types of schedules:
• Execute Immediately
• Schedule Once
• Recurring Schedule
All assessment schedule administration is conducted from the Assessment Schedule Management screen.
To access the Assessment Schedule Management screen
• From the Preventsys menu, select Assessments > Assessment Schedules. The Assessment Schedules Management screen appears.
Note: If you are a member of the Super User group, then all assessment schedules
are displayed. Otherwise, only assessment schedules for assessment configurations
associated with network groups made up completely of networks that are within the
range of the network permissions of the groups to which you belong are displayed.
From this screen, you can add new schedules as well as view schedules whose start
dates have not yet occurred. For example, if you create a schedule that will start one
week from today, that schedule will appear on the View Assessment Status screen
as a future assessment.
Adding an Assessment Schedule
Use the Add Assessment Schedule function to schedule previously configured assessments for execution.
You can schedule an assessment configuration to run immediately, once based on a specific date and time, or recurring based on the frequency you specify.
To run an assessment immediately
• From the Preventsys menu, select Assessments > Assessment Schedules, then click Execute Now. The assessment will run immediately.
To schedule an assessment
1 Do one of the following:
• From the Preventsys menu, select Assessments > Assessment Schedules, then click Add New.
• From the Preventsys menu, select Assessments > Assessment Configurations, then click Schedule for the desired assessment configuration.
The Add Assessment Schedule screen appears.
2 In the Assessment Name drop-down list, select the assessment configuration you want to schedule if not already selected.
Note: If you are a member of the Super User group, then all assessment configurations are displayed. Otherwise, only assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
3 Under Schedule Type, do one of the following:
• To have the assessment run when you click Submit, select Execute Immediately.
• To have the assessment run on a certain date and time, select Schedule Once, enter a start date that is greater than today's date, then enter a start time.
• To have the assessment run more than once, select Recurring Schedule, enter a start date that is greater than today's date, then enter a start time. Next, select the frequency on which you want the assessment to run, then configure the timing options you want. The assessment will run on the start date and time you specified, and thereafter, based on the frequency you specified.
Note: When selecting a recurring schedule, make sure you enter a valid date. For example, if you select a yearly frequency and enter February 31st, the system will accept the date, but it will be internally recalculated to a valid date, which in this case would be March 2nd.
4 To save your settings, click Submit.
Editing an Assessment Schedule
Use the Edit Assessment Schedule function to edit assessment schedules.
To edit an assessment's schedule
1 From the Preventsys menu, select Assessments > Assessment Schedules, then click Edit for the assessment schedule you want to modify.
2 Edit the assessment's schedule as desired.
3 To save your changes, click Submit. Changes to the schedule will not affect assessments that are already running.
Deleting an Assessment Schedule
Use the Delete Assessment Schedule function to remove existing assessment schedules. Note that when you delete a schedule, the assessment configuration remains.
To delete an assessment's schedule
1 From the Preventsys menu, select Assessments > Assessment Schedules, then click Delete for the assessment schedule you want removed. A confirmation pop-up box appears.
2 Click OK to delete the assessment schedule. Deleting the schedule will not affect assessments that are already running.
Managing Assessments
Once an assessment starts, you can view the details of that assessment as well as
pause, resume, and cancel the assessment. You can also manage which completed
assessments are displayed on the Assessment Management screen using the hide
and un-hide functions.
To access the Assessment Status Management screen
• From the Preventsys menu, select Assessments > Assessment Status. The Assessment Status Management screen appears.
From this screen, you can access detailed status information about assessments that
are in progress as well as those that have completed. You can also pause and
resume or cancel assessments, clean up your view by hiding old assessments, and
delete assessments.
Note: If you are a member of the Super User group, then all assessment statuses are displayed. Otherwise, only assessment statuses for assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
Viewing Assessment Details
The Assessment Details screen presents additional and detailed information about a
specific assessment, such as the scanners used during the assessment, the
schedule, when the assessment was started and when it completed, the completion
status, a list of any asset exclusion lists that were applied, and if there were partial
scan results. It also lists each task conducted for the assessment and the analysis
and their associated statuses.
Note: You can also access details about an assessment by clicking the Assessment Details link.
141
McAfee Preventsys Risk Analyzer and Compliance Auditor
¾
Assessments and Connectors
To view details about an assessment
• From the Preventsys menu, select Assessments > Assessment Status, then click Details for the desired assessment. The Assessment Details screen appears.
Figure 7: Sample Assessment Details screen displaying a successful
assessment and running analysis
Figure 8: Sample Assessment Details Screen displaying a failed
assessment task and therefore partial results are available
Figure 9: Sample Assessment Details Screen displaying a failed analysis
task and therefore partial results are available
Pausing and Resuming an Assessment
Use the Pause and Resume Assessment functions to pause an assessment that is in
progress and then resume it at a later time. Only assessments that are in progress
can be paused and only assessments that are paused can be resumed.
Note: You cannot pause assessment imports.
To pause and resume an assessment
1 From the Preventsys menu, select Assessments > Assessment Status, then click Pause for the assessment you want paused. A confirmation pop-up box appears.
2 Click OK to pause the assessment. The Pause option is changed to Resume.
3 To resume the assessment, click Resume.
Note: An assessment can also be paused if a network time window closes before
the assessment can complete. Preventsys will automatically resume the
assessment once the time window opens again. See Time Windows (on page 83)
for details.
Canceling an Assessment
On the Assessment Status Management screen, there are two ways to cancel an assessment that is in progress: clicking Terminate All Immediately stops all current assessment activity, while selecting Cancel for an individual assessment or Cancel All cleanly stops current assessment activity.
When you click any of these options, a confirmation pop-up box is displayed. Click OK to continue or Cancel to quit. If you selected OK, Preventsys cancels the assessment(s).
Note: You cannot cancel assessment imports.
Hiding and Un-hiding Assessment Statuses
You can use the Hide function to clean up the Assessment Status Management - Standard View screen by hiding completed assessments from view. Hidden assessments can always be displayed again by using the Unhide option available on the Assessment Status Management - Extended View screen.
To hide and unhide an assessment
1 Do one of the following:
• From the Preventsys menu, select Assessments > Assessment Status, then click Standard View to see all in-progress assessments and completed assessments that have not been hidden.
• From the Preventsys menu, select Assessments > Assessment Status, then click Extended View to see all hidden and not hidden in-progress assessments and completed assessments.
2 Click Hide for the assessment you want hidden. A confirmation pop-up box appears.
3 Click OK to hide the assessment. The assessment can no longer be seen from the Assessment Status Management - Standard View.
4 To unhide an assessment, go to the Assessment Status Management - Extended View screen, then click Unhide for the assessment you want unhidden. A confirmation pop-up box appears.
5 Click OK to unhide the assessment.
Deleting Assessments
When an assessment is deleted, all vulnerabilities that were initially found based on
that assessment as well as their associated remediations are removed from
Preventsys.
Vulnerabilities and their associated remediations that were initially found in previous assessments and carried forward to the deleted assessment are not deleted. They remain and keep their latest status (for example, Unassigned, Assigned, Claimed Resolved, False Positive, Accepted Risk, or Verified). Any re-analyses associated with the deleted assessment are also deleted. If the deleted assessment is also the latest assessment, then the previous assessment becomes the new latest assessment for that assessment configuration.
Note: When an assessment is deleted, Preventsys goes into Maintenance Mode until the removal is complete. If you attempt to delete another assessment before the removal is complete, the message "Only one process may run at a time" is displayed. Wait until Preventsys is no longer in Maintenance Mode to delete another assessment.
Deleting an Assessment Using the Administrative Client
To delete an assessment using the Administrative Client
1 From the Preventsys menu, select Assessments > Assessment Status, then click Delete for the assessment you want removed. A confirmation pop-up box appears.
2 Click OK to delete the assessment.
Deleting an Assessment Using the Preventsys AIU
To delete an assessment using the Preventsys Assessment Import Utility (AIU), the AIU must first be installed. See Importing from the Command Line (on page 158) for details about installation.
The p_scan_id parameter must be used with the remove_scan command. The p_scan_id is the Preventsys Scan ID of the scan you want removed.
Before using the AIU, the following arguments must be placed in the file dataimport.conf in the same directory as the remove_scan utility.
Property values of dataimport.conf:

# URL of the Preventsys Administrative Client
preventsys.webservice.host = <host or IP address>
preventsys.webservice.port = <8888>
# Preventsys login info
preventsys.login.username = <preventsys user name>
preventsys.login.password = <preventsys password>
truststore.filename = <full path to truststore>
truststore.password = <truststore password>
To delete an assessment using the Preventsys AIU
1 Identify the Preventsys Scan ID for the assessment you want deleted.
Note: To locate the Preventsys Scan ID for an assessment, select Reports > Executive Summary from the Preventsys menu. Select the desired assessment from the report context at the top of the screen. After the report refreshes with the selected data, click Assessment Details located in the top, right-hand corner of the report. The scan ID is the same as the Assessment ID (see the following figure).
2 After you have identified the Preventsys Scan ID for the assessment you want to delete, use the remove_scan command and the <p_scan_id> parameter to perform the removal: remove_scan -scan_id <p_scan_id>
For example:
> remove_scan -scan_id 8813212898813212
Local process has finished successfully. Payload is being
sent to the server to be completed....
Successfully removed data for scan_id = 8813212898813212
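The dataimport.conf properties and the remove_scan procedure above can be checked before the command is run. The following Python script is an added example, not part of McAfee's AIU or this guide: it parses a dataimport.conf in the form shown, flags unfilled placeholders, a bad port, a missing truststore file and a conf file readable by other users (it holds a plaintext password), and builds the remove_scan command line; the function names and the sample values are assumptions.

```python
"""Pre-flight check before running the AIU's remove_scan command.

Added example, not part of McAfee's AIU or this guide. It parses a
dataimport.conf written in the key = value form the guide shows, checks that
the properties remove_scan needs are filled in, warns when the file (which
holds a plaintext password) is readable by other users, and builds the
remove_scan command line. Property names come from the guide; the function
names and checks are this example's own.
"""
import os
import re
import stat

# Property names exactly as the guide lists them for dataimport.conf.
REQUIRED_PROPERTIES = (
    "preventsys.webservice.host",
    "preventsys.webservice.port",
    "preventsys.login.username",
    "preventsys.login.password",
    "truststore.filename",
    "truststore.password",
)


def parse_dataimport_conf(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d is not a key = value pair: %r" % (lineno, raw))
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def validate_dataimport_conf(props, path_exists=os.path.exists):
    """Return a list of problems; an empty list means the conf is usable."""
    problems = []
    for key in REQUIRED_PROPERTIES:
        value = props.get(key, "")
        if not value:
            problems.append("missing property: " + key)
        elif value.startswith("<") and value.endswith(">"):
            # The guide's template uses <angle brackets> for values to fill in.
            problems.append("placeholder not filled in: " + key)
    port = props.get("preventsys.webservice.port", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("preventsys.webservice.port is not a valid TCP port: " + port)
    truststore = props.get("truststore.filename", "")
    if truststore and not truststore.startswith("<") and not path_exists(truststore):
        problems.append("truststore file not found: " + truststore)
    return problems


def check_conf_permissions(path):
    """dataimport.conf stores the Preventsys password in clear text, so flag
    group or world access (POSIX permission bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ["%s is readable by other users (mode %o)" % (path, mode)]
    return []


def remove_scan_command(scan_id, props, path_exists=os.path.exists):
    """Build argv for 'remove_scan -scan_id <p_scan_id>' once the checks pass."""
    if not re.fullmatch(r"[0-9]+", str(scan_id)):
        raise ValueError("Preventsys Scan ID must be numeric, got %r" % (scan_id,))
    problems = validate_dataimport_conf(props, path_exists)
    if problems:
        raise ValueError("dataimport.conf problems: " + "; ".join(problems))
    return ["remove_scan", "-scan_id", str(scan_id)]


# Constructed sample conf; host, credentials and paths are made up.
SAMPLE_CONF = """\
# URL of the Preventsys Administrative Client
preventsys.webservice.host = preventsys.example.internal
preventsys.webservice.port = 8888
# Preventsys login info
preventsys.login.username = aiu-importer
preventsys.login.password = example-password
truststore.filename = /opt/preventsys/aiu/truststore.jks
truststore.password = example-truststore-password
"""

if __name__ == "__main__":
    conf = parse_dataimport_conf(SAMPLE_CONF)
    print("problems:", validate_dataimport_conf(conf, path_exists=lambda p: True))
    print("command:", " ".join(remove_scan_command("8813212898813212", conf,
                                                   path_exists=lambda p: True)))
```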
Understanding the Assessment Lifecycle
Before an assessment can be conducted, you must add at least one Assessment
Server with at least one instance configuration. Next, you need to create an
assessment configuration and an associated schedule.
During an assessment, Preventsys performs the following main tasks:
• Network Assessment
• Fact Indexing (only occurs if you have the Preventsys Threat Feed feature)
• Analysis (only performed if you selected a policy when creating the assessment configuration)
Network Assessment
An assessment configuration identifies the connectors used to gather internal
intelligence (or facts) about your networks such as asset discovery, service port
mapping, OS fingerprinting, and vulnerability detection as well as configuration
information.
Fact Indexing
The Indexing phase begins after the Network Assessment phase. During this phase, all facts found during network assessment are indexed, so that complex associations with external threat intelligence can be made during the Analysis phase.
Analysis
After the Indexing phase, an analysis is conducted if a policy was selected in the
assessment configuration. The analysis phase results in vulnerabilities, policy
violations, threat correlation and vulnerability and violation coalescing for the
purposes of reporting and remediation prioritization and tracking.
Note: If you do not want to analyze your networks against a specific policy, you should still select the Preventsys Default Vulnerability Policy. This policy allows Preventsys to perform non-policy specific analysis, such as vulnerability coalescing and threat correlation as described later in this section. If this policy is not selected, Preventsys will not analyze and display vulnerabilities, analyze threat alert data against your networks, or create remediations based on the assessment.
The Analysis phase uses complex and optimized search and mapping algorithms to
apply policy rules written in the Preventsys Policy Definition Language, and coalesce
vulnerabilities and violations. See Vulnerability and Violation Coalescing (on page
148) for details.
This phase automatically correlates and merges the data from all of your integrated
security solutions, which drastically reduces the effort of manually comparing this
information to external threat intelligence (typically gathered from threat newsletters
and threat analyst services).
The Analysis phase automatically creates remediation tasks, and can alter the
severity and priority of existing remediations tasks based on the contextual
information of each contributing piece of intelligence. If you have configured an
external patch management system, Preventsys queries that system during this
phase to determine if it can patch any of the vulnerability type remediations found.
See Managing External Patch Management Systems (on page 193) for details.
Threat Intelligence Correlation
If you have the Preventsys Threat Intelligence feature, this phase will correlate threat intelligence data with facts about your network that may expose you. Threat data received via the Preventsys Threat Intelligence Connector undergoes a complex associative analysis with the internal vulnerability and policy violation intelligence that the Preventsys Management Server has in its database about your enterprise network. All this is accomplished without re-scanning and without you having to do all the manual correlation. The Threat Intelligence feature is only available if a threat feed URL was specified during configuration. See the McAfee Preventsys Risk Analyzer and Compliance Auditor Installation Guide for details.
The resulting analysis is a rapid and easy to understand association between devices at risk to a given threat, exposure based on that threat and, most importantly, prioritization of unresolved remediation tasks that are associated with the threat.
Note: You can turn off the Threat Intelligence Correlation phase of analysis by deselecting the Perform Threat Analysis checkbox.
Vulnerability and Violation Coalescing
Preventsys integrates a number of different pieces of security technology using its
Connector APIs. Many of the products integrated in this manner give similar pieces
of information. Even the same product will often give reams of data related to the
same problem. Preventsys helps reduce this data overload by combining related
information where possible into a single piece of information. Preventsys always
displays the description provided by each source because these sources can have
unique information about the same issue.
Vulnerability Coalescing
When two different scanners find the same vulnerability, Preventsys coalesces these
into one vulnerability. For example, Nessus and Nmap will often report the same
vulnerability for the same asset in different ways for the same or multiple ports.
Preventsys coalesces these issues into one item with multiple descriptions, when
possible, so that fewer remediation items and less data overload occur, resulting in
higher value information.
Another example of vulnerability coalescing is if Nessus, ISS SiteProtector, and eEye
Retina were all utilized in the same assessment and found the same vulnerability, but
provided very different descriptions. Preventsys coalesces all this information into
one vulnerability and one remediation item with multiple descriptions. By doing this,
no data is lost, but rather is organized for more productive usability.
Coalescing reduces the huge amount of manual correlation you typically need to do
when using each of these types of integrated products and alerts individually.
The coalesced icon lets you identify coalesced vulnerabilities easily in the following areas:
• Comparative Compliance Report
• Network Standard Report
• Network Group Standard Report
• Operating System Standard Report
• Asset Summary Report
• Asset Standard Report
• Asset Details Report
The descriptions and solutions for vulnerabilities that are coalesced will be grouped by scanner name and the associated test ID and test name. Descriptions and solutions for coalesced vulnerabilities are viewable in the following areas:
• Asset Summary Report
• Asset Details Report
• Remediation Details
Figure 10: Asset Summary Report displaying a coalesced vulnerability - The
vulnerability that was found by both Qualys and Nessus
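The coalescing behaviour described above, as an added example that is not McAfee's implementation: it merges findings that share an asset and a vulnerability key, keeps each scanner's descriptions and solutions grouped by scanner name, test ID and test name, and yields one remediation item per coalesced vulnerability. The finding record layout and the use of a shared vulnerability key as the match criterion are assumptions.

```python
"""Vulnerability coalescing as the guide describes it: findings from different
scanners, or from one scanner on several ports, that report the same
vulnerability on the same asset are merged into one vulnerability (and one
remediation item) that keeps every source's description, grouped by scanner
name, test ID and test name. Added example, not McAfee's implementation; the
finding record layout and the use of a shared vulnerability key as the match
criterion are this example's assumptions.
"""
from collections import defaultdict


def coalesce(findings):
    """Merge raw scanner findings into one record per (asset, vulnerability)."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["asset"], f["vuln_key"])].append(f)

    coalesced = []
    for (asset, vuln_key), members in sorted(groups.items()):
        # Descriptions are grouped by scanner name, test ID and test name,
        # which is how the guide says coalesced descriptions are presented.
        by_source = defaultdict(list)
        for m in members:
            by_source[(m["scanner"], m["test_id"], m["test_name"])].append(m)
        sources = []
        for (scanner, test_id, test_name), ms in sorted(by_source.items()):
            sources.append({
                "scanner": scanner,
                "test_id": test_id,
                "test_name": test_name,
                "ports": sorted({m["port"] for m in ms}),
                "descriptions": sorted({m["description"] for m in ms}),
                "solutions": sorted({m["solution"] for m in ms if m["solution"]}),
            })
        coalesced.append({
            "asset": asset,
            "vuln_key": vuln_key,
            # The coalesced icon marks items built from more than one finding.
            "coalesced": len(members) > 1,
            "sources": sources,
        })
    return coalesced


def remediation_items(coalesced):
    """One remediation item per coalesced vulnerability, carrying all descriptions."""
    return [
        {"asset": c["asset"], "vuln_key": c["vuln_key"],
         "description_count": sum(len(s["descriptions"]) for s in c["sources"])}
        for c in coalesced
    ]


# Constructed sample findings; asset, keys, test IDs and wording are made up.
SAMPLE_FINDINGS = [
    {"asset": "10.0.0.5", "vuln_key": "VULN-EXAMPLE-1", "scanner": "Nessus",
     "test_id": "10001", "test_name": "Outdated web server banner", "port": 80,
     "description": "Web server reports an outdated version string.",
     "solution": "Upgrade the web server."},
    {"asset": "10.0.0.5", "vuln_key": "VULN-EXAMPLE-1", "scanner": "Nessus",
     "test_id": "10001", "test_name": "Outdated web server banner", "port": 8080,
     "description": "Web server reports an outdated version string.",
     "solution": "Upgrade the web server."},
    {"asset": "10.0.0.5", "vuln_key": "VULN-EXAMPLE-1", "scanner": "Nmap",
     "test_id": "http-version", "test_name": "HTTP version detection", "port": 80,
     "description": "Service fingerprint matches an end-of-life release.",
     "solution": ""},
    {"asset": "10.0.0.5", "vuln_key": "VULN-EXAMPLE-2", "scanner": "Nessus",
     "test_id": "10002", "test_name": "Anonymous FTP enabled", "port": 21,
     "description": "Anonymous FTP login is permitted.",
     "solution": "Disable anonymous FTP."},
]

if __name__ == "__main__":
    for item in coalesce(SAMPLE_FINDINGS):
        flag = "[coalesced]" if item["coalesced"] else "[single]"
        print(flag, item["asset"], item["vuln_key"],
              [(s["scanner"], s["ports"]) for s in item["sources"]])
```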
Violation Coalescing
When two different scanners find the same violation, Preventsys coalesces these
into one violation. Coalescing helps reduce manual correlation, and since only one
remediation task is created, it helps reduce task management time as well.
Rules must be specifically written to allow for violation coalescing. For details about which Preventsys rules allow coalescing, see the McAfee Preventsys Risk Analyzer and Compliance Auditor Policy Reference Guide. For information about how to write rules that allow coalescing, see the McAfee PolicyLab Product Guide.
Understanding Assessment Status
The following phases are displayed during an assessment.
• Assessing: Preventsys is using the information in your assessment configuration to gather facts about your networks using the specified scanner connectors. The Assessing icon is displayed during this phase.
• Indexing: Preventsys is indexing all facts found during assessment (that is, the scan results) so that they can be compared against threat alerts during analysis (only occurs if you have the Preventsys Threat Intelligence feature). The Indexing icon is displayed during this phase.
• Analyzing: Preventsys is applying the policy (or policies) specified in the assessment configuration against the results obtained during assessment (only occurs if you selected a policy), analyzing the latest threat alerts (only occurs if you have the Preventsys Threat Intelligence feature), and grouping like vulnerabilities for the same asset into one remediation. This phase results in vulnerability, policy violation and threat correlation and coalescing for the purpose of reporting and remediation prioritization and tracking as well as the creation of remediation tasks. The Analyzing icon is displayed during this phase.
• Complete: Preventsys has completed all tasks associated with the assessment. Refer to the Status column for information about whether the assessment was completed successfully or with errors. The Complete icon is displayed at this time. While the assessment may be complete, you must check the Status column to know whether the assessment was completely successful, successful with warnings, or failed:
  • Successful: The assessment completed as expected.
  • Successful with Warnings: At least one of the assessment's tasks failed. When this happens, Preventsys will still attempt to complete the assessment. Assuming that at least one task can be completed successfully, Preventsys will return partial results. The corresponding icon is displayed if this occurs.
  • Failed: Several things can cause an assessment to fail. If Preventsys cannot complete the assessment, it will return a "Failure" message.
About Partial Results
• If not all tasks conducted during the Assessing phase completed successfully, Preventsys will save the results it was able to obtain for report viewing and reanalysis. The Assessment Details screen will display information about which assessment tasks completed successfully and which failed.
• If not all tasks conducted during the Analyzing phase completed successfully, Preventsys will save the results it was able to obtain for report viewing.
If an assessment returns partial results, remediation tasks will be handled as follows:
• No remediation tasks will be verified because of the assessment.
• If your assessment used the Preventsys Default Vulnerabilities policy, then Claimed Resolved remediation tasks will be reopened if the associated vulnerabilities are re-identified and new remediation tasks will be created for any new vulnerabilities found. Note that this is the same behavior as with successfully completed assessments.
Note: You can view the status of the latest five assessments run via the
Assessment console on the Security Risk Dashboard.
All assessment status administration is conducted from the Assessment Status
Management screen.
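The remediation-task rules for partial results above, together with the rules under Deleting an Assessment Configuration and the note under Editing an Assessment Configuration, as an added example that is not McAfee's code. It assumes a task record holds a state and the set of vulnerability IDs it covers, that a reopened Claimed Resolved task returns to Unassigned (the guide does not name the state), and that a complete assessment verifies the same three states the guide names for configuration deletion.

```python
"""Remediation-task bookkeeping after an assessment, following the rules the
guide gives for successful assessments, partial results, and deleting an
assessment configuration. Added example, not McAfee's code. Assumptions: a
task is a dict with a state and the set of vulnerability IDs it covers; a
reopened Claimed Resolved task goes back to Unassigned (the guide does not
name the state); and the states a full assessment verifies are the same
three the guide names for configuration deletion.
"""
import copy

# States the guide says are set to Verified when their vulnerabilities go away.
VERIFIABLE_STATES = {"Unassigned", "Unresolved", "Claimed Resolved"}
REOPENED_STATE = "Unassigned"  # assumption, see module docstring


def reconcile_after_assessment(tasks, found_vulns, partial_results):
    """Apply one assessment's findings to the existing remediation tasks.

    found_vulns: IDs of vulnerabilities identified by this assessment.
    partial_results: True when at least one assessment task failed.
    Returns the updated task list plus new tasks for new vulnerabilities.
    """
    tasks = copy.deepcopy(tasks)
    found = set(found_vulns)
    known = set()
    for task in tasks:
        known |= task["vulns"]
        re_identified = bool(task["vulns"] & found)
        if task["state"] == "Claimed Resolved" and re_identified:
            # Claimed fixed, but found again: reopen (same for partial results).
            task["state"] = REOPENED_STATE
        elif (task["state"] in VERIFIABLE_STATES and not re_identified
              and not partial_results):
            # Absent from a complete assessment: the fix is verified.
            # A partial assessment never verifies anything.
            task["state"] = "Verified"
    new_tasks = [{"id": "task-" + v, "state": "Unassigned", "vulns": {v}}
                 for v in sorted(found - known)]
    return tasks + new_tasks


def on_configuration_deleted(tasks, deleted_config, vuln_config):
    """Deleting an assessment configuration: its vulnerabilities are removed
    from every task; a task left with no other vulnerabilities and in a
    verifiable state becomes Verified, while a task that still has
    vulnerabilities from other configurations keeps its state."""
    tasks = copy.deepcopy(tasks)
    for task in tasks:
        affected = {v for v in task["vulns"] if vuln_config.get(v) == deleted_config}
        if not affected:
            continue
        task["vulns"] -= affected
        if not task["vulns"] and task["state"] in VERIFIABLE_STATES:
            task["state"] = "Verified"
    return tasks


# Constructed sample tasks and vulnerability IDs (not real data).
SAMPLE_TASKS = [
    {"id": "T1", "state": "Claimed Resolved", "vulns": {"V1"}},
    {"id": "T2", "state": "Unassigned", "vulns": {"V2"}},
    {"id": "T3", "state": "Accepted Risk", "vulns": {"V3"}},
    {"id": "T4", "state": "Unresolved", "vulns": {"V5", "V6"}},
]
SAMPLE_VULN_CONFIG = {"V1": "cfg-A", "V2": "cfg-A", "V3": "cfg-A",
                      "V5": "cfg-A", "V6": "cfg-B"}

if __name__ == "__main__":
    for t in reconcile_after_assessment(SAMPLE_TASKS, {"V1", "V4", "V6"}, False):
        print("complete :", t["id"], t["state"])
    for t in reconcile_after_assessment(SAMPLE_TASKS, {"V1", "V4", "V6"}, True):
        print("partial  :", t["id"], t["state"])
    for t in on_configuration_deleted(SAMPLE_TASKS, "cfg-A", SAMPLE_VULN_CONFIG):
        print("deleted A:", t["id"], t["state"], sorted(t["vulns"]))
```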
Importing External Assessment Data
Preventsys supports the import of externally obtained assessment data from a file as
well as result sets directly from a connector. See Supported Sources for Import (on
page 153) for a list of specific connectors supported by Preventsys. This section
provides information about the different types of imports Preventsys supports, what
you need to setup prior to importing, considerations for file import order and override
dates, as well as details about how import data is merged and analyzed.
Understanding Import Sources and Types
Preventsys supports the import of assessment data from a file as well as scan result
sets directly from a connector. See Supported Sources for Import (on page 153) for
details about types of connectors supported for import.
Note: Please contact McAfee Solution Services for information about XSL
transforms that Preventsys has created.
Scan Imports
• Scan Import: This type of import allows you to import result sets directly from a supported connector. After selecting the correct type and source on the Import Assessment Data screen, Preventsys displays a list of result sets from the selected connector that are available for import. You select a result set to import, the connector obtains the data and transforms it into the Preventsys XML format, and Preventsys will then import the data. See To use scan-based import (on page 157) for details. Scan Import is also considered a connector-based import because it relies on the connector for data.
• Scheduled Import: This type of import is similar to Scan Import except that it allows you to control when the data is imported based on the schedule you create and associate with the assessment configuration. Also, instead of you selecting a specific set of existing data from the connector's scan import screen, Preventsys selects the data to import based on the criteria you've specified in the connector and assessment configurations and based on the data that is available at the time of import.
Therefore, Scheduled Import is not initiated from the Import Assessment Data screen, but rather by scheduling the assessment configuration. After you set up your import criteria in an assessment configuration, the connector gets the existing result set that matches your criteria based on the schedule you've created, then transforms it into the Preventsys XML format. Preventsys will then import the data. See To schedule an import (on page 158) for details. Scheduled Import is also considered a connector-based import because it relies on the connector for data.
File Imports
Note: File-based imports can only accept one uncompressed XML result file at a time.
• Preventsys XML Import: This type of import allows you to import any file that is already in the Preventsys XML format. After selecting the correct type and source on the Import Assessment Data screen, give the XML file to Preventsys, and Preventsys will then import the data. See To use file-based import (on page 156) for details.
• Generic XML: This type of import should be used if the file you want to import is not in the Preventsys XML format, but you have a transform XSL file that will do the conversion. After selecting the correct type and source on the Import Assessment Data screen, give the XML file to Preventsys along with the XSL transform file. Preventsys will then apply the transform and import the file.
• Connector File Import: This type of import depends on the connector to transform the file into the Preventsys XML format. After selecting the correct type and source on the Import Assessment Data screen, give the file to Preventsys. The connector transforms the file into the Preventsys XML format, and Preventsys will then import the data. While the file format does not have to be XML (for example, Nessus NSR is accepted), the file format does have to be recognized by the connector so that it can be converted to the Preventsys XML format. Connector File Import is also considered a connector-based import because it relies on the connector for data.
• Preventsys AIU File Import: This type of import allows you to use internal XSL transforms that Preventsys has created for several connectors. After selecting the correct type and source on the Import Assessment Data screen, give the XML file to Preventsys, and then the Preventsys Assessment Import Utility (AIU) will automatically apply the XSL transform to your file during import. The AIU can also be run at the command line. See Importing from the Command Line (on page 158) for details.
Supported Sources for Import
Preventsys supports the import of assessment data from the following sources and
associated assessment tools.
Supported for Scan Import
Scan Import
• AlterPoint
• AppDetective
• Configuresoft
• FoundScan
• ISS SiteProtector
• QualysGuard
• Retina
• ScanAlert
Scheduled Import
• AlterPoint
• Configuresoft
Supported for File Import
• Preventsys XML: Any file in the Preventsys XML format
• Generic XML: Any generic XML file with an XSL transform file that will convert it to the Preventsys XML format
Connector File Import
• FoundScan (Risk and Host Data XML Results)
• MBSA (XML/Zip)
• Nessus (Nessus NSR)
• Nmap (XML)
• QualysGuard (Qualys XML)
Preventsys AIU File Import
• AppDetective (Single Session and Single Application XML)
• AppScan (Appscan XML)
• FoundScan (FoundScan Risk Data XML)
• nCircle (nCircle XML2)
• Nessus (Nessus XML)
• NeXpose (NeXpose Raw XML)
• NGSSquirrel for Oracle (NGSSquirrel XML)
• NGSSquirrel for SQL Server (NGSSquirrel XML)
Additional Import Setup Criteria
Preventsys XML, Generic, and Preventsys AIU File Imports
For these types of imports, you must have at least one assessment configuration
that will be associated with the import. This assessment configuration can be
associated with any connector configuration, and you do not need a connector
instance for the same type of connector that generated the XML file you want to
import.
Scan Import, Scheduled Import, and Connector File Import
For these types of imports, you must add an instance configuration and a connector
configuration for the type of assessment tool you want to import data from, then
associate that connector configuration to an assessment configuration.
All Import Types
In addition to the previous criteria, the network group you select in the assessment configuration that you will associate with your import must include the range of IPs associated with the data you want to import. Host data outside the ranges of this network group will not be imported. You do not need to conduct assessments with the assessment configuration you create prior to importing a file. The assessment data can be imported into an assessment configuration for which no assessments have been run.
Determine File Import Order
If you will be importing more than one file in a series, consider organizing these files
in the historical order in which you want them presented in Preventsys. Thus, the
file with the oldest time should be imported first, followed by the next oldest and so
on. The most recent file should be imported last. Please allow time in between the
imports for Preventsys to perform its indexing of the result set for analysis.
Note: Imported assessment data will be put in the database sequentially. Imported
assessment data cannot be placed in the middle of a sequence of assessments.
Specifying an Override Date
Use the Override Date option on the Import Assessment Data screen to specify a
different start time than the time specified in the XML file.
If you do not specify an Override Date when you import a file, the start_time in the
XML file being imported will be used as the start date and time of the assessment.
However, the start_time must be later than the time of the latest assessment
associated with the assessment configuration you select on the Import Assessment
Data screen. If it is not, then the import will fail unless you specify a later time using
the Override Date option.
When importing a scan, if you do not specify an Override Date, the start_time in the
scan will be used as the start date and time of the assessment. If neither of these is
available, Preventsys will use the time at which the import was started.
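The rules above (Override Date wins, then the file's or scan's start_time, then the time the import started; the chosen time must be later than the latest assessment on the target assessment configuration; a batch of files goes in oldest first) are small enough to encode and check before anyone clicks Submit. The following is an added example written for this guide, not part of Preventsys or the AIU; the function and parameter names are assumptions, and the timestamps are constructed.

```python
from datetime import datetime, timezone

# Date format the Import Assessment Data screen accepts; the guide says it is always GMT.
OVERRIDE_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_gmt(value):
    """Parse yyyy-mm-ddTHH:mm:ss as a GMT timestamp; anything else raises ValueError."""
    return datetime.strptime(value, OVERRIDE_FORMAT).replace(tzinfo=timezone.utc)


def effective_start_time(file_start_time, override, latest_assessment, import_started):
    """Return the start time the import will be given, or raise ValueError when
    the import would fail for the reason the guide describes.

    file_start_time   start_time from the XML file or scan (string, or None if absent)
    override          Override Date entered by the user (string, or None)
    latest_assessment datetime of the newest assessment on the selected
                      assessment configuration (None if none has been run yet)
    import_started    datetime the import was started; used only when neither
                      an override nor a file/scan time exists
    """
    if override is not None:
        chosen = parse_gmt(override)
    elif file_start_time is not None:
        chosen = parse_gmt(file_start_time)
    else:
        chosen = import_started
    # Imported assessments are appended to the sequence, so the chosen time must
    # be later than the latest assessment already on the configuration.
    if latest_assessment is not None and chosen <= latest_assessment:
        raise ValueError(
            f"start time {chosen:%Y-%m-%dT%H:%M:%S} is not later than the latest "
            f"assessment ({latest_assessment:%Y-%m-%dT%H:%M:%S}); supply an Override Date"
        )
    return chosen


def import_would_fail(file_start_time, override, latest_assessment, import_started):
    """Convenience wrapper: True when effective_start_time() would reject the import."""
    try:
        effective_start_time(file_start_time, override, latest_assessment, import_started)
    except ValueError:
        return False or True
    return False


def plan_import_order(file_start_times):
    """Given {filename: start_time} for a batch of files, return the filenames in
    the order they must be imported (oldest first), matching the guide's advice
    under Determine File Import Order."""
    return sorted(file_start_times, key=lambda name: parse_gmt(file_start_times[name]))
```

Run plan_import_order() over the batch first, then effective_start_time() for each file against the configuration's current latest assessment, updating latest_assessment with each accepted time; any ValueError tells you which file needs an Override Date before it can be submitted.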
How Imported Data is Merged and Analyzed
Preventsys merges imported data with existing data and, if configured to do so,
analyzes the resulting data.
Merge With Latest Assessment Data: As part of the import, Preventsys merges
the imported assessment data with the latest assessment data for the assessment
configuration you specified, filtering out any duplicate vulnerabilities (that is, the same
vulnerability found on the same host using the same assessment tool). The resulting
assessment becomes the new latest assessment for the assessment configuration
you specified. This merging of assessment data prevents remediation tasks from
being closed due to missing data in the import file.
Note: The merging of assessment data is optional. If you turn this function off, then
the imported assessment data will not be merged with any other assessment data.
The new latest assessment will only include the imported data. Remediations
associated with vulnerabilities found on hosts in previous assessments that are not
in the imported data will be changed to Verified because those vulnerabilities did not
recur.
Assessment Configuration Inheritance: After an import, the new latest
assessment is treated as if it had been run by Preventsys. It is displayed in the
Assessment Console on the Security Risk Dashboard (assuming that the time
specified falls in the range of the latest five assessments), and on the View
Assessment Status screen. This new assessment also inherits the hosts, networks,
network group, and policies of the associated assessment configuration.
Assessment Data Analysis: If the associated assessment configuration has a
policy, then policy analysis will take place automatically after the import. If the
assessment configuration does not contain a policy, then no analysis will be
conducted as part of the import (that is, no vulnerabilities or violations will be
created). You will need to conduct a re-analysis of the assessment to identify
vulnerabilities and violations.
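The merge behaviour and the network-group filter described above determine which findings end up in the new latest assessment, and therefore which remediation tasks survive an import. The following added example models both; it is illustrative code written for this guide, not Preventsys' own merge logic. The Finding key (vulnerability, host, tool) follows the guide's definition of a duplicate; the vulnerability ids, hosts and network ranges are constructed.

```python
import ipaddress
from collections import namedtuple

# A finding keyed the way the guide defines a duplicate: same vulnerability,
# same host, same assessment tool.
Finding = namedtuple("Finding", "vuln_id host tool")

# Constructed sample data: the latest assessment on the configuration, the
# findings in the import file, and the configuration's network group.
LATEST = {
    Finding("vuln-1001", "10.0.0.5", "nessus"),
    Finding("vuln-1002", "10.0.0.9", "nessus"),
}
IMPORTED = {
    Finding("vuln-1001", "10.0.0.5", "nessus"),    # duplicate of a known finding
    Finding("vuln-1003", "10.0.0.5", "nessus"),    # new finding
    Finding("vuln-1001", "192.168.1.2", "nessus"), # host outside the network group
}
NETWORK_GROUP = ["10.0.0.0/24"]


def filter_to_network_group(findings, network_group):
    """Drop findings for hosts outside the network group's ranges; the guide says
    such host data is not imported at all."""
    nets = [ipaddress.ip_network(n) for n in network_group]
    return {
        f for f in findings
        if any(ipaddress.ip_address(f.host) in net for net in nets)
    }


def merge_with_latest(latest, imported, merge=True):
    """Build the finding set of the new latest assessment.

    merge=True  : union of the latest assessment and the import, with duplicates
                  (same vuln/host/tool) collapsed, so findings the import file
                  happens to omit are not lost and their tasks are not closed.
    merge=False : the import alone becomes the latest assessment.
    """
    if not merge:
        return set(imported)
    return set(latest) | set(imported)


def findings_dropped(latest, new_latest):
    """Findings in the previous latest assessment that the new one no longer
    contains. With merging off, the remediation tasks behind these are the ones
    the guide says are changed to Verified."""
    return set(latest) - set(new_latest)
```

With merging on, findings_dropped() is empty by construction; with it off, every finding that the import file did not repeat is reported, which is exactly the set of tasks that will silently move to Verified, so run it before choosing to import with Merge with Latest Data cleared.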
Importing from the Preventsys Administrative Client
From the Preventsys Administrative Client you can import assessment data files as
well as scan results directly from connectors. Before you begin importing
assessment data, see Additional Import Setup Criteria (on page 154) to make sure
you have the necessary configurations. Also, see Understanding Import Sources and
Types (on page 151) for information about the different import types supported by
Preventsys and Supported Sources for Import (on page 153) for a list of assessment
tools and connectors supported by Preventsys.
To use file-based import
1 Set up your connectors and assessment configuration as specified in Additional
Import Setup Criteria (on page 154).
2 From the Preventsys menu, select Assessments > Assessment
Configurations, then click Import under the Functions column for the
assessment configuration into which you want your file imported. The Import
Assessment Data screen appears.
3 On the Import to Assessment Configuration drop-down list, select the
assessment configuration you want to use for the import. The assessment
configuration you selected on the previous screen is pre-selected for you.
Note: The Import to Assessment Configuration drop-down list only contains
assessment configurations associated with network groups made up completely
of networks within the range of the networks to which you are associated via
your groups.
4 In the Override Date text box, enter the date and time the assessment
occurred. If you do not enter a date and time, the date and time specified in the
file is used. The format of the date and time must be yyyy-mm-ddTHH:mm:ss
(for example, 2004-07-27T22:36:20) and is always in GMT. See Specifying an
Override Date (on page 154) for details.
5 To merge the data in the file with any previous assessment data for the selected
assessment configuration, select Merge with Latest Data. See How Imported
Data is Merged and Analyzed (on page 155) for details.
6 On the Source drop-down list, select File.
7 From the Type drop-down list, select the format of the file you are importing.
See Understanding Import Sources and Types (on page 151) for details.
• Preventsys XML: Select this option if the file is already in the valid
Preventsys XML format. An XSL transform is not required.
• Generic XML: Select this option if you have an XSL transform that will
convert the file into valid Preventsys XML.
• Preventsys AIU Import: The assessment tools and associated formats
supported by Preventsys are listed after the Generic XML option. Select
the one that corresponds to the assessment tool used to export your file.
An XSL transform is not required.
• Connector File Import: The assessment tools and associated formats
supported by Preventsys are listed after the Generic XML option. Select
the one that corresponds to the assessment tool used to export your file.
An XSL transform is not required.
Note: To determine if the Type you selected is a Connector File Import or a
Preventsys AIU File Import, go to Supported Sources for Import (on page 153)
and look for the name of the connector you selected.
8 Click Next. The Import File screen appears for the connector you selected.
9 Enter the path/location of the file you want to import. If the format type you
selected requires an XSL transform, enter the path/location of that file as well.
10 Click Submit to import your data.
To use scan-based import
1 Set up your connectors and assessment configuration as specified in Additional
Import Setup Criteria (on page 154).
2 From the Preventsys menu, select Assessments > Assessment
Configurations, then click Import under the Functions column for the
assessment configuration into which you want your file imported. The Import
Assessment Data screen appears.
3 On the Import to Assessment Configuration drop-down list, select the
assessment configuration you want to use for the import. The assessment
configuration you selected on the previous screen is pre-selected for you.
Note: The Import to Assessment Configuration drop-down list only contains
assessment configurations associated with network groups made up completely
of networks within the range of the networks to which you are associated via
your groups.
4 In the Override Date text box, enter the date and time the assessment
occurred. If you do not enter a date and time, the date and time specified in the
file is used. The format of the date and time must be yyyy-mm-ddTHH:mm:ss
(for example, 2004-07-27T22:36:20) and is always in GMT. See Specifying an
Override Date (on page 154) for details.
5 To merge the data in the file with any previous assessment data for the selected
assessment configuration, select Merge with Latest Data. See How Imported
Data is Merged and Analyzed (on page 155) for details.
6 On the Source drop-down list, select Scan.
7 On the Type drop-down list, select the assessment tool from which you want
the data imported.
8 On the With Connector Instance drop-down list, select the instance
configuration you want used. The instance configuration must be valid and
running on an available assessment server or it may not be displayed.
9 Click Next. The Import Scan screen appears.
10 Select the scan results you want to import.
11 Click Submit to import your data.
To schedule an import
1 Add an instance of the desired connector on your assessment server. See
Adding Instance Configurations (on page 35) for details.
2 Add a connector configuration for the connector instance you added. See
Adding a Connector Configuration (on page 131) for details.
3 Add a network group that includes the range of IPs associated with the data you
want to import. Host data outside the ranges of the network group will not be
imported. See Adding a Network Group (on page 89) for details.
4 Add an assessment configuration using the connector configuration you added.
See Adding an Assessment Configuration (on page 134) for details.
5 Schedule the assessment configuration you added. See Adding an Assessment
Schedule (on page 138) for details.
6 Preventsys will import the data, at the time or times of the schedule, that match
the criteria you specified in the connector and assessment configurations.
Importing from the Command Line
The Preventsys AIU can be used from the command line to import supported
assessment data files. You must first install Java, and then the files that support
these functions, using the following installation instructions. Note that these
commands are supported for both Windows (batch files) and Linux (shell scripts).
To install the AIU
1 Install Java JDK or JRE v1.4.x
2 Create a new System Environment Variable and name it JAVA_HOME
3 Modify your existing System Environment Variable PATH so that it includes
%JAVA_HOME%/bin
4 Verify that JAVA_HOME is set by running a new command window and typing
'set JAVA_HOME'
5 Verify that %JAVA_HOME%/bin is now in your PATH by typing 'set PATH'
6 Unzip the preventsys_data_manipulation_v1.1.zip file to any directory
7 Add the associated dataimport.conf property values to the import_file
and import_scan directories.
8 Run the import_file, import_scan, or remove_scan command as desired.
Property Values of dataimport.conf for import_file
Before using import_file, the following arguments must be placed in the file
dataimport.conf in the same directory as the import_file utility.
# URL of the Preventsys Administrative Client
preventsys.webservice.host = <host or IP address>
preventsys.webservice.port = <8888>
# Preventsys login info
preventsys.login.username = <preventsys user name>
preventsys.login.password = <preventsys password>
truststore.filename = <full path to truststore>
truststore.password = <truststore password>
Property values of dataimport.conf for import_scan
Before using import_scan, the following arguments must be placed in the file
dataimport.conf in the same directory as the import_scan utility.
# URL of the Preventsys Administrative Client
preventsys.webservice.host = <host or IP address>
preventsys.webservice.port = <8888>
# Qualys scanner required variables
dataimport.qualys.key.deleteres = Off
dataimport.qualys.key.appliancename = <appliance name>
dataimport.qualys.key.password = <password>
dataimport.qualys.key.optionspolicy = <policy> "SANS20 Options"
dataimport.qualys.key.username = <qualys user name>
# Preventsys login info
preventsys.login.username = <preventsys user name>
preventsys.login.password = <preventsys password>
truststore.filename = <full path to truststore>
truststore.password = <truststore password>
Importing a File
The following parameters are used with the import_file command.
Parameter           Description
<pconfig_name>      The Preventsys Assessment Configuration Name with which
                    you want the imported data to be associated. Generally, this
                    will be the Assessment Configuration whose network group
                    definition most closely matches the ranges of hosts in the
                    imported scan. You can find the Preventsys Assessment
                    Configuration Name in the Assessment Status window.
                    Remember to put the assessment configuration name in
                    quotes if it contains spaces. Preventsys recommends always
                    using quotes regardless.
<xml>               The name of the XML file to import.
<xsl>               An optional parameter that will transform the given XML into
                    the Preventsys Assessment Data format if it is not already in
                    that format.
<time>              An optional parameter for when you want to specify the
                    assessment date; format is yyyy-mm-ddTHH:mm:ss (for
                    example, 2004-07-27T22:36:20) and is always in GMT.
<roll true|false>   An optional parameter that turns off assessment data
                    merging when -roll false is given. If not present, the default
                    is roll=true.
To import a file using the AIU
• Run the following import_file command using any optional parameters
desired:
import_file -xml <xml> -paconfig <p_config_name>
Example using all optional parameters:
import_file -xml <xml> [-xsl <xsl>] [-time <time>] -paconfig <p_config_name> -roll false
Example with actual values:
> import_file -xml NESSUS.xml -xsl ./NESSUS.xsl -time 2004-07-27T22:36:20 -paconfig "MyNessusCompliantServers" -roll false
Importing a Scan
The following parameters are used with the import_scan command.
Parameter                  Description
<scanner_type>             The type of scanner/assessment tool.
<scan_id>                  The scan id of the external scan to import (for
                           example, scan/1108521446.20654).
<pconfig_name>             The Preventsys Assessment Configuration Name with
                           which you want the imported data to be associated.
                           Generally, this will be the Assessment Configuration
                           whose network group definition most closely matches
                           the ranges of hosts in the imported scan. You can find
                           the Preventsys Assessment Configuration Name in the
                           Assessment Status window.
                           Remember to put the assessment configuration name
                           in quotes if it contains spaces. Preventsys
                           recommends always using quotes regardless.
<connector_name>           The name of the instance configuration associated with
                           the scanner type you entered that is to be used in the
                           import.
<assessment_server_name>   The name of the assessment server associated with the
                           instance configuration that you entered.
<time>                     An optional parameter for when you want to specify
                           the assessment date; format is yyyy-mm-ddTHH:mm:ss
                           (for example, 2004-07-27T22:36:20) and is always in GMT.
<roll true|false>          An optional parameter that turns off assessment data
                           merging when -roll false is given. If not present, the
                           default is roll=true.
To import scan results using the AIU
• Run the following import_scan command using any optional parameters
desired:
import_scan -scanner_type <scanner_type> -scan_id <scan_id> -paconfig <config_name> -pci <connector_name> -pas <assessment_server_name>
Example using all optional parameters:
import_scan -scanner_type <scanner_type> -scan_id <scan_id> -paconfig <config_name> -pci <connector_name> -pas <assessment_server_name> [-time assessment_time] [-roll true|false]
Example with actual values:
> import_scan -scanner_type qualys -scan_id scan/1137454348.25445 -paconfig qualys2-9 -pci qualys -pas as13 -time 2004-07-27T22:36:20 -roll false
Local process has finished successfully. Payload is
being sent to the server to be completed....
Successfully imported data.
New Preventsys scan_id = 1942261186194227
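Both AIU utilities read dataimport.conf from their own directory and both take a fixed set of switches, so two mistakes are common: a <placeholder> left unfilled in the conf file, and a switch missing its leading dash. The following added example, written for this guide and not part of the AIU, parses a conf file in the key = value form shown in the two property listings above, reports missing or unfilled keys for import_file and import_scan, and builds each command line with the switches in the order the guide shows. The sample conf contents, host name, user name and paths are constructed; POSIX shell quoting is assumed, so use the equivalent double quotes on Windows.

```python
import shlex

# Keys the guide lists for dataimport.conf. Both utilities need the Preventsys
# connection and login keys; import_scan also needs the scanner-specific keys
# (only the Qualys set is documented in the guide).
PREVENTSYS_KEYS = (
    "preventsys.webservice.host", "preventsys.webservice.port",
    "preventsys.login.username", "preventsys.login.password",
    "truststore.filename", "truststore.password",
)
SCANNER_KEYS = {
    "qualys": (
        "dataimport.qualys.key.deleteres", "dataimport.qualys.key.appliancename",
        "dataimport.qualys.key.password", "dataimport.qualys.key.optionspolicy",
        "dataimport.qualys.key.username",
    ),
}

# Constructed sample dataimport.conf; one value is deliberately left as the
# guide's <placeholder> so the check below has something to report.
SAMPLE_CONF = """\
# URL of the Preventsys Administrative Client
preventsys.webservice.host = preventsys.example.internal
preventsys.webservice.port = 8888
# Preventsys login info
preventsys.login.username = aiu-importer
preventsys.login.password = <preventsys password>
truststore.filename = /opt/preventsys-aiu/truststore.jks
truststore.password = example-truststore-pw
"""


def parse_properties(text):
    """Parse key = value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def missing_keys(props, utility, scanner_type=None):
    """Keys that are absent, or still hold an unfilled <placeholder>."""
    needed = list(PREVENTSYS_KEYS)
    if utility == "import_scan":
        needed += SCANNER_KEYS.get(scanner_type, ())
    return [k for k in needed if k not in props or props[k].startswith("<")]


def import_file_command(xml, paconfig, xsl=None, time=None, roll=True):
    """Build the import_file command line with switches in the guide's order."""
    argv = ["import_file", "-xml", xml]
    if xsl:
        argv += ["-xsl", xsl]
    if time:
        argv += ["-time", time]
    argv += ["-paconfig", paconfig]      # shlex.join quotes names containing spaces
    if not roll:
        argv += ["-roll", "false"]       # merging is on by default, so only emit false
    return shlex.join(argv)


def import_scan_command(scanner_type, scan_id, paconfig, pci, pas, time=None, roll=True):
    """Build the import_scan command line with switches in the guide's order."""
    argv = ["import_scan", "-scanner_type", scanner_type, "-scan_id", scan_id,
            "-paconfig", paconfig, "-pci", pci, "-pas", pas]
    if time:
        argv += ["-time", time]
    if not roll:
        argv += ["-roll", "false"]
    return shlex.join(argv)
```

missing_keys() flags any value still wrapped in angle brackets, which catches the listings above copied verbatim into the conf file; run it once per utility directory, since each keeps its own dataimport.conf.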
Viewing the Status of an Import
After a file or scan is imported, the status of that import can be viewed on the
Assessment Status Management screen. See To access the Assessment Status
Management screen (on page 141) for details.
The Assessment Status screen sorts in ascending order by the date and time the
assessment was conducted. For imports, either the file's date and time or the
override date and time you specified is used. Therefore, the status of your import
may not appear on the first page if there are other assessments with later dates. To
locate your assessment, click the Started column heading to resort the results in
ascending or descending order, or click through the page numbers to view other
assessments.
Re-Analyzing Assessment Results
Use the Re-Analyze feature to re-analyze all successful assessments (even if only
partial results were obtained) against another policy (or policies) regardless of
whether your initial assessment included a policy. Preventsys will send the
administrator who initiated the re-analysis an email notification upon its completion.
Re-analyzing an assessment is the same as running that assessment again except
that existing scan results are used instead of rescanning the associated assets.
Therefore, when an assessment is re-analyzed, the result becomes the latest
assessment for the associated assessment configuration. Before conducting a
re-analysis, make certain you understand what happens to existing remediations during
subsequent assessments. See About the Remediation Lifecycle and Workflows (on
page 165) for details about how remediations are created, verified, and reopened.
Note: Conducting a reanalysis against an older assessment will result in the old
assessment becoming the latest assessment for that assessment configuration.
This may cause Remediation Tasks to change state based on this old data. If you
conducted a reanalysis by mistake and want to remove the resulting assessment,
please see Deleting Assessments (on page 144).
Re-Analyzing an Assessment's Results
Use the Re-Analyze Assessment Results function to run analysis based on PDL
policies you select.
To re-analyze an assessment's results
1 From the Preventsys menu, select Assessments > Reanalyze. The Select
Order to View Assessments screen appears.
2 Select whether you wish to view the list of scan results chronologically or
alphabetically.
3 Click Next. The Re-Analysis Management screen appears.
4 In the Select an Assessment drop-down list, select which assessment you
wish to re-analyze.
Note: If you are a member of the Super User group, then all assessments are
displayed. Otherwise, only assessments for assessment configurations
associated with network groups made up completely of networks that are within
the range of the network permissions of the groups to which you belong are
displayed.
5 In the Select a Policy list box, select which policies you wish to apply to the
assessment.
6 Click Submit to begin the reanalysis.
Viewing the Status of a Re-Analyzed Assessment
To view the status of an assessment reanalysis
• From the Preventsys menu, select Assessments > Reanalysis Status. The
Reanalysis Status Management screen is displayed.
Note: If you are a member of the Super User group, then all reanalysis statuses are
displayed. Otherwise, only reanalyses for assessment configurations associated
with network groups made up completely of networks that are within the range of
the network permissions of the groups to which you belong are displayed.
Once a reanalysis has completed, you can click Scanresults XML to view the
associated XML results.
Chapter 9
Remediations
Preventsys' remediation tasks allow you to prioritize, assign, and track the issues
that need to be fixed to protect your critical IT assets. This chapter provides details
about managing and assigning remediation tasks, including creating rules that
automatically assign tasks for you based on the criteria you specify, and specifying
due dates based on a task's priority.
To further customize Preventsys, you can integrate with an external remediation
system, which will allow you to assign Preventsys remediation tasks to a user of that
external system. This user can then update the status of those tasks in the external
remediation system and Preventsys will reflect that status. See Managing External
Remediation Systems (on page 185) for details.
You can also integrate with an external patch management system, which will allow
you to send remediation tasks to that system for automated patching. See
Managing External Patch Management Systems (on page 193) for details.
Useful Terms
Please review the following terms before continuing with this chapter.
• Remediation Task: A remediation task is automatically created by the system
based on either a vulnerability or a violation found during the Analysis phase
of an Assessment. This task can be assigned to a user, so that it can be fixed,
and then verified by Preventsys.
• Vulnerability Type Remediation Task: A Vulnerability Type Remediation Task
is automatically created based on a vulnerability found during the Analysis
phase of an Assessment.
• Violation Type Remediation Task: A Violation Type Remediation Task is
automatically created based on a violation found during the Analysis phase of
an Assessment.
• Manual Audit Type Remediation Task: A Manual Audit Type Remediation
Task is automatically created when a violation is found based on a Manual Audit
Task Rule during the Analysis phase of an Assessment.
About the Remediation Lifecycle and Workflows
Remediation Tasks can be managed through bulk assignment and the Assignment
rules you create, and can be assigned to users of external remediation systems.
Remediation Status Lifecycle
While the status of each task is tracked, prioritized, and verified automatically, user
overrides are also allowed. These statuses can be managed individually or in bulk.
The basic lifecycle of a remediation task includes four main stages:
• Unassigned
• Unresolved/Assigned
• Resolved (Claimed Resolved, False Positive, or Accepted Risk)
• Verified
1 Claimed Resolved tasks are changed to Assigned if they cannot be Verified and the user
account for the previously assigned remediator is still active, and he is still a remediator for the
network group associated with the task.
2 Claimed Resolved tasks are changed to Unassigned if they cannot be Verified and the user
account for the previously assigned remediator is no longer active or he is no longer a
remediator for the network group associated with the task.
3 User can request that a task be reassigned and the task will be changed to Unassigned.
4 Only Super Users and users with the Remediation Assignment privilege can reassign a task
that is Unresolved, False Positive, or Accepted Risk.
A remediation is considered resolved if it has one of the following statuses: Claimed
Resolved, False Positive, or Accepted Risk. However, only tasks with the
Unassigned, Assigned, and Claimed Resolved status can be verified by Preventsys.
By marking a task as False Positive or Accepted Risk, you are telling Preventsys that
you have acknowledged the policy violation or vulnerability and no longer want to be
notified of its existence or verified by Preventsys.
Following task assignment, Preventsys will automatically generate email notifications
informing the selected remediators of all task assignments. Remediators can then
access the Update Remediation Task function via links in the email notification to
update the status of their tasks or directly via the main menu. Note that users
associated with external remediation systems will not receive email notifications.
Note: Tasks may also be assigned to users in external remediation systems, which
have been configured to work with Preventsys.
If a user loses authorization to an asset for which they have assigned remediation
tasks (that is, they are removed from a group, the group is edited, the networks
associated with the group are edited, or the user's account is deleted), then those
tasks that are not in the Claimed Resolved, False Positive, Accepted Risk, or Verified
state will be automatically set to Unassigned. The exception to this is if the user
belongs to another group with the Resolve Remediation permission for a network
whose range includes the asset to which the user lost authorization, then tasks
associated with that asset will not be affected. See How Remediation Tasks Are
Affected (on page 63) for more details.
Once a remediation task has been completed and its status changed to Claimed
Resolved, the fix may be verified by running the assessment configuration that
originally resulted in the detection of the associated policy violation or vulnerability.
Remediation Workflow Example
The fictitious company has one lead IT administrator, John, who is in charge of
scheduling assessments, reviewing reports, and assigning remediation tasks. John
has two IT personnel who fix remediation tasks, Susan and Bob. When policy
violations and vulnerabilities are identified, John assigns the corresponding
remediation tasks to Susan and Bob, both of whom then receive emails informing
them of their respective tasks.
Susan and Bob click on the link provided in their task assignment email, which takes
them to a list of their tasks in Preventsys (login is required). They review their
assigned tasks, fix the issues, then update each task's status to Claimed Resolved.
John can then schedule a new assessment utilizing the previous assessment
configuration (including the same policy), which will verify that the detected policy
violations and vulnerabilities have been fixed. If the policy violations and
vulnerabilities are not found again during this assessment, their statuses are
automatically changed from Claimed Resolved to Verified. Tasks that are still
Unassigned or Assigned and not found again will also be changed to Verified.
The status of any policy violations and vulnerabilities that are found again will be
automatically changed from Claimed Resolved to Unassigned (that is, they are
reopened).
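The transitions spread across the Remediation Status Lifecycle notes and the workflow example above form a small state machine: which statuses Preventsys will verify, what happens to a Claimed Resolved task that is found again, how a reassignment request and a loss of authorization move a task back to Unassigned. The following added example encodes those rules as written in this guide; it is illustrative code, not Preventsys' task engine, and the Task fields, function names and the remediator_ok flag (standing for "account still active and still a remediator for the task's network group") are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Status names as the guide uses them.
UNASSIGNED = "Unassigned"
ASSIGNED = "Assigned"
CLAIMED_RESOLVED = "Claimed Resolved"
FALSE_POSITIVE = "False Positive"
ACCEPTED_RISK = "Accepted Risk"
VERIFIED = "Verified"

# Only tasks in these statuses are verified when the assessment runs again.
VERIFIABLE = {UNASSIGNED, ASSIGNED, CLAIMED_RESOLVED}


@dataclass
class Task:
    finding: str                    # constructed id of the vulnerability/violation
    status: str = UNASSIGNED
    assignee: Optional[str] = None  # remediator user name, if assigned


def apply_verification(task: Task, found_again: bool, remediator_ok: bool) -> str:
    """Status after the assessment configuration that created the task is run
    again (or re-analyzed). found_again: the same vulnerability/violation was
    detected on the same host. remediator_ok: the previously assigned user's
    account is still active and still a remediator for the task's network group.
    """
    if task.status not in VERIFIABLE:
        return task.status                  # False Positive, Accepted Risk, Verified stay put
    if not found_again:
        task.status = VERIFIED              # not detected again: the fix is verified
    elif task.status == CLAIMED_RESOLVED:   # claimed fixed but still present: reopen
        if remediator_ok:
            task.status = ASSIGNED
        else:
            task.status = UNASSIGNED
            task.assignee = None
    # Unassigned and Assigned tasks that are found again keep their status.
    return task.status


def request_reassignment(task: Task) -> str:
    """The assignee asks for a False Positive or Accepted Risk task to be reassigned."""
    if task.status not in (FALSE_POSITIVE, ACCEPTED_RISK):
        raise ValueError(f"cannot request reassignment from status {task.status!r}")
    task.status = UNASSIGNED
    task.assignee = None
    return task.status


def on_authorization_lost(task: Task) -> str:
    """The assignee lost authorization to the asset (removed from a group, group
    or networks edited, account deleted) and has no other qualifying group."""
    if task.status in (CLAIMED_RESOLVED, FALSE_POSITIVE, ACCEPTED_RISK, VERIFIED):
        return task.status
    task.status = UNASSIGNED
    task.assignee = None
    return task.status
```

The point to take from apply_verification() is the one the Re-Analyzing Assessment Results section warns about: running verification against older scan results feeds found_again from stale data, so Claimed Resolved tasks can be reopened and open tasks marked Verified on the strength of an assessment that no longer reflects the hosts.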
All remediation task administration is conducted from the Remediation Task
Management screen.
To access the Remediation Task Management screen
• From the Preventsys menu, select Tasks > Remediation Tasks. The
Remediation Task Management screen appears.
If you have tasks assigned to you, the My Tasks tab is displayed by default
with your tasks listed. Otherwise, the Task Assignment tab is displayed.
If you are a member of the Super User group, then all remediation tasks are
displayed in the Task Assignment tab. Otherwise, only remediation tasks
associated with hosts that are within the range of the network permissions
of the groups to which you belong are displayed. In addition, all Manual
Audit Task violations are displayed regardless of your group permissions.
From the Task Assignment tab on the Remediation Task Management screen, you
can view details about individual tasks, assign and reassign tasks, and change the
priority of tasks. You can also use the Filter Options and Column View Options tabs
to filter and view different information. Note that by default, tasks on this screen are
displayed in the order of their priority; highest priority first.
Note: You can also access this screen via the Security Risk Dashboard by selecting
the » tab located in the Latest Tasks area of the Remediation console. Tasks are
automatically filtered by the active Enterprise Group when the screen is accessed in
this way. Use the Filter Options tab to turn off Enterprise Group filtering.
From the My Tasks tab on the Remediation Task Management screen, you can view
details about individual tasks and resolve your tasks. You can also request that any
of your tasks with the Accepted Risk or False Positive resolution be reassigned.
Only tasks assigned to you that are also associated with hosts that are within the
range of the network permissions of the groups to which you belong are displayed.
All Manual Audit Task violations assigned to you are also displayed.
You can also access this screen via the Security Risk Dashboard by selecting the »
tab located on the My Tasks area of the Remediation console.
Assigning Remediation Tasks
Use the Assign Remediation Tasks function to assign new remediation tasks. Note
that you can only assign tasks using the latest analysis. Tasks that were not
assigned in similar, previous analyses are carried forward to the latest analysis.
After a task is assigned, it can be reassigned as long as it does not have the Claimed
Resolved or Verified status. The assignee can also request that a task with the False
Positive or Accepted Risk status be reassigned by selecting the Reassign status on
the Remediation Task Update screen. The task's status is then automatically
changed to Unassigned.
Note: Users in external remediation systems can only reassign Preventsys tasks
that have the Assigned status.
When tasks that are assigned to an external remediation user are reassigned to a
different external remediation user associated with the same external system,
Preventsys simply reassigns the task and updates the external system with the new
information. If the two external users are associated with different external systems,
Preventsys updates the task in the first system by changing its status to Closed and
sends the reassigned task to the associated external remediation system.
If there are errors while attempting to send an external user's task assignment to the
associated external remediation system, Preventsys will display an error screen
listing each task and the associated error, including the error code and message
generated by the external system when available. The specified tasks will remain
unassigned until they are successfully reassigned.
About Severity
The severity of each remediation task is automatically calculated by Preventsys
based on the severity of the associated vulnerability or violation. A task's severity
can also be changed by Preventsys if an associated threat alert is found. Changes to
severity are noted in the History/Comments section of the Remediation Details
screen.
Figure 11: Sample Remediation Details screen displaying system comments about changes to the task's severity
About Priority
The priority of each remediation task is automatically calculated by Preventsys based
on the associated severity, financial impact, and operational impact of the associated
asset, relative to the highest exposure value of all assets. However, you can also
manually enter your own priority if desired. The priorities you enter will take
precedence over the priorities calculated by Preventsys.
About Due Date and Criticality
Due dates for remediation tasks are optional and can be specified in two ways:
automatically calculated by Preventsys or manually entered by the user.
System Calculated Due Dates
Preventsys calculates due dates for remediation tasks based on how you decide to
map priority ranges to criticality levels. You set up this mapping on the System
Preferences screen. There are three criticality levels: High, Medium, and Low. The
defaults for these levels are as follows:
ƒ
Low = 0 - 50
ƒ
Medium = 51 - 80
ƒ
High = 81 - 100
Preventsys does not provide default due dates. Therefore, if you do not provide due
dates for the criticality levels, remediation tasks will display N/A for the due date.
You will still be able to manually enter due dates on the Remediation Task
Management Assignment screen.
To change the criticality levels and due dates for remediation tasks
1 From the Preventsys menu, select Admin > Preferences. The Preferences
  screen appears.
2 To set the remediation priority range for each criticality level, click and hold the
  slider control while moving your mouse left to right.
3 In the Due In text box, enter the number of days after which the task should be
  completed. For example, you might want highly critical tasks fixed within one day,
  but lower-criticality tasks fixed within six days. The actual date is automatically
  calculated by Preventsys after the remediation task is created.
4 Click Submit to save your settings.
Note: Due dates are automatically re-calculated whenever the remediation task's
priority is changed. If the change is such that the priority is bumped into the next
criticality level, then the due date will change to reflect this.
Manually Entered Due Dates
You can manually enter due dates on the Remediation Task Management
Assignment screen by typing the desired date in the Due Date field and selecting
Submit. Due Date can be entered manually regardless of whether Preventsys has
calculated a due date.
Note: The due dates you provide will take priority over calculated due dates.
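As an added illustration written for this page (not Preventsys code), the following Python models the due-date behaviour described above: the default priority-to-criticality ranges, the per-level Due In day counts, N/A when no count is set, recalculation when a manual priority moves a task into another level, and a manually entered due date taking precedence. The Due In values, dates and task names are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Default priority ranges per criticality level, as given in this guide.
DEFAULT_RANGES: Dict[str, Tuple[int, int]] = {
    "Low": (0, 50),
    "Medium": (51, 80),
    "High": (81, 100),
}


def criticality_for(priority: int,
                    ranges: Dict[str, Tuple[int, int]] = DEFAULT_RANGES) -> str:
    """Map a 0-100 priority to the criticality level whose range contains it."""
    if not 0 <= priority <= 100:
        raise ValueError(f"priority out of range: {priority}")
    for level, (low, high) in ranges.items():
        if low <= priority <= high:
            return level
    raise ValueError(f"no criticality range covers priority {priority}")


@dataclass
class RemediationTask:
    name: str
    created: date
    calculated_priority: int                 # value Preventsys computed
    manual_priority: Optional[int] = None    # user override; never recalculated
    manual_due_date: Optional[date] = None   # user override for the due date
    history: List[str] = field(default_factory=list)

    @property
    def priority(self) -> int:
        # A priority entered by the user takes precedence over the calculated one.
        if self.manual_priority is not None:
            return self.manual_priority
        return self.calculated_priority

    def set_priority(self, value: int) -> None:
        """Enter a manual priority; record when it crosses a criticality level."""
        before = criticality_for(self.priority)
        after = criticality_for(value)
        self.manual_priority = value
        if before != after:
            self.history.append(f"criticality {before} -> {after}")

    def set_manual_due_date(self, iso_date: str) -> None:
        self.manual_due_date = date.fromisoformat(iso_date)


def new_task(name: str, created_iso: str, calculated_priority: int) -> RemediationTask:
    return RemediationTask(name, date.fromisoformat(created_iso), calculated_priority)


def due_date(task: RemediationTask,
             due_in_days: Dict[str, Optional[int]]) -> Optional[date]:
    """Effective due date, or None where the screen would show N/A.

    due_in_days maps each criticality level to the "Due In" day count set on
    the Preferences screen (None when no value was provided).  The level is
    derived from the task's current priority, so a priority change that moves
    the task into another level changes the result.
    """
    if task.manual_due_date is not None:
        return task.manual_due_date                # manual date wins
    days = due_in_days.get(criticality_for(task.priority))
    if days is None:
        return None                                # no default due date: N/A
    return task.created + timedelta(days=days)


def display_due(task: RemediationTask, due_in_days: Dict[str, Optional[int]]) -> str:
    d = due_date(task, due_in_days)
    return "N/A" if d is None else d.isoformat()


if __name__ == "__main__":
    # Constructed sample preferences: High due in 1 day, Medium in 3, Low blank.
    prefs = {"High": 1, "Medium": 3, "Low": None}
    task = new_task("Unpatched web server", "2007-03-01", calculated_priority=75)
    print(criticality_for(task.priority), display_due(task, prefs))  # Medium 2007-03-04
    task.set_priority(85)   # bumped into High, so the due date is recalculated
    print(criticality_for(task.priority), display_due(task, prefs))  # High 2007-03-02
    task.set_manual_due_date("2007-03-10")
    print(display_due(task, prefs))                                  # 2007-03-10
```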
Assigning or Reassigning a Remediation task
For each remediation task, the Assign To list will only display users that belong to
groups with both the Resolve Remediations permission and network permissions
that include the host associated with the remediation. In addition, all Unassociated
External Users (users associated to an external remediation system that do not have
an associated Preventsys username) are also displayed.
To assign or reassign a remediation task
1 From the Preventsys menu, select Tasks > Remediation Tasks, then select the
  Task Assignment tab.
2 For each task you want to assign or reassign, select the assignee from the
  associated Assign To drop-down list. The Assigned To column displays to
  whom the task is currently assigned.
Note: The Assign To dropdown list displays users with the Remediation
resource and Resolve Remediations permission that are associated with
networks via their user group(s), which contain the host associated with the
remediation task. For Manual Audit Task violation remediations, all users with
the Remediation resource and Resolve Remediation permission are displayed
regardless of their network permissions.
3 To change the priority of a task, enter the desired priority in the corresponding
  Priority text box. Priority, which is calculated for you automatically, can affect
  the task's due date. If you enter your own priority for a task, Preventsys will use
  that value and will no longer automatically calculate the priority for you. This
  operation cannot be undone.
4 Click Submit to assign the tasks and apply any changes you made to task
  priority.
5 Preventsys automatically sends email notifications to all selected assignees.
  Tasks assigned to external remediation system users are forwarded to the
  associated external remediation system.
  Note: If for any reason Preventsys cannot send the assignment email
  notification to an assignee (for example, there is an email server error or the
  recipient's address is incorrect), the task(s) will still be assigned. A message
  will be displayed on the Task Assignment screen alerting you to the issue.
  Preventsys will not attempt to resend the email, so please notify assignees if
  they have urgent tasks that need to be resolved.
Bulk Assignment
You can assign several tasks at one time to the same user.
To assign several tasks to the same user
1 From the Preventsys menu, select Tasks > Remediation Tasks, then select the
  Task Assignment tab.
2 Select the checkbox for each remediation task you want to assign to a single
  user.
3 In the With selected, assign to drop-down list, select the name of the user to
  whom you want to assign the selected tasks.
4 To assign the tasks, click Submit.
5 All of the remediation tasks you selected are assigned to the user you specified
  as long as that user has permission to the associated assets. Remediation tasks
  for assets that the user does not have access to are not assigned.
Filtering Remediation Tasks
You can filter remediations tasks in a variety of ways by using the Filter Options tab.
Filters you create can also be saved for later use. For example, you can use a saved
filter to create an Assignment Rule.
Preventsys provides two preconfigured filters to get you started. You cannot
edit or delete these filters, but you can use them to create new filters.
• Selective Remediation L1: This filter displays tasks with a priority between 91
  and 100.
• Selective Remediation L2: This filter displays tasks with a priority between 81
  and 100.
To filter remediations
1 Do one of the following:
  • From the Preventsys menu, select Tasks > Remediation Tasks, then
    select the Filter Options tab.
  • From the Preventsys menu, select Tasks > Remediation Update, then
    select the Filter Options tab.
2 Do one of the following:
  • Enter data for the filter options you want to apply. All text string fields are
    case sensitive.
    Note: To conduct wildcard searches, use an asterisk (*). For example, entering
    comp* will return all asset names beginning with the letters comp such as
    computer or company. Entering *comp* will return all asset names containing
    the letters comp such as accompany.
  • On the Load Filter drop-down list, select the desired saved filter, then click
    Load.
3 Click Apply Filter.
Note: A Manual Audit Task Violation is always associated with the first assessment
that finds it even if it is found by multiple assessments. Therefore, if you want to
search for Manual Audit Task Violations by Assessment Name, you will need to
know the name of the assessment that first found those violations.
Saving Filters
You can select various filter options that will change the types of data displayed and
then save that filter for use later. For example, you can filter by remediations that are
associated with a specific asset.
To save a filter
1 Do one of the following:
  • To create a new filter, in the Save as Filter text box, enter the filter's name
    (400 characters maximum), then click Save and Apply Filter.
  • To create a new filter based on an existing filter, select the desired filter
    from the Load Filter drop-down list, then click Load. Modify the filter
    options as desired, change the loaded filter's name as desired, then click
    Save and Apply Filter.
To edit a saved filter
1 Select the filter's name from the Load Filter dropdown, then click Load.
2 Edit the filter options as desired.
3 Click Save and Apply Filter.
Note: Remember that if you change the name of the filter you are editing, a new
filter with that name is created when you click Save and Apply Filter. The initial filter
you selected is not deleted or modified in any way.
To delete a saved filter
• Select the filter's name from the Load Filter dropdown, click Load, then
  click Delete Filter. Deleting a saved filter does not alter the remediations
  displayed.
Note: Deleting a filter that was used to create an assignment rule does not affect
the rule.
Viewing Different Columns of Data
From the Column View Options tab, you can select different columns of data to
view.
Note: Column options are not saved with filters. Saved filters use the default column
set.
To choose a column
1 Do one of the following:
  • From the Preventsys menu, select Tasks > Remediation Tasks, then
    select the Column View Options tab.
  • From the Preventsys menu, select Tasks > Remediation Update, then
    select the Column View Options tab.
2 Select the column data that you want to view.
3 Click Apply View Choices.
Viewing Details about a Remediation
You can view details about a remediation task by clicking on an Issue Name from the
Task Management tab, the My Tasks tab, or the Remediation console accessible
from Preventsys Security Risk Dashboard.
The Remediation Details screen provides in-depth information about a selected issue
(policy violation or vulnerability) and its remediation task.
This screen lists the issue name as well as information about its Severity, Priority,
Asset, IP Address, Data Found, Patch Status, Issue Status, and assigned
Remediator. The issue's description and a possible solution are also listed. A history
of all user comments and status changes, as well as changes Preventsys made to
the task are also displayed. Altering the task's severity based on a threat alert is an
example of a system change.
Vulnerability Remediation Details
If the issue contains coalesced vulnerabilities, the descriptions and solutions will be
grouped by scanner name and the associated test ID and test name. In addition, if
some of the coalesced vulnerabilities were not found again during the latest
assessment, they are listed under Previously Found. If they were found (or found
again) during the latest assessment, they are listed under Found.
Figure 12: Sample Vulnerability Type Remediation Details Screen
Violation Remediation Details
For remediation tasks generated from policy violations, the Remediation Details
screen also displays information about the associated policy if a source document
exists. A link to the policy is also provided. When selected, this link opens a new
browser window which displays the entire policy source document. The rule
associated with the remediation is always displayed at the top of this window.
Figure 13: Sample Violation Type Remediation Screen With Policy Reference Displayed
Verifying Remediation Tasks
• A Remediation Task is verified by Preventsys when a subsequent assessment
  using the same assessment configuration that found the associated policy
  violation or vulnerability on an asset cannot find that same issue again on that
  same asset. Note that Preventsys only attempts to verify Remediation Tasks
  that are Unassigned, Unresolved, or Claimed Resolved. Remediation Tasks
  that are Accepted Risk or False Positive are ignored.
• To verify a policy violation remediation, you must rerun the same assessment
  configuration that created it (that is, the same connector configuration, same
  network group, same policy, and same exclusion lists).
• To verify a MAT violation remediation, you must rerun the same policy (it can be a
  different version of the policy) that created it using any assessment
  configuration. When a MAT violation is verified, it remains associated with the
  last assessment configuration that found it.
• To verify a vulnerability remediation, you must rerun the same assessment
  configuration that created it (that is, the same connector configuration, same
  network group, same policy, and same exclusion lists).
Other Reasons Remediation Tasks Can Be Verified
It should be noted that there can be several reasons, other than that the associated
issue was actually fixed, why a violation or vulnerability was not found again.
For example, if the asset on which the vulnerability or violation was detected cannot
be found during the subsequent assessment, then the associated remediation task
will be automatically updated to Verified based on the absence of that asset. This
might happen if you modify the assessment configuration by selecting a different
network group that does not contain that asset, if you modify the selected
network group so that it no longer contains the asset, or if you select an Exclusion
list (or a Global Exclusion list is active) that includes the asset.
For vulnerabilities, another reason might be if the connector check/test that found
the issue does not fire. This might happen if you modify the assessment
configuration by selecting a different connector configuration, or if you modify the
selected connector configuration such that it no longer performs that check/test.
For violations, another reason might be if the rule that found the issue does not fire.
This might happen if you modify the assessment configuration by deselecting the
policy that found the violation. This might also happen if you modify the rule such
that it no longer performs the same checks, update that rule in the policy, and then
modify the associated assessment configuration so that it uses the new version
of that policy.
Verifying Remediation Tasks with Coalesced Vulnerabilities
As mentioned previously, if a remediation task contains coalesced vulnerabilities (that
is different connector types detect the same vulnerability for the same asset), the
descriptions and solutions will be grouped by scanner name and the associated test
ID and test name.
The information mentioned in the previous paragraphs about verifying Remediation
Tasks applies to Remediation Tasks with Coalesced Vulnerabilities with the
exception that each vulnerability must be verified by running an assessment using
the assessment configuration that found that particular vulnerability. Therefore, if
one vulnerability is verified, but the others are not, then the Remediation Task will
not be verified. All coalesced vulnerabilities must be verified for the Remediation
Task to be verified.
Verifying Remediation Tasks with Coalesced Violations
As mentioned previously, a remediation task can contain coalesced violations (that is,
different connector types detect the same violation for the same asset). The
information mentioned in the previous paragraphs about verifying Remediation Tasks
applies to Remediation Tasks with Coalesced Violations with the exception that each
violation must be verified by running an assessment using the assessment
configuration that found that particular violation. Therefore, if one violation is verified,
but the others are not, then the Remediation Task will not be verified. All coalesced
violations must be verified for the Remediation Task to be verified.
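The verification rules above, covering the status gate, the coalesced-vulnerability and coalesced-violation cases, and the "asset not found" caveat from Other Reasons Remediation Tasks Can Be Verified, as an added model written for this page (not Preventsys code). A finding is assumed to be identified by its assessment configuration, asset and issue; the configuration identifiers, host address and issue name are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Statuses Preventsys attempts to verify; Accepted Risk and False Positive are ignored.
VERIFIABLE = {"Unassigned", "Unresolved", "Claimed Resolved"}


@dataclass(frozen=True)
class Finding:
    config: str          # assessment configuration that found the issue
    asset: str
    issue: str
    verified: bool = False


@dataclass
class Task:
    name: str
    status: str
    findings: List[Finding]                  # more than one entry = coalesced
    comments: List[str] = field(default_factory=list)


@dataclass
class AssessmentRun:
    config: str                              # assessment configuration used
    assets_seen: Set[str]                    # assets the assessment could find
    found: Set[Tuple[str, str]]              # (asset, issue) pairs detected


def apply_run(task: Task, run: AssessmentRun) -> Task:
    """Update a task's findings and status after one assessment run."""
    if task.status not in VERIFIABLE:
        return task                          # Accepted Risk / False Positive: ignored
    updated: List[Finding] = []
    for f in task.findings:
        if f.verified or f.config != run.config:
            updated.append(f)                # only the same configuration can verify it
            continue
        if f.asset not in run.assets_seen:
            # Caveat from the guide: an asset the assessment cannot find at all
            # also counts as "not found again", so the finding is verified.
            task.comments.append(f"{f.issue} on {f.asset}: asset absent, verified")
            updated.append(Finding(f.config, f.asset, f.issue, True))
        elif (f.asset, f.issue) not in run.found:
            updated.append(Finding(f.config, f.asset, f.issue, True))
        else:
            updated.append(f)                # still present: remains unverified
    task.findings = updated
    if all(f.verified for f in task.findings):
        task.status = "Verified"             # every coalesced finding cleared
    return task


def coalesced_example() -> List[str]:
    """Constructed walk-through: two scanners found the same issue on one host."""
    task = Task("Unpatched web server", "Claimed Resolved", [
        Finding("cfg-scannerA", "10.1.5.9", "Unpatched web server"),
        Finding("cfg-scannerB", "10.1.5.9", "Unpatched web server"),
    ])
    trail = []
    # Re-run scanner A's configuration: its finding clears, B's is untouched.
    apply_run(task, AssessmentRun("cfg-scannerA", {"10.1.5.9"}, set()))
    trail.append(task.status)
    # A run with an unrelated configuration verifies nothing.
    apply_run(task, AssessmentRun("cfg-other", {"10.1.5.9"}, set()))
    trail.append(task.status)
    # Re-run scanner B's configuration: now all coalesced findings are verified.
    apply_run(task, AssessmentRun("cfg-scannerB", {"10.1.5.9"}, set()))
    trail.append(task.status)
    return trail   # ["Claimed Resolved", "Claimed Resolved", "Verified"]
```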
Working with Assignment Rules
Assignment rules allow Preventsys to automatically pre-assign remediation tasks
based on the conditions you specify. For example, you can create a rule that
pre-assigns all tasks associated with a specific network group to johnsmith. Note that
you should make sure that johnsmith has the Remediations resource and associated
Resolve Remediations permission for all networks within the network group
specified for which you want him to be assigned tasks. Because Preventsys
pre-assigns these tasks, you will still need to review and accept the assignment on the
Remediation Task Management screen before the tasks are officially assigned.
All assignment rule administration is conducted from the Assignment Rule
Management screen.
To access the Assignment Rule Management screen
• On the Preventsys menu, select Tasks > Remediation Assignment Rules.
  The Assignment Rule Management screen appears.
From this screen, you can add new rules, edit existing rules, and delete rules. You
can also change the order in which Preventsys applies the rules.
Creating an Assignment Rule
Use Assignment rules to specify remediations that should automatically be assigned.
For example, you can create an assignment rule that assigns all tasks associated
with a specific network to the remediator you select.
Assignment rules can be created via the Remediation Task Management screen or
the Assignment Rule Manager screen, but can only be edited via the latter.
Note: Remember that group resources and permissions are granted at the network
level. If you create a rule that specifies that all remediations for an asset should be
assigned to a specific remediator, then you should also make sure that that
remediator has the Resolve Remediations permission for all networks desired.
To create an assignment rule
1 On the Preventsys menu, select Tasks > Remediation Assignment Rules,
  then click Add New Rule. The Add Assignment Rule screen appears.
2 Do one of the following:
  • Select a saved filter to use from the Load Filter drop-down list.
  • Enter the conditions upon which you want Preventsys to assign tasks in the
    fields provided. For example, you might specify an asset so that all
    remediations associated with that asset are assigned to a specific user.
  Note: Filters and rules are saved separately, therefore modifying the rule does
  not alter the filter that was used to create the rule and vice versa.
3 In the Save as Rule text box, enter a name for the rule.
4 In the Assigned to drop-down list, select the user to which you want all of the
  tasks that meet the criteria assigned.
5 To save your settings, click Submit.
New rules are automatically applied to all unassigned remediation tasks as well as all
new remediations tasks. Existing rules are automatically reordered so that the new
rule is first.
Editing an Assignment Rule
When you edit an assignment rule, it is applied to new remediations tasks as well as
all existing ones that have not been assigned.
To edit an assignment rule
1 On the Preventsys menu, select Tasks > Remediation Assignment Rules,
  then click Edit for the rule you want to modify. The Edit Assignment Rule
  screen appears.
2 Edit the rule as desired.
  Note: Remember that if you change the name of the rule you are editing, a new
  rule with that name is created when you click Submit. The initial rule you
  selected is not deleted or modified in any way.
3 To save your changes, click Submit.
Ordering Assignment Rules
You can specify the order in which you want Preventsys to apply Assignment Rules.
New rules are automatically ordered first. When you reorder rules, the new order is
automatically applied to all new remediations tasks as well as all existing ones that
have not been assigned.
On the Assignment Rule Management screen, click Up to move the rule up on the
list and click Down to move it down.
Deleting an Assignment Rule
When you delete an assignment rule, remediation tasks that have been assigned
are not affected. Because filters and rules are saved separately, deleting a rule does
not alter the filter that was used to create the rule and vice versa.
To delete an assignment rule
1 On the Preventsys menu, select Tasks > Remediation Assignment Rules,
  then click Delete for the rule you want removed. A confirmation pop-up box
  appears.
2 Click OK to delete the rule.
Updating Remediation Tasks
A remediation task can be resolved by changing its status to one of the following:
Claimed Resolved, False Positive, or Accepted Risk. Only tasks with the Claimed
Resolved status will be verified by Preventsys.
To verify a remediation task with the Claimed Resolved status, you must conduct an
assessment using the same assessment configuration that resulted in the initial
detection of the policy violation or vulnerability. If the assessment does not find the
policy violation or vulnerability, then Preventsys will automatically change the task's
status from Claimed Resolved to Verified.
You can change the status of False Positive and Accepted Risk tasks to Reassign,
which means that the task's status will be changed to Unassigned. The task can
then be reassigned via the Remediation Task Management screen. You can also
change their status to Claimed Resolved. Note that on Reports, a Claimed Resolved
task is treated the same as a Verified task.
You can use the Filter Options tab and the Column View Options tabs to control
which remediation tasks and what type of information is displayed. You can also
save the filters you create.
Figure 14: My Tasks screen filter options
Figure 15: My Tasks screen column view options
Updating the Status of a Remediation Task
To update the status of a remediation task
1 From the Preventsys menu, select Tasks > Remediation Tasks, then select the
  My Tasks tab if it is not already selected. Your assigned tasks are displayed.
Note: My Tasks displays all tasks assigned to you that are associated with hosts
that are within the range of your network permissions based on the groups to
which you belong, and all MAT violation type remediations assigned to you
regardless of your network permissions. This implies that if your network
permissions are changed such that you no longer have access to certain hosts,
then you will no longer see tasks associated with those hosts.
2 For each task that you want to resolve, select the new status from the Change
  Status drop-down list. The Issue Status column displays the current status of
  each task.
  a To change several tasks to the same status, select the checkbox for each
    desired remediation task, then select a new status at the bottom of the
    screen in the With selected drop-down list. All checked remediations on
    the page will be changed to the status you selected. If the status you
    select is not valid for all tasks (for example, you select Reassign, which is
    not a valid status change for tasks that are still unresolved), then only tasks
    that can be changed to Reassign will be changed; the other tasks will be
    ignored. The message, “Note: Some of the items you selected were not
    valid for this operation.” will be displayed on the confirmation screen. See
    Remediation Status Lifecycle (on page 166) for details about valid status
    transitions.
  b To change all checked remediations on all pages to the same status, select
    All on all pages.
3 To provide additional information about a task, enter your comments in the
  Additional Comments text box.
4 To view all previous comments as well as additional details about the task, click
  the issue's name. Remember that comments can include user comments and
  status changes, as well as changes Preventsys made to the task. For example,
  altering the task's severity based on a threat alert.
5 To save your changes, click Submit. If you changed the status of a task that is
  also associated with an external remediation system, the new status for that
  task is forwarded to the external remediation system.
Violation Coalescing
When two different scanners find the same violation, Preventsys coalesces these
into one violation. Coalescing helps reduce manual correlation, and since only one
remediation task is created, it helps reduce task management time as well.
Rules must be specifically written to allow for violation coalescing. For details about
which Preventsys rules allow coalescing, see the McAfee Preventsys Risk Analyzer
and Compliance Auditor Policy Reference Guide. For information about how to write
rules that allow coalescing, see the McAfee PolicyLab Product Guide.
Managing External Remediation Systems
The integration of your external remediation system, also referred to as a third-party
trouble ticketing system, with Preventsys will allow you to exchange and synchronize
the status of the remediation tasks generated by Preventsys.
Preventsys supports integrations with the following third-party trouble ticketing
systems:
• BMC Remedy Action Request System (versions 4.5, 5.1, and 6.3)
• Hewlett-Packard OpenView Service Desk (versions 4.5 and 5.1) - Only the latest
  service pack for each version is supported
For the integration to be successful, a data mapping must first be created that will
allow information to be transferred correctly between Preventsys and your third-party
trouble ticketing system. For details, see the third-party trouble ticketing system
integration guides available from McAfee Solution Services.
After McAfee Solution Services completes your mapping, follow the instructions in
this section for completing the integration within the Preventsys Administrative
Client.
To access the External Remediation Systems Management screen
• From the Preventsys menu, select Tasks > External Remediation
  Systems. The External Remediation Systems Management screen
  appears.
From this screen, you can add new external systems, edit existing external systems,
and delete external systems.
The Add and Edit External Remediation System screens contain several fields, but
only the Name, Type, Host, and To and From System Mapping fields are required by
Preventsys. However, the remaining fields may be required by the external
remediation system, and therefore must be entered correctly for a successful
integration.
The Add and Edit Remediation System screens both feature a Test System function
that can be used to test the validity of the external remediation system's
configuration.
Adding an External Remediation System
Use the Add Remediation System function to integrate external remediation
systems with Preventsys.
To add an external remediation system
1 From the Preventsys menu, select Tasks > External Remediation Systems,
  click Add New System. The Add External Remediation System screen appears.
2 In the Name text box, enter the name you want to give the external remediation
  system.
3 In the Type drop-down list, select the type of remediation system you want
  to use.
4 In the Host text box, enter the host name for the external remediation system.
5 In the Port text box, if required, enter the port number for the external
  remediation system.
6 In the Form Name text box, if required, enter the form name for the external
  remediation system.
7 In the Username text box, if required, enter the username for the external
  remediation system.
8 In the Password text box, if required, enter and confirm the password for the
  external remediation system.
9 In the To System Mapping drop-down box, select the mapping you want used
  when sending data from Preventsys to the external remediation system. If the
  selected mapping is not valid, no task data will be exchanged.
10 In the From System Mapping drop-down box, select the mapping you want
  used when sending data from the external remediation system to Preventsys. If
  the selected mapping is not valid, no task data will be exchanged.
11 In the Description box, if required, enter a description for the external
  remediation system.
12 To test whether Preventsys can exchange task data with the external
  remediation system properly, click Test. If the test fails, you can still submit
  your settings, but no tasks will be assigned to the associated external users until
  the test is successful.
13 To save your settings, click Submit.
Editing an External Remediation System
Use the Edit Remediation System function to modify previously configured external
remediation systems.
To edit an external remediation system
1 From the Preventsys menu, select Tasks > External Remediation Systems,
  click Edit for the system you want to modify. The Edit Remediation System
  screen appears.
2 Edit the settings for the external remediation system as desired.
3 To test whether Preventsys can exchange task data with the external
  remediation system properly, click Test. If the test fails, you can still save your
  settings in the next step, but no tasks will be assigned to the associated external
  users until the test is successful.
4 To save your settings, click Submit.
Deleting an External Remediation System
Use the Delete Remediation System function to remove previously configured
external remediation systems.
An external remediation system cannot be deleted until all the selected system's
unresolved tasks (assigned tasks that have not been marked as Claimed Resolved,
False Positive, or Accepted Risk) are reassigned to users that are not associated with
the system being deleted.
To delete an external remediation system
1 From the Preventsys menu, select Tasks > External Remediation Systems,
  click Delete for the system you want removed. A confirmation pop-up box
  appears.
2 To delete the system, click OK.
Managing External Remediation Users
After you configure your external remediation system, you need to add the users
from your external system to whom you want to be able to assign remediation tasks.
All external remediation user administration is conducted from the External
Remediation Users Management screen.
Useful Terms
Please review the following terms before continuing with this section.
• Non-Associated External Remediation User: A user from an integrated
  third-party remediation system that you have added to Preventsys. You can assign
  tickets to this user from within Preventsys. In addition, this user is automatically
  granted the Resolve Remediation permission for every network, which allows
  you to assign any ticket to them regardless of the affected asset. This user can
  only update the status of their tickets from within the external remediation
  system.
• Associated External Remediation User: A non-associated external
  remediation user that has been associated with a Preventsys user. This user
  automatically inherits the networks of the Preventsys user to which they are
  associated. Therefore, you can only assign tasks for assets that are within the
  range of the networks for which the Preventsys user has the Resolve
  Remediation permission. In addition, this user can update the status of their
  tickets from within the external remediation system or from within Preventsys.
  See Associating an External Remediation User with a Preventsys User (on page
  191) for details.
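An added model written for this page (not Preventsys code) of which users are offered in a task's Assign To list, combining the group permission rules from Assigning or Reassigning a Remediation task (including the Manual Audit Task exception) with the two external-user types defined above, and of how bulk assignment skips tasks the chosen user cannot access. Group names, user names, issues and networks are constructed samples, and network permissions are assumed to be expressible as CIDR blocks.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple, Union

RESOLVE = "Resolve Remediations"


@dataclass
class Group:
    name: str
    permissions: Set[str]
    networks: List[str]                      # CIDR blocks the group may touch

    def covers(self, host_ip: str) -> bool:
        return any(ip_address(host_ip) in ip_network(n) for n in self.networks)


@dataclass
class PreventsysUser:
    name: str
    groups: List[Group]

    def can_resolve(self, host_ip: Optional[str]) -> bool:
        """True when some group grants Resolve Remediations and, unless host_ip
        is None (the Manual Audit Task case), that group's networks include the host."""
        return any(
            RESOLVE in g.permissions and (host_ip is None or g.covers(host_ip))
            for g in self.groups
        )


@dataclass
class ExternalUser:
    name: str
    system: str                              # external remediation system name
    associated: Optional[PreventsysUser] = None

    def can_resolve(self, host_ip: Optional[str]) -> bool:
        if self.associated is None:
            return True                      # non-associated: every network granted
        return self.associated.can_resolve(host_ip)   # inherits the linked user's networks


@dataclass
class Task:
    issue: str
    host_ip: Optional[str]                   # None for Manual Audit Task violations
    is_mat: bool = False


User = Union[PreventsysUser, ExternalUser]


def assignable_users(task: Task, users: List[User]) -> List[str]:
    """Names that would appear in the task's Assign To list."""
    host = None if task.is_mat else task.host_ip
    return [u.name for u in users if u.can_resolve(host)]


def bulk_assign(tasks: List[Task], user: User) -> Tuple[List[str], List[str]]:
    """Bulk assignment: returns (assigned, skipped); tasks for assets the user
    cannot access are skipped rather than assigned."""
    assigned, skipped = [], []
    for t in tasks:
        host = None if t.is_mat else t.host_ip
        (assigned if user.can_resolve(host) else skipped).append(t.issue)
    return assigned, skipped


def sample_directory() -> List[User]:
    """Constructed sample users; names, systems and networks are placeholders."""
    ops = Group("ops", {RESOLVE}, ["10.1.0.0/16"])
    readers = Group("readers", set(), ["10.0.0.0/8"])   # no resolve permission
    alice = PreventsysUser("alice", [ops])
    bob = PreventsysUser("bob", [readers])
    return [alice, bob,
            ExternalUser("remedy_carol", "Remedy"),             # non-associated
            ExternalUser("remedy_bob", "Remedy", associated=bob)]
```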
To access the External Remediation Users Management screen
• From the Preventsys menu, select Tasks > External Remediation Users.
  The External Remediation Users Management screen appears. From this
  screen, you can add new external users, edit existing external users, and
  delete users.
Adding an External Remediation User
Use the Add External Remediation User function to add an external remediation
system user to Preventsys. You may also associate this user with a local or remote
Preventsys user if desired.
Note: Some external remediation systems can accept tickets assigned to users that
do not exist in the external remediation system. If this is a concern, reconfigure your
external remediation system to only allow tickets assigned to users that exist within
that system.
To add an external remediation user
1 From the Preventsys menu, select Tasks > External Remediation Users, then
  click Add New User. The Add External Remediation User screen appears.
2 In the External Username text box, enter the username for the user in the
  external remediation system that you want to add. Note that this name must
  exactly match the username specified in the external remediation system.
3 In the External System drop-down list, select the desired external remediation
  system.
4 To associate this username with a Preventsys user, select the desired
  Preventsys user from the Preventsys User drop-down list. Otherwise, select
  No Association.
  Note: The Preventsys User dropdown list displays all Preventsys users who
  have the Resolve Remediations permission regardless of the groups to which
  they belong.
5 To verify that the username you entered is authorized to access the specified
  external remediation system, click Verify. If the username is invalid, you can
  still submit your settings, but no tasks will be assigned to the associated
  external users until the test is successful.
6 To save your settings, click Submit.
Associating an External Remediation User with a
Preventsys User
When you associate an external remediation system and user with a Preventsys
user, the external user is referred to as an Associated External Remediation User.
You will be able to assign tasks to this user for the assets that are within the range of
the networks for which the associated Preventsys user has the Resolve Remediation
permission. In addition, this user can update the status of their tickets from within
the external remediation system or from within Preventsys. See Managing External
Remediation Users (on page 188) for details.
If you have not added an external remediation system to Preventsys, see Managing
External Remediation Systems (on page 185) before continuing with this section.
To add or modify an association with an external remediation user
Do one of the following:
• If you have not yet added the external remediation user you want to associate,
see Adding an External Remediation User (on page 189) for details about adding
an external user and associating them with a Preventsys user.
• If you have already added an external remediation user, you can associate them
with a Preventsys user by doing one of the following:
  • Edit the external user. See Editing an External Remediation User (on page
  192).
  • Edit the Preventsys user that you want to associate with the external user.
  From the Preventsys menu, select Admin > Users. Click External
  Association for the local or remote user you want to associate with an
  external remediation user. The Associate External Remediation System
  User screen appears. From this screen, you can select the external system
  name and username you want associated with the Preventsys user. Click
  Submit to save.
Note: If you have an external remediation system configured in Preventsys, the
Associate External Remediation System User screen is automatically displayed
following the creation of a new local user.
The Remediation System and Remediation Username fields on the Associate
External Remediation System User screen only display systems and users that have
been added to Preventsys.
Editing an External Remediation User
Use the Edit External Remediation System User function to modify previously
configured external users.
• If you disassociate a Preventsys user from an external remediation user, tasks
assigned to the external remediation user will remain assigned to that user.
• If you change the username and external system for an external remediation
system user, all open remediation tasks assigned to the previous username and
external system will be reassigned to the new username and external system.
To edit an external remediation user
1 From the Preventsys menu, select Tasks > External Remediation Users, then
click Edit for the user you want to modify. The Edit External Remediation User
screen appears.
2 Edit the user as desired.
3 To associate this username with a Preventsys user, select the desired
Preventsys user from the Preventsys User drop-down list; otherwise, select No
Association.
4 To verify that the username you entered is authorized to access the specified
external remediation system, click Verify. If the username is invalid, you can
still submit your settings, but no tasks will be assigned to the associated
external users until the test is successful.
5 To save your changes, click Submit.
Deleting an External Remediation User
Use the Delete External Remediation System User function to remove previously
configured external users.
• A non-associated external remediation user cannot be deleted until all of that
user's unresolved tasks (tasks that have not been changed to Claimed Resolved,
False Positive, or Accepted Risk) are reassigned. If you attempt to delete an
external remediation system user with open tasks pending, Preventsys will
display a message stating that all open tasks must be reassigned first. You can
use the Assign Remediation Tasks function described earlier in this chapter to
reassign the selected external user's open tasks.
• If you remove an associated external remediation user from Preventsys, the
tasks assigned to that user will be assigned to the Preventsys user that was
associated with them.
To delete an external remediation system user
1 From the Preventsys menu, select Tasks > External Remediation Users, then
click Delete for the user you want removed. A confirmation pop-up box
appears.
2 To delete the user, click OK.
Managing External Patch Management Systems
Preventsys can send remediation tasks to an external patch management system for
automated patching. This section describes the relevant systems and components
required to integrate Preventsys with an external patch management system as well
as how to integrate, configure, and send remediation tasks to a patch management
system.
Preventsys supports McAfee Hercules® Remediation Manager (Hercules) versions
4.2 and 4.5. To integrate Hercules with Preventsys, Preventsys must be granted
access to the Hercules web service ports (see Configuring the Hercules Server (on
page 194)), and the Hercules API must be installed on the HerculesServer (see
Installing the Hercules Web Service API).
About Automated Patching
Upon completion of an assessment, Preventsys will transmit the resulting
"vulnerability type" remediation tasks to the patch management system you
configured to determine which tasks it can automatically patch. Only assessment
results from scanners supported by the patch management system will be
transmitted. Preventsys will query all configured patch management systems when
determining if the remediation tasks are patchable. However, only one system will
actually be asked to make each patch.
The remediation tasks determined by the patch management system to be patchable
are denoted by a special icon on the Remediation Tasks Management and
Remediation Task Update screens. The user can then select the remediation tasks
they want to be patched. These remediation tasks are sent to the patch
management system, and Preventsys monitors their progress during automatic
patching. When the patch has completed, the icon associated with remediation task
changes to denote the patched status. See Sending Requests to a Patch
Management System (on page 201) for details about these icons.
Configuring the Hercules Server
Preventsys communicates with Hercules via RPC XML/HTTP web service calls. The
Hercules server runs on Microsoft's Internet Information Services (IIS). The default
web site created during the Hercules install is called HerculesServer. For the
Preventsys requests to reach the Hercules web service, the HerculesServer web site
must allow anonymous connections access to the HTTP ports serviced by the
HerculesServer web site.
To enable anonymous access for HerculesServer
1 On the Windows taskbar, select Start > Programs > Administrative Tools >
Internet Information Services (IIS) Manager.
2 In the Internet Information Services (IIS) Manager, expand the folder for the
Hercules machine, which is usually the local computer.
3 Expand the Web Sites folder, then expand the Default Web Sites folder.
4 Right-click to select HerculesServer, then select Properties from the shortcut
menu.
Figure 16: The Internet Information Services (IIS) Manager
5 On the Properties window, select the Directory Security tab.
6 In the Authentication and access control section, click Edit.
7 On the Authentication Methods window, select Enable anonymous access.
8 Click OK to save.
Figure 17: IIS Manager Authentication Methods
Note: If additional security is desired, you can configure the HerculesServer web
site to only accept connections whose source IP address is the Preventsys
Management Server. Additional IP addresses may be added as needed (such as
machines where the Hercules Administrator is running). Follow the instructions
provided with IIS for how to Configure IP Addresses and Domain Name Restrictions.
To turn off HTTPS connections
Preventsys does not support HTTPS connections to the Hercules web services, so
you need to verify that this option is not enabled.
1 On the Windows taskbar, select Start > Programs > Administrative Tools >
Internet Information Services (IIS) Manager.
2 In the Internet Information Services (IIS) Manager, expand the folder for the
Hercules machine, which is usually the local computer.
3 Expand the Web Sites folder, then expand the Default Web Sites folder.
4 Right-click to select HerculesServer, then select Properties from the shortcut
menu.
Figure 18: The Internet Information Services (IIS) Manager
5 On the Properties window, select the Directory Security tab.
6 In the Secure communications section, click Edit.
7 On the Secure Communications window, make sure the Require secure
channel (SSL) option is not selected.
8 Click OK to save.
Figure 19: IIS Manager Secure Communications
Installing the Hercules Web Service API
Installation of HAPI requires that Hercules 4.2 or higher be installed and that the
installing user has administrative privileges. If the Hercules installation is distributed
in nature, the HAPI package should be installed on the device running the
HerculesServer web services.
To install the Hercules API
1 Insert the McAfee Preventsys Risk Analyzer and Compliance Auditor for
Windows CD into the Management Server's CD-ROM.
2 Locate and then double-click hapi_Setup.exe. The Hercules Server API
Setup Wizard displays a welcome message.
3 Click Next to continue.
4 Click I Agree to accept the license agreement and continue.
5 When the installation has completed, the Finish button will be activated.
6 Click Finish to quit the installer.
To verify the Hercules API installation
1 Open your web browser and go to the following URL:
http://localhost/HerculesServer/hapi.asmx
2 If the installation was successful, the following content is displayed within the
web browser.
Configuring the Patch Management System
Before you can send remediation tasks to a patch management system, you must
first add the patch management system to Preventsys.
Adding an External patch management system
1 From the Preventsys menu, select Tasks > External Patch Management
Systems. The External Patch Management Systems screen appears.
2 Click Add new system to add a new patch management system. The Add
External Patch Management System screen appears.
3 Enter the Name of the external patch management system.
4 Select a Type from the pull-down menu.
5 Enter a Username.
6 Enter a Password and confirm.
7 Enter the Web Service URL.
The Web Service URL identifies the URL or SOAP endpoint to the patch
management system. The default URL for Hercules is
http://<server name or ip address>/HerculesServer/hapi.asmx
8 Click Test System to test whether Preventsys can exchange data with the
patch management system.
If this test fails, verify the information you entered. You can still submit this
form if the test fails. However, Preventsys will not be able to send requests to
the patch management system until the test is successful.
9 Click Submit to save.
Editing an External patch management system
1 From the Preventsys menu, select Tasks > External Patch Management
Systems. The External Patch Management Systems screen appears.
2 Click the name of the patch management system that you wish to edit. The Edit
External Patch Management System screen is displayed.
3 Edit the patch management system's configuration as desired.
4 Click Test System to test whether Preventsys can exchange data with the
patch management system properly.
If this test fails, verify the information you entered. You can still submit this
form if the test fails. However, Preventsys will not be able to send requests to
the patch management system until the test is successful.
5 Click Submit to save your changes.
Removing an External patch management system
1 From the Preventsys menu, select Tasks > External Patch Management
Systems. The External Patch Management Systems screen appears.
2 Click Delete for the patch management system you want removed. A
confirmation pop-up box appears.
3 Click OK to delete the patch management system.
Note: When a patch management system is removed that has returned the
Patching Available, Patching In Progress, or Cancelled statuses for remediation tasks
which are also still unresolved, Preventsys queries the remaining patch management
systems to determine if they can fix any of these remediations. If the patch
management system removed is the only patch management system configured,
then remediations with the Patching In Progress status are changed to Manual
Intervention Required. All other statuses remain the same.
Sending Requests to a Patch Management System
The following patch statuses are displayed on the Remediation Task Management >
Tasks Assignment and Remediation Task Management > My Tasks screens. See
How Remediation Tasks Are Affected (on page 63) for details about what happens
when an assigned user is deleted during a patch.
Status Icon / Description
• Patching Available. Automated patching is available. Tasks with
this icon can be sent to your patch management system.
• Patching In Progress. Automated patching is in progress. Tasks
with this icon have been sent to your patch management system
and are being processed.
• Manual Intervention Required. The patch management system
cannot fix this remediation task. Manual intervention is required to
complete this task.
• Canceled. Automated patching was canceled by the patch
management system because it could not complete the request, or
because the system timed out. You can resubmit canceled tasks.
• Successful. Automated patching was successful. If the
remediation task is Unresolved, Preventsys automatically changes
its status to Claimed Resolved.
Sending a Remediation Request to the patch management system
1 From the Preventsys menu, select Tasks > Remediation Tasks, then select the
My Tasks tab.
2 Select the checkbox next to each task with a Patching Available icon that you
want to send to the patch management system.
3 In the With All Selected dropdown, select Send to Patch Management
System.
If you selected tasks on multiple pages, select All on all pages to ensure that all
your selected tasks are sent.
4 Click Submit to send the selected tasks to your patch management system.
To view patch details
• You can view details about a remediation task that was sent to your patch
management system on the Remediation Details screen. See Viewing Details
about a Remediation (on page 176) for details.
Chapter 10
Manual Audit Tasks
Manual Audit Tasks (MAT) allow you to create, assign, track, and confirm manual
security tasks. Manual audit tasks allow for the support of policy rules that do not
lend themselves to traditional electronic solutions. For example, many security rules
are physical such as locking doors and ensuring that media is stored. In other cases,
an enterprise may wish to ensure that a backup was made of a database or other
external system that is not directly accessible to Preventsys. Manual audit tasks can
account for all these scenarios through the definition of custom tasks, which may
then be reported upon and tracked in Preventsys.
Manual audit tasks have two main stages: Incomplete and Complete. A manual audit
task is considered Incomplete until it has both a schedule and at least one recipient.
Once a manual audit task has both of these, it is considered Complete.
Preventsys ships with a selection of predefined manual audit tasks, which cover a
wide range of common tasks. Some of these manual audit tasks also have
predefined schedules. You can create your own manual audit tasks to account for
additional scenarios.
All manual audit task administration is conducted from the Manual Audit Task
Management screen.
To access the Manual Audit Task Management screen
• From the Preventsys menu, select Tasks > Manual Audit Tasks. The
Manual Audit Task Management screen appears.
Note: If there are tasks assigned to you, the My Tasks tab is displayed by default.
Otherwise, the By Task tab is displayed.
From the By Task tab on the Manual Audit Task Management screen, you can view
all Manual Audit Tasks rolled up by assignees. From this screen you can also add
new tasks, edit existing tasks, and delete tasks. Note that by default, tasks on this
screen are displayed in alphabetical order by name.
You can also use the Filter tab on the By Task and By Recipients views to filter tasks
by Resolved, Unresolved, Overdue, Future, and Incomplete.
Note: Filtering by Incomplete is only available on the By Tasks view. In addition,
selecting the Future filter option with any other option will display only those future
occurrences without a current occurrence. Selecting the Future filter option by itself
will display all future occurrences.
You can conduct the same functions on the By Recipients tab as you can on the By
Tasks tab. Use the By Recipients tab to view a list of all tasks. Note that by default,
tasks on this screen are displayed in alphabetical order by name.
From the My Tasks tab on the Manual Audit Task Management screen, you view
details about the individual tasks assigned to you and resolve them.
Managing Manual Audit Tasks
All manual audit tasks have an Audit Task Name, a Directive, and an Asset Value.
The Directive represents a text description of the manual audit task, including what
the recipient must do to resolve the task. The Asset Value is the dollar value
assigned to those assets that are dependent upon the manual audit task. For a task
to be complete, it must also have recipients and a schedule. However, neither
recipients nor a schedule is required to add the task.
All manual audit task schedules include a Due Date (or Start Date in the case of
recurring schedules) and an Assignment Date. The Assignment Date is the date
upon which the manual audit task is assigned to the specified recipients. Once the
Assignment Date is reached, the manual audit task becomes active and its status
can therefore be updated by the recipients. On this date, recipients are also sent
emails notifying them of the task. If the recipient does not change the manual audit
task's status to Resolved by the Due Date, Preventsys automatically changes the
task's status to Overdue.
Manual audit tasks can be assigned to individuals as well as groups. If one user in
the group changes the status of a task, all other instances of the task change to that
status as well.
Preventsys will wait until a task has been assigned and has a schedule before
actually assigning it, and therefore allowing it to be seen and resolved by the
assignees. When a manual audit task is assigned that also has a schedule that can
be run immediately (that is, it is not a task scheduled in the future), Preventsys will
automatically generate email notifications informing the recipients that they have
manual audit tasks assigned to them. Recipients can then access and update the
status of their assigned manual audit tasks via the link provided in the email
notification. Note that users associated with external remediation systems will not
receive email notifications.
In addition to the initial assignment of new manual audit tasks, individual occurrences
of recurring manual audit tasks may be edited to add new recipients or delete
existing recipients.
Adding a Manual Audit Task
To add a manual audit task
1 From the Preventsys menu, select Tasks > Manual Audit Tasks, then click
Add New Task. The Add Manual Audit Task screen appears.
2 In the Task Name text box, enter the name you want to give the task (100
characters maximum, case insensitive, must be unique).
3 In the Directive text box, enter what the assignee should do to complete the
task.
4 In the Asset Value text box, enter the replacement cost for the asset associated
with the task. If you do not enter a new value, $1500 is applied by default.
Note: If the Manual Audit Task is not related to a specific asset, the asset value
will still aid in penalizing Manual Audit Type Policy Violations in exposure and risk
calculations.
5 Under Selection, do one of the following:
• To have the task run once on a date you specify, select Execute
Immediately, then, in the Start Date or Due Date text box, enter the date
(greater than today's date) on which the task should be completed. If you
do not select a different type of schedule, Schedule Once is applied by
default.
Note: Even though Preventsys will allow you to enter invalid dates such as
February 31, it will still calculate and schedule the task correctly. For example, if
you enter February 31, Preventsys will use February 28, the last day of that
month.
• To have the task run more than once, select Recurring Schedule, then, in
the Start Date or Due Date text box, enter the date (greater than today's
date) on which you want the task to start.
Note: The Start Date, the date on which you want to make the schedule
effective, cannot be earlier than today's date. For example, if the start date is
today, Monday, and your schedule is every two weeks on Tuesday, then the first
occurrence will be tomorrow, Tuesday, and the second occurrence will be two
weeks from tomorrow on Tuesday.
6 Under Frequency, do one of the following:
• To have the task occur daily, select Daily, then enter the number of days a
week the task should occur (for example, if the start date is on a Tuesday,
and the task is set to occur every 3 days, then it will occur on Tuesday,
Wednesday, and Thursday) or have the task occur every day.
• To have the task occur weekly, select Weekly, enter the number of weeks
between occurrences, then select the days of the week on which the task
should occur. For example, if you want the task to occur on Monday and
Tuesday every two weeks, enter 2 weeks for the interval and select
Monday and Tuesday.
• To have the task occur monthly, select Monthly, select the day of the
month on which the task should occur, enter the number of months
between occurrences, then select whether the task should occur on
weekdays (Monday-Friday) or every day (Monday-Sunday).
• To have the task occur yearly, select Yearly, choose the month and day on
which the task should occur, then select whether the task should occur on
weekdays (Monday-Friday) or every day (Monday-Sunday).
7 In the Assign to Recipients section, enter how many hours or days before the
due date the task should be assigned, then select an interval of either hours or
days. If you do not enter an assignment schedule, 1 hour will be applied by
default.
Note: If the assignment date is earlier than today's date and recipients have
been assigned, the assignment is sent out immediately. For recurring
schedules, you cannot have an assignment date that will cause the next
occurrence to be assigned before the previous occurrence is due. In other
words, only one occurrence of a task can be assigned or active at a time.
8 To display the schedule you created, click Calculate.
9 Under Task Recipients, select the users and manual audit task groups that you
want assigned to the task.
Note: Only users that belong to groups with the Resolve MATs permission are
displayed in the Available Users list.
10 To save your settings, click Submit.
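The schedule and assignment rules from steps 5 through 7 can be checked before a task is submitted. The following model is an added example, not Preventsys code; it assumes that the weekly interval is counted from the week containing the start date (which reproduces the Monday/Tuesday example in the note above), that an invalid day such as February 31 is clamped to the month's last day as the note describes, and it does not model the weekdays-only option.

```python
"""Model of the Manual Audit Task scheduling rules described in this chapter
(added example, not Preventsys code): occurrence (due) dates for Weekly and
Monthly frequencies, Assignment Dates derived from the "Assign to Recipients"
lead time, and the rule that the next occurrence may not be assigned before
the previous one is due."""
import calendar
from datetime import date, datetime, timedelta

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


def clamp_day(year: int, month: int, day: int) -> date:
    """Treat an invalid day such as February 31 as the last day of that month,
    the behaviour the guide describes for the Start Date or Due Date box."""
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day, last_day))


def weekly_occurrences(start: date, interval_weeks: int, days: list[str],
                       count: int) -> list[date]:
    """Due dates for a Weekly schedule: the selected weekdays, every
    interval_weeks weeks. Assumption: the interval is counted from the week
    containing the start date, so starting on a Monday with "every 2 weeks on
    Tuesday" gives tomorrow and then two weeks from tomorrow."""
    wanted = sorted(WEEKDAYS[d] for d in days)
    week_monday = start - timedelta(days=start.weekday())
    due_dates: list[date] = []
    week = 0
    while len(due_dates) < count:
        base = week_monday + timedelta(weeks=week * interval_weeks)
        for weekday in wanted:
            candidate = base + timedelta(days=weekday)
            if candidate >= start and len(due_dates) < count:
                due_dates.append(candidate)
        week += 1
    return due_dates


def monthly_occurrences(start: date, day_of_month: int, interval_months: int,
                        count: int) -> list[date]:
    """Due dates for a Monthly schedule on a fixed day of the month, clamping
    days that do not exist in a given month (weekdays-only is not modelled)."""
    due_dates: list[date] = []
    year, month = start.year, start.month
    while len(due_dates) < count:
        candidate = clamp_day(year, month, day_of_month)
        if candidate >= start:
            due_dates.append(candidate)
        month += interval_months
        year, month = year + (month - 1) // 12, (month - 1) % 12 + 1
    return due_dates


def assignment_for(due: date, lead: timedelta) -> datetime:
    """Assignment Date = Due Date minus the lead time entered under
    Assign to Recipients (the guide's default is 1 hour). A due date is taken
    as midnight at the start of that day (assumption)."""
    return datetime.combine(due, datetime.min.time()) - lead


def lead_is_valid(due_dates: list[date], lead: timedelta) -> bool:
    """Rule from the guide: only one occurrence may be assigned or active at a
    time, so occurrence n+1 must not be assigned before occurrence n is due."""
    for previous_due, next_due in zip(due_dates, due_dates[1:]):
        previous_due_at = datetime.combine(previous_due, datetime.min.time())
        if assignment_for(next_due, lead) < previous_due_at:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: start Monday 2024-03-04, Monday and Tuesday every 2 weeks.
    occurrences = weekly_occurrences(date(2024, 3, 4), 2, ["Mon", "Tue"], 4)
    for due in occurrences:
        print(due, "assigned", assignment_for(due, timedelta(days=1)))
    print("1-day lead valid:", lead_is_valid(occurrences, timedelta(days=1)))
    print("2-day lead valid:", lead_is_valid(occurrences, timedelta(days=2)))
```

With a 2-day lead the Tuesday occurrence would be assigned before the preceding Monday occurrence is due, which is exactly the configuration the note under step 7 says Preventsys rejects.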
Editing a Manual Audit Task
When editing a Manual Audit Task, if you change the task's directive and the task
has a current occurrence, then an email notification is sent to the recipients.
If the task had a schedule and recipients and you delete either of these, then the task
becomes Incomplete and all current and future occurrences are canceled. In
addition, if the task has a current occurrence, an email notification is sent to each
recipient whose task state is Unresolved notifying them that they are no longer
responsible for the task.
When editing a task's schedule, if the task has a current occurrence and you
changed the due date, then an email notification is sent to recipients telling them
that the schedule has changed. If you change the assignment date to be later than
today's date, the current occurrence will go away and be replaced by a future
occurrence. An email notification will be sent to each recipient whose task state is
Unresolved notifying them that they are no longer responsible for the current
occurrence of the task.
When editing a task's recipients, if a recipient is deleted then that recipient is deleted
from both the current and any future occurrences of the task. If the recipient's
status for the current occurrence of the task is Unresolved, they will receive an email
notification notifying them that they are no longer responsible for the task.
To edit a manual audit task
1 From the Preventsys menu, select Tasks > Manual Audit Tasks, then click
Edit for the task you want to modify. The Edit Manual Audit Task screen
appears.
2 Modify the task's information, schedule, and recipients as desired.
3 To save your changes, click Submit.
Deleting Manual Audit Tasks
When you delete a manual audit task, you delete the actual task.
Note: You cannot use the Delete function to delete individual occurrences (either
current or future, assigned or not assigned) of a task.
When a task is deleted, all current and future scheduled occurrences of the task are
automatically canceled. If the task has a current occurrence, then an email
notification is sent to each recipient whose task state is Unresolved notifying them
that they are no longer responsible for the task. Task states in the Resolved or
Overdue state are not affected.
To delete a manual audit task
1 On the Manual Audit Task Management screen, click Delete for the task you
want removed. A confirmation pop-up box appears.
2 Click OK to continue or Cancel to quit.
3 If you selected OK, Preventsys deletes the selected task and all its scheduled
occurrences.
Updating Manual Audit Tasks
Once a manual audit task is Complete (has both a schedule and at least one
recipient) and its assignment date has passed, its current occurrence can be viewed
and its status updated by the recipient(s). The status of Future Tasks (occurrences of
tasks for which the assignment date has not yet passed), cannot be updated. Once
a task is Overdue, it cannot be resolved.
Updating the Status of a Manual Audit Task
To update the status of a manual audit task assigned to you
1 From the Preventsys menu, select Tasks > Manual Audit Tasks, then select
the My Tasks tab. All tasks assigned to you are displayed.
To remove some of the tasks from your view temporarily, select the Filter tab,
then select the desired options.
2 In the Status column, click Unresolved to change the status of the desired task
to Resolved. This change cannot be undone.
3 To save your updates, click Submit.
Manual Audit Task Email Notifications
Preventsys will send email notifications to recipients about their manual audit tasks
whenever the following conditions are met.
• An email notification will be sent to the manual audit task recipients on the
Assignment Date of each occurrence of a recurring task or on the first
occurrence of a single occurrence task.
• An email notification will be sent to the manual audit task recipients when the
Task Directive of a Complete Task is changed if there is a Current Occurrence.
• An email notification will be sent to the manual audit task recipient(s) when a
Complete Task is changed to an Incomplete Task.
• An email notification will be sent to the manual audit task recipient(s) when a
Complete Task is deleted.
• An email notification will be sent to the manual audit task recipient(s) when the
schedule of a Complete Task is changed such that the Assignment Date is later
than today's date.
• An email notification will be sent to the manual audit task recipient(s) when the
due date of a task for which there is a Current Occurrence is changed.
Managing Manual Audit Task Recipient Groups
Manual audit tasks can be assigned to individuals as well as groups. A group can
have as many members as desired, but must have at least one member. Note that
Preventsys will wait until a task has been assigned and has a schedule before
actually assigning it, and therefore allowing it to be seen and resolved by the
assignees. When one user in the group changes the status of a task, all other
instances of the task change to that status as well.
All administration for Manual Audit Recipient Groups is conducted from the Manual
Audit Task Recipient Groups Management screen.
To access the Manual Audit Task Recipient Groups Management screen
• From the Preventsys menu, select Tasks > Manual Audit Recipient Groups.
The Manual Audit Task Recipient Groups Management screen appears.
From the Manual Audit Task Recipient Groups Management screen, you can add
new groups, edit existing groups, and delete groups.
Adding a Recipient Group
To add a recipient group
1 From the Preventsys menu, select Tasks > Manual Audit Recipient Groups,
then click Add New Group. The Manual Audit Task Recipient Group screen
appears.
2 In the Group Name text box, enter the name you want to give the group.
3 In the Description text box, enter a description of the group if desired.
4 Under the Group Users section, select the available users that you want to be
members of this group.
Note: Only users that belong to groups with the Resolve MATs permission will
be displayed in the Available Users list.
5 Click Submit to save the new recipient group.
Editing a Recipient Group
Deleting a member from a group will delete that member from all current
occurrences and any future occurrences of the Manual Audit tasks to which the
group is assigned. If the member's status for any current occurrences was Overdue
or Resolved before they were deleted, the member will be displayed on the Manual
Audit Tasks screen when Complete Tasks and Recipient view is selected. The
deleted member will no longer be able to update tasks to which the group they
belonged to was assigned.
To edit a recipient group
1 From the Preventsys menu, select Tasks > Manual Audit Recipient Groups,
then click Edit for the group you want to modify. The Edit Recipient Groups
screen appears.
2 Edit the recipient group as desired.
3 To save your changes, click Submit.
Deleting a Recipient Group
Deleting a Recipient Group will remove that group from all current occurrences and
any future occurrences of tasks to which it is assigned. Members will no longer be
able to update tasks to which the group was assigned. Members whose status was
Overdue, or who changed the status of any current occurrences of their tasks to
Resolved before the group was deleted, will be displayed on the Manual Audit Tasks
screen when Complete Tasks and Recipient view is selected.
To delete a recipient group
1. From the Preventsys menu, select Tasks > Manual Audit Recipient Groups,
   then click Delete for the group you want removed. A confirmation pop-up box
   appears.
2. To delete the recipient group, click OK.
Understanding Manual Audit Task Rules and Policy Violations
Manual Audit Tasks may also be incorporated into policies via the PolicyLab Client
using special Manual Audit Task Rules. In this manner, Manual Audit Tasks may be
used to generate Manual Audit Task Policy Violations that can be tracked through
remediation tasks. Depending on how it is configured, a Manual Audit Task Rule can
conduct the following checks: a Configuration Check, a Schedule Integrity Check, and
a Recipient Status Check. See the McAfee PolicyLab Product Guide for details about
working with Manual Audit Task Rules.
Figure 20: Sample Manual Audit Task Rule screen from PolicyLab
Item  Description
1     Configuration check
2     Schedule integrity
3     Recipient status check
Manual Audit Tasks do not require a schedule or recipient assignments to be used in
Manual Audit Task rules and policies. The Manual Audit Task Policy Violations
generated by Manual Audit Task Rules will be included in the following reports:
Executive Summary Standard and Trending, Task Standard and Trending Report,
Exposure Overview Report, Task Recipient Standard and Trending, and Task Aging
Summary.
Verification of Manual Audit Task Policy Violations
When a Manual Audit Task Rule fires because the criteria set by it are not met by the
associated Manual Audit Task, the result is a Manual Audit Task Policy Violation. This
policy violation is always associated with the latest assessment that finds it even if it
is found by multiple assessments. This is important to note when filtering by
Assessment Name on the Remediation Task Management screen.
To verify a Manual Audit Task policy violation, you must rerun the same policy (can
be a different version of the policy) that created it using any assessment
configuration.
It is also important to note that Preventsys looks at the state of Manual Audit Tasks
when an assessment starts. Therefore, even if you modify a Manual Audit Task such
that it should not fire a Manual Audit Task Policy Violation (for example, you make
sure it is assigned, scheduled, and not overdue), that Manual Audit Task can still
cause a Manual Audit Task Policy Violation to be created or reopened. This can
happen if you modified the Manual Audit Task after the start of an assessment that
uses a policy which contains the associated Manual Audit Task Rule. If this occurs,
rerun your assessment, and the Manual Audit Task Policy Violation will be verified.
Note: If you delete a Manual Audit Task that is associated with a Manual Audit Task
Rule, the Manual Audit Task Rule may still produce a configuration violation which
will affect your compliance percentage in reporting.
Chapter 11
Security Risk Dashboard
Use the Security Risk Dashboard to get quick, simple access to the information you
need and the application controls used most frequently. If you have the Preventsys
Threat Intelligence feature, you can also receive timely, actionable and
comprehensive security analysis and notification about the latest cyber threats,
including the threats and vulnerabilities that affect your networks the most and
overall exposure levels. The Security Risk Dashboard also provides a snapshot of
policy compliance and the top outstanding remediation tasks, as well as your
personal task list.
The Security Risk Dashboard is comprised of the following consoles. Details about
each console are provided in this chapter.
• Enterprise Console
• Exposure Console
• Compliance Console
• Threat Console
• Remediation Console
• Assessment Console
The Dashboard is displayed when you log on to Preventsys. Click the Preventsys
logo or select Home from the main menu during any operation to return to the
Dashboard.
Much of the data displayed on the Dashboard is based on the results of
assessments. You can specify the assessment data you want displayed as well as
ignored using the Enterprise Group feature. See Managing Enterprise Groups (on
page 233) for details.
Item  Description
1     Click on logo to return to the Dashboard
2     Enterprise Compliance Console
3     Enterprise Trending Console
4     Exposure Console
5     Network Group Compliance Console
6     Threat Console
7     Remediation Console
8     Assessment Console
Working with the Enterprise Console
The Enterprise Compliance and Enterprise Trending portlets are scaled-down views
of the Enterprise Group Summary report, which you can access quickly by clicking on
either of these portlets. The data displayed in these portlets is filtered based on the
active Enterprise Group.
Working with the Exposure Console
On the Exposure console, you can view a snapshot of the current exposure of your
networks based on current vulnerabilities, the financial impact and operational impact
of the affected assets, and severity of those vulnerabilities. The data displayed in
this console is filtered based on the active Enterprise Group.
Clicking on the Exposure graph will display the Exposure Summary report, which
provides additional trending details about your exposure.
• Exposure: An enlarged view of the graph displayed on the Exposure console.
• Issues and Remediations over Time: Presents the number of issues over
  time.
• Average Resolution Time: Presents the average resolution time of assigned
  remediation tasks over time. Resolution time is the difference between the
  time the task was assigned to a remediator and the time its status was changed
  to Claimed Resolved, False Positive, or Accepted Risk.
Working with the Compliance Console
The Compliance portlet provides snapshots of analyses which you have promoted to
the Dashboard via the Comparative Compliance Report. Note that the promoted
view will always show the most recent data for the selected analysis families.
Therefore, if the user attempts to promote different analyses from the same analysis
family on the Comparative Compliance report, they will only see the most recent in
the Compliance portlet. Clicking on one of the charts in the portlet opens the
Comparative Compliance report with all the promoted assessments displayed. You
can promote additional assessments via this report as well as delete currently
promoted ones by selecting the Dashboard+ and Dashboard- buttons, respectively.
Working with the Threat Console
The Threat console is only available if a threat feed URL was specified during
configuration. See the McAfee Preventsys Risk Analyzer and Compliance Auditor
Installation Guide for details. This subscription service is a near real-time information
feed that provides actionable information for all aspects of the threat horizon - from
vulnerability announcements to patches, to exploit code and global port scanning,
through virus announcements and variants.
Preventsys combines the external intelligence of different sources of information in a
way that can be automatically associated to knowledge about your corporate
network's current security posture. This information contains technical and
descriptive information and analysis, remediation actions, and threat rules that can be
directly applied to your network to pinpoint problems; often before a signature file is
available for a scanner. The Threat Intelligence Connector feed includes vendor
vulnerability announcements, as well as information from sources like CVE, Open
Source Vulnerability Database, subscription intelligence services, and Preventsys'
own in-house security experts.
All of this results in prioritized and actionable remediation tasks, based on threat
severity and your exposure to it, for your highest valued assets.
Threat alerts are categorized into the following categories:
• Actionable: By reviewing network assessment results, Preventsys
  determined that at least one of your assets is vulnerable to this threat alert. As a
  result, remediation tasks associated with this threat are associated with the
  threat alert. As long as at least one remediation task associated with the threat
  remains unresolved, the threat itself will remain Actionable.
• Remediated: All remediation tasks associated with this actionable threat
  alert were fixed, and therefore your related assets are no longer vulnerable.
• Non-Actionable: Preventsys determined that your assets are not
  vulnerable to this threat alert.
Viewing the Latest Threat Alerts
From the Threat console, you can view a list of the latest five threat alerts by clicking
on the Latest Threats tab. The latest five threat alerts are displayed and ordered by
the date received, and then by severity.
Viewing the Top Threat Alerts
From the Threat console, you can view a list of the latest five threat alerts that
Preventsys has determined would put your networks at risk of exposure by clicking
on the Top Threats tab. These types of threat alerts are considered actionable.
Because each actionable threat alert is associated with a remediation task, you can
prioritize and track their resolution. If there are no actionable threats, then the latest
threats are displayed.
Viewing All Threat Alerts
From the Threat console, you can view all threat alerts received to date by clicking on
the Details tab ». All threat alerts received are displayed, ordered by date, and
filtered to show the last 30 days of data based on the date of the latest threat alert
received. There is no additional filtering based on Enterprise Group (see Filtering the
List of All Threat Alerts (on page 223) for details about filtering based on Enterprise
Group).
You can change the filter to show any range desired, but note that larger ranges may
take longer to calculate and display. The All Threats screen also displays the number
of threats out of the possible number of threats that exist. Note that this number
reflects the 30-day filter. Select the Filter Options tab to specify a new filter.
To access the All Threats screen
• From the Threat console, select >>. The All Threats screen appears.
Note: A "Connection failure" message will be displayed in the top left-hand
corner of the screen if the system cannot receive the latest threat feed.
How Threat Alerts Affect Remediation Tasks
When actionable threat alerts are identified, Preventsys automatically reviews the
current set of remediation tasks to determine if there is a similar task that
addresses the vulnerability. If it finds such a task and the task does not have the
Verified status, it alters that task's severity and adds details about the threat to its
description and solution as needed.
How Severity Is Adjusted By Threat Alerts
The severity of a Vulnerability type remediation task is initially the severity set by
the scanner that detected that vulnerability. The severity of remediation tasks
associated with threats can then be adjusted (raised or lowered) based on several
things. Each time the severity or the lifecycle phase of a threat alert associated
with a remediation task increases or advances, the severity of that remediation task
increases. Each time the severity or the lifecycle phase of such a threat alert
decreases, the severity of that remediation task decreases. When a threat alert is
associated with a remediation task for the first time, the severity of that remediation
task increases.
In addition, a remediation task's severity can be adjusted by an Exposure rule. See
the McAfee Preventsys Risk Analyzer and Compliance Auditor Policy Reference
Guide for a list of exposure rules.
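The adjustment rules above, including the "Verified tasks are left alone" rule from the previous section, as an added Python model that is not part of the product. The one-level step size, the five-level severity scale and the lifecycle phase order used for "advances" are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Lifecycle phases named in the guide. The guide notes the phases can occur in
# any order; this example assumes the listed order is the "advancing" order.
LIFECYCLE = ["Advisory", "Exploit Discovered", "Threat Active in Wild"]
SEVERITY_MIN, SEVERITY_MAX = 1, 5  # assumed severity scale


@dataclass
class ThreatAlert:
    alert_id: str
    severity: int
    phase: str


@dataclass
class RemediationTask:
    task_id: str
    severity: int                    # starts as the scanner-assigned severity
    status: str = "Assigned"
    linked_alert: Optional[str] = None
    last_alert_severity: Optional[int] = None
    last_alert_phase: Optional[str] = None
    history: list = field(default_factory=list)


def _clamp(value: int) -> int:
    return max(SEVERITY_MIN, min(SEVERITY_MAX, value))


def apply_threat_alert(task: RemediationTask, alert: ThreatAlert) -> int:
    """Apply a new or updated threat alert to a task; return the new severity.

    Rules taken from the guide:
      * a task with Verified status is never altered;
      * the first association with an alert raises the task's severity;
      * a later rise in the alert's severity, or an advance in its lifecycle
        phase, raises the task's severity; a drop lowers it.
    The size of each step (one level) is an assumption.
    """
    if task.status == "Verified":
        task.history.append((alert.alert_id, 0, "task is Verified, untouched"))
        return task.severity

    if task.linked_alert != alert.alert_id:
        delta, reason = +1, "first association with alert"
    else:
        sev_change = alert.severity - task.last_alert_severity
        phase_change = (LIFECYCLE.index(alert.phase)
                        - LIFECYCLE.index(task.last_alert_phase))
        if sev_change > 0 or phase_change > 0:
            delta, reason = +1, "alert severity or phase increased"
        elif sev_change < 0 or phase_change < 0:
            delta, reason = -1, "alert severity or phase decreased"
        else:
            delta, reason = 0, "alert unchanged"

    task.severity = _clamp(task.severity + delta)
    task.linked_alert = alert.alert_id
    task.last_alert_severity = alert.severity
    task.last_alert_phase = alert.phase
    task.history.append((alert.alert_id, delta, reason))
    return task.severity


def demo() -> list:
    """Constructed scenario; returns the task severity after each event."""
    task = RemediationTask("RT-1", severity=3)            # scanner said 3
    results = [
        apply_threat_alert(task, ThreatAlert("TA-100", 2, "Advisory")),
        apply_threat_alert(task, ThreatAlert("TA-100", 2, "Exploit Discovered")),
        apply_threat_alert(task, ThreatAlert("TA-100", 1, "Exploit Discovered")),
    ]
    verified = RemediationTask("RT-2", severity=2, status="Verified")
    results.append(apply_threat_alert(verified, ThreatAlert("TA-100", 4, "Advisory")))
    return results  # [4, 5, 4, 2]


if __name__ == "__main__":
    print(demo())
```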
Filtering the List of All Threat Alerts
You can filter the list of all threat alerts in a variety of ways by using the Filter
Options tab. Filters you create can also be saved for later use.
Note: The list of all threats is automatically filtered to show the last 30 days. To
view another date range, simply enter a starting and ending date in the Date fields.
Please note that larger ranges may take longer to calculate and display.
To filter the threat alert list
1. From the Threat Alert console, select >>, then select the Filter Options tab.
2. Do one of the following:
   • Enter data for the filter options you want to apply. All text string fields are
     case sensitive.
   • On the Load Filter drop-down list, select the desired saved filter, then click
     Load.
3. Click Apply Filter.
Note: To conduct wildcard searches, use an asterisk (*). For example, entering
comp* will return all asset names beginning with the letters comp such as computer
and company. Searching for *comp* will return all asset names containing the
letters comp such as accompany.
• To see all actionable threats, under Status, select Actionable. To see only
  threats related to the Enterprise Group, under Enterprise Group select
  Actionable. See Managing Enterprise Groups (on page 233) for details.
• To view remediated threats as well as partially remediated threats (actionable
  threats), under Status, select Remediated.
Note: If a remediation task associated with a threat remains unresolved, the threat
remains Actionable.
Saving a Filter
You can select various filter options that change the types of data displayed and
save them as a named filter for later use. For example, you can filter by actionable threats.
Note: Column settings are not saved with a filter.
To save a filter
1. From the Filter Options tab, do one of the following:
   • To create a new filter, in the Save as Filter text box, enter the filter's name
     (400 characters maximum), then click Save and Apply Filter.
   • To create a new filter based on an existing filter, select the desired filter
     from the Load Filter drop-down list, then click Load. Then, modify the filter
     options and change the loaded filter's name as desired, then click Save and
     Apply Filter.
To edit a saved filter
1. From the Filter Options tab, select the filter's name from the Load Filter
   dropdown, then click Load.
2. Edit the filter options as desired.
   Note: If you change the name of the filter you are editing, a new filter with that
   name is created when you click Save and Apply Filter. The initial filter you
   selected will not be deleted or modified.
3. Click Save and Apply Filter.
To delete a saved filter
1. From the Filter Options tab, select the filter's name from the Load Filter
   dropdown, then click Load.
2. Click Delete Filter.
Viewing Different Columns of Data for All Threat Alerts
You can choose different columns of data to view for the list of all threat alerts by
using the Column View Options tab.
Note: Column options are not saved with filters. Saved filters use the default
column set.
To choose a column
1. From the Threat console, select >>, then select the Column View Options tab.
2. Select the data that you want to show.
3. Click Apply View Choices. The list of threat alerts appears with the data you
   selected.
Viewing Details about a Threat Alert
From the Threat console, you can view details about a threat alert.
To view details about a threat alert
1. From the Threat console, click the name of a threat alert.
2. Select individual tabs to view detailed information about the threat alert.
Main Tab
The Main tab displays the description of the threat alert.
Threat Lifecycle Tab
The Threat Lifecycle tab displays a graph that shows the current phase the threat is
at within the threat lifecycle: Advisory, Exploit Discovered, and Threat Active in Wild.
Note that these phases can occur in any order. Each of these phases has an
associated probability of incident (likelihood that you will be affected if the threat is
actionable).
The following events are also displayed on the threat lifecycle graph:
• At Risk: The date it was determined that your network was at risk of
  exposure from the threat.
• Patch Available: The date it was determined that your network was no
  longer at risk of exposure from the threat.
• Fixed: The date it was determined that your network was no longer at risk
  of exposure from the threat.
Exposure Tab
The Exposure tab displays a graph that depicts the system's exposure based on the
financial and operational impact on the affected assets based on this threat.
Assets Tab
The Assets tab displays the number of assets at risk for this threat, that is, the
number of assets to which the system was able to correlate the threat. It also
displays each asset's financial and operational impact.
Note: If you are a member of the Super User group, then all assets are displayed.
Otherwise, only assets within the range of the network permissions of the groups to
which you belong are displayed.
Tasks Tab
The Tasks tab displays the remediation tasks associated with the threat.
Note: If you are a member of the Super User group, then all applicable remediation
tasks are displayed. Otherwise, only applicable remediation tasks associated with
hosts that are within the range of the network permissions of the groups to which
you belong are displayed.
Viewing Assets Details
The Asset Summary screen displays the issues (vulnerabilities and policy violations)
as well as service information for the asset. To access this screen, click an asset's
name or IP address in any area where these fields are active. For example, select
the Threat Details > Assets tab, and then select the desired asset's Name or IP
Address.
Note: If you are a member of the Super User group, then all tasks are displayed.
Otherwise, only tasks associated with hosts that are within the range of the
networks to which you are associated via your user group(s) are displayed.
If an issue contains coalesced vulnerabilities, the descriptions and solutions for that
issue will be grouped by scanner name and the associated test ID and test name. In
addition, if some of the coalesced vulnerabilities were not found again during the
latest assessment, they are listed under Previously Found. If they were found (or
found again) during the latest assessment, they are listed under Found.
Working with the Remediation Console
The Remediation console displays a Latest Tasks tab and a My Tasks tab. From
these tabs, you can access the Remediation Management and Remediation Update
screens. See Remediations (on page 165) for details about the remediation
management. To view details about a remediation task, click a task's name (see
Viewing Details about a Remediation (on page 176)).
Latest Tasks
The Latest Tasks console displays the five latest remediation tasks with a status of
Unassigned, Assigned, False Positive, or Accepted Risk, listed in descending order
by date found, followed by priority in descending order, followed by Issue ID in
ascending order. This list can be additionally filtered by the active Enterprise Group.
Note: If you are a member of the Super User group, then all applicable remediation
tasks are displayed. Otherwise, only applicable remediation tasks associated with
hosts that are within the range of the network permissions of the groups to which
you belong are displayed.
Select the details tab » to view the Remediation Management screen where you
can view and assign the task as well as view its status. Note that tasks are
automatically filtered by the active Enterprise Group when the Remediation
Management screen is accessed in this way.
Note: You might see MAT Rule Violation tasks with the same name displayed more
than once in Latest Task portlet. However, after viewing the descriptions for the
tasks, you will see that they are unique tasks. This can happen if, for example, the
MAT schedule does not match the schedule specified in the MAT Rule, and the task
is overdue. In this case, two remediation tasks are generated: one task with the
description, “Your manual audit task is missing either a schedule or a user”; and one
with the description specified by the rule (for example, "You must review your
Security Policy").
My Tasks
The My Tasks console displays the five highest priority tasks in descending order by
date found, assigned to you (the logged in user), that have a status of Assigned,
False Positive, or Accepted Risk. Select the details tab » to view the Remediation
Update screen where you can update the status of your tasks.
Working with the Assessment Console
The Assessment console presents the latest assessments conducted. Assessments
that have been hidden are not displayed (see Hiding and Un-hiding Assessment
Statuses (on page 144)). To view all assessments, select the details tab ».
Note: If you are a member of the Super User group, then all applicable assessments
are displayed. Otherwise, only applicable assessments associated with network
groups made up completely of networks that are within the range of the network
permissions of the groups to which you belong are displayed.
To view details about an assessment, click View Details for the desired
assessment.
Managing Enterprise Groups
Use an Enterprise Group to specify which assessment configurations you want
Preventsys to include results from and which ones you want ignored. For example,
if you create a test network and do not want assessment data from it displayed or
utilized, you can create an enterprise group that does not include any of the
assessment configurations associated with that test network.
When an Enterprise Group is activated, Preventsys selects the latest analysis for
each policy/network group combination from the latest version of each assessment
configuration in the active Enterprise Group, and then only uses those analyses that
correspond to the policies currently selected in those assessment configurations.
For example, create an assessment configuration with two policies. When that
assessment configuration is run, it will result in two analyses (one for each policy).
Now edit that assessment configuration such that only one of those policies is now
selected. Preventsys will now only use the analysis associated with the policy that is
still selected. If both policies are unselected, then no analyses are used.
If you do not have an active Enterprise Group, Preventsys will use the results from
the latest analysis for each policy/network group combination from the latest version
of each assessment configuration in the system, rather than just the subset defined
in an enterprise group.
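The selection described in the three paragraphs above (latest version of each assessment configuration, latest analysis per policy/network group combination, only currently selected policies, all configurations when no group is active), as an added Python model that is not product code. The record layout and the sample configurations and analyses are constructed for the example; it also assumes that unselecting a policy in a configuration does not create a new version.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AssessmentConfig:
    name: str
    version: int
    network_group: str
    selected_policies: frozenset     # policies currently selected in the config


@dataclass(frozen=True)
class Analysis:
    config_name: str
    config_version: int
    policy: str
    network_group: str
    performed_at: str                # ISO date; compares correctly as a string


def latest_configs(configs: Iterable[AssessmentConfig]) -> Dict[str, AssessmentConfig]:
    """Latest version of each assessment configuration, keyed by name."""
    latest: Dict[str, AssessmentConfig] = {}
    for cfg in configs:
        if cfg.name not in latest or cfg.version > latest[cfg.name].version:
            latest[cfg.name] = cfg
    return latest


def select_analyses(configs: Iterable[AssessmentConfig],
                    analyses: Iterable[Analysis],
                    enterprise_group: Optional[Set[str]] = None) -> List[Analysis]:
    """Return the analyses the Dashboard would use.

    enterprise_group holds the names of the assessment configurations in the
    active Enterprise Group; None means no group is active, so every
    configuration in the system is in scope (the guide's default).
    """
    in_scope = latest_configs(configs)
    if enterprise_group is not None:
        in_scope = {n: c for n, c in in_scope.items() if n in enterprise_group}

    chosen: Dict[Tuple[str, str, str], Analysis] = {}
    for a in analyses:
        cfg = in_scope.get(a.config_name)
        if cfg is None or a.config_version != cfg.version:
            continue        # not from the latest version of an in-scope config
        if a.policy not in cfg.selected_policies:
            continue        # policy has since been unselected in the config
        key = (a.config_name, a.policy, a.network_group)
        if key not in chosen or a.performed_at > chosen[key].performed_at:
            chosen[key] = a  # keep only the latest analysis per combination
    return sorted(chosen.values(), key=lambda x: (x.config_name, x.policy))


# Constructed sample data (not from the guide).
CONFIGS = [
    AssessmentConfig("Prod-Weekly", 1, "Production", frozenset({"PCI", "SOX"})),
    # v2 originally ran with both policies; SOX was later unselected and, in this
    # model, that edit did not create a new version (assumption).
    AssessmentConfig("Prod-Weekly", 2, "Production", frozenset({"PCI"})),
    AssessmentConfig("Lab-Scan", 1, "TestLab", frozenset({"PCI"})),
]
ANALYSES = [
    Analysis("Prod-Weekly", 1, "PCI", "Production", "2007-01-07"),
    Analysis("Prod-Weekly", 1, "SOX", "Production", "2007-01-07"),
    Analysis("Prod-Weekly", 2, "PCI", "Production", "2007-02-01"),
    Analysis("Prod-Weekly", 2, "SOX", "Production", "2007-02-01"),
    Analysis("Prod-Weekly", 2, "PCI", "Production", "2007-02-08"),
    Analysis("Lab-Scan", 1, "PCI", "TestLab", "2007-02-05"),
]


def demo() -> Tuple[List[Analysis], List[Analysis]]:
    """Return (selection with 'Prod-Weekly' group active, selection with no group)."""
    active = select_analyses(CONFIGS, ANALYSES, enterprise_group={"Prod-Weekly"})
    default = select_analyses(CONFIGS, ANALYSES)
    return active, default


if __name__ == "__main__":
    active, default = demo()
    for a in active:
        print("active group:", a.config_name, a.policy, a.performed_at)
    for a in default:
        print("no group:   ", a.config_name, a.policy, a.performed_at)
```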
Several areas in Preventsys are Enterprise Group centric, and therefore use the
query described in the previous paragraphs to determine what data is displayed as
well as what data is used in calculations whose results are displayed. The following
areas are considered enterprise group centric.
• Top Threats: Actionability is determined based on enterprise group
• Latest Threats: Actionability is determined based on enterprise group
• All Threats: Actionability is determined based on enterprise group (filter option
  available to see actionability not based on enterprise group)
• Threat Details Exposure Tab: Graph calculated based on enterprise group
• Latest Tasks: Tasks displayed based on enterprise group
• Asset Summary: Tasks displayed based on enterprise group
• Enterprise Group Summary Report: Calculated based on enterprise group;
  includes the Enterprise Compliance pie chart and trending graph on the
  Dashboard
• Exposure Summary: Calculated based on enterprise group; includes the
  Exposure graph on the Dashboard
All enterprise group administration is conducted from the Enterprise Groups
Management screen.
To access the Enterprise Groups Management screen
• From the Preventsys menu, select Assessments > Enterprise Groups.
  The Enterprise Groups Management screen appears.
From the Enterprise Groups Management screen, you can add new groups, copy and
edit existing groups, activate a group, and delete groups.
Note: If you are a member of the Super User group, then all enterprise groups are
displayed. Otherwise, only enterprise groups, made up completely of assessment
configurations, associated with network groups, made up completely of networks
that are within the range of the network permissions of the groups to which you
belong are displayed.
Creating an Enterprise Group
Create an enterprise group when you want to define which assessments Preventsys
will use to display data on the Dashboard. You can create multiple enterprise groups,
however only one group can be active at a time. Remember that if you do not create
and activate your own enterprise group, Preventsys will use all assessments as the
default.
When an enterprise group is activated, only the latest analysis for each
policy/network group combination from the latest version of each assessment
configuration in the enterprise group are utilized.
To add an enterprise group
1. From the Preventsys menu, select Assessments > Enterprise Groups, then click
   Add Enterprise Group. The Add Enterprise Group screen appears.
2. In the Group Name text box, enter the name you want to give the group (100
   characters maximum, must be unique).
3. In the Description text box, enter a description for the group (256 characters
   maximum).
4. Under Assessment Configurations, select the available assessment
   configurations that you want in the enterprise group.
   Note: If you are a member of the Super User group, then all assessment
   configurations are displayed. Otherwise, only assessment configurations
   associated with network groups made up completely of networks that are within
   the range of the network permissions of the groups to which you belong are
   displayed.
5. To save your settings, click Submit. Remember that you must activate the
   group before it can be utilized.
Editing an Enterprise Group
To edit an enterprise group
1. From the Preventsys menu, select Assessments > Enterprise Groups, then click
   Edit for the group you want to modify. The Edit Enterprise Group screen
   appears.
2. Edit the group as desired.
3. To save your changes, click Submit.
Activating and Deactivating an Enterprise Group
After you create an enterprise group, it must be activated before it can be utilized by
Preventsys. Remember that you can create multiple enterprise groups, however
only one group can be active at a time. If you do not activate an enterprise group,
Preventsys will use all the assessments as the default.
To activate or deactivate an enterprise group
1. From the Preventsys menu, select Assessments > Enterprise Groups, then click
   Activate for the group you want activated. A confirmation pop-up box appears.
2. To activate the group, click OK. The group is activated, the icon changes color,
   and the Activate option changes to Deactivate. The data displayed on the ES
   Dashboard will now be filtered by this group.
3. To deactivate a group, click Deactivate for the group you want deactivated. A
   confirmation pop-up box appears.
4. To deactivate the group, click OK.
Chapter 12
Reports
Preventsys provides many reports that allow you to view the state of your networks
with respect to policy violations, vulnerabilities, remediation tasks, and general
compliance on a per analysis basis. An analysis is generated after an assessment
has completed and will only be created if a policy was selected.
An assessment generates one analysis for each policy applied to the assessment, so
a single assessment can potentially generate multiple analyses. The analysis
includes facts found about the assets assessed as well as policy violations and
vulnerabilities. Each Analysis includes the assessment configuration name, policy
name and version, network group, and a date and time indicating when the
assessment was performed. Many of these reports also provide trending data
between two like analyses (analyses that used the same assessment configuration).
Report Types
The following are brief summaries about the different reports offered in Preventsys.
For details, refer to their individual sections in this chapter.
• Executive Summary: The Executive Summary reports provide a detailed
  overview of the assessed network group with differential trending analysis. This
  is an ideal starting point for reviewing new assessment results. The Asset
  Details reports can also be accessed from this report by clicking on a specific
  asset.
• Enterprise Group Summary: The Enterprise Group Summary report,
  accessible via the Executive Compliance and Enterprise Trending Dashboard
  consoles, is enterprise group centric and therefore shows the aggregated results
  based on the active enterprise group (see Managing Enterprise Groups (on page
  233)).
• Administrator: The Administrator overview lists all administrators, providing
  the email address and network group assignments for each.
• Network Group: The Network Group reports provide detailed information
  about the network groups included in the selected assessment.
• Network: The Network reports provide in-depth information about a selected
  network, including a table listing all assets on the selected network, along with
  their IP addresses, operating systems, number of policy violations, and number
  of vulnerabilities. This is an ideal report for reviewing the status of an individual
  network.
• Assets: The Assets reports are similar to the Network reports except you can
  filter the report by a specific host in the network group. The Asset Details report
  can also be accessed from this report.
• Asset Details: The Asset Details reports provide detailed information about a selected asset, listing its IP address, operating system, network association, administrators, services, policy violations, and vulnerabilities. This is the definitive report for reviewing the status of an individual asset. The Chronological View report can also be accessed from this report.
• Chronological View: The Chronological View (accessible from the Asset Details Standard Report) provides detailed information about scan analysis, vulnerability history, administrator history, and network association specific to a selected asset. This is an ideal report for reviewing the history of an individual asset.
• Operating System: The Operating System reports provide in-depth information about all assets utilizing a selected operating system in the assessed network group. This is an ideal report for reviewing the status of all assets running a selected operating system.
• Task: The Task Standard and Trending reports provide snapshot and trending information about all remediation tasks addressing policy violations and vulnerabilities in the assessed network group. This is the definitive report for tracking remediation status and effectiveness.
• Task Aging Summary: The Aging Summary provides information about overdue remediation tasks within the active enterprise group, including the number of days since each issue was found and the number of days since the task was assigned.
• Task Rollup by Violation and Vulnerability: The rollup reports provide the number of remediation tasks by vulnerability type and by violation type for each network group in the active enterprise group.
• Task Recipient: The Task Recipient reports provide current information about the status of remediation tasks assigned to specific administrators.
• Compliance: The Compliance report presents basic compliance data derived from the number of violations, rules, and assets associated with the selected analysis.
• Comparative Compliance: The Comparative Compliance report allows you to compare multiple analyses and review multiple report/analysis combinations at once.
• Exposure: The Exposure report identifies how long individual vulnerabilities and policy violations were active on the assessed network group. This is a critical report for analyzing the potential risk associated with detected policy violations and vulnerabilities.
• Services: The Services reports provide in-depth information about all services detected on the assessed network group, identifying all assets running the selected service. This is an ideal report for reviewing the usage of a particular service.
Working with the Report Filter
Use the Report Context, which appears at the top of most reports, to select the
analysis for which you want to view information. Use the Report Context Filter to
filter the list of analyses displayed in the Report Context. An Analysis is generated
after an assessment is run. An assessment will generate one Analysis for each
policy applied to the assessment, so a single assessment can potentially generate
multiple Analyses. Each Analysis includes the assessment configuration name,
policy name and version, network group, and a date and time indicating when the
assessment was performed.
Note: An analysis always includes a policy. Therefore, if you do not select a policy
when you configure your assessment, the results of that assessment will not be
displayed in the Report Context.
Preventsys automatically sets the defaults for the Report Context and the Report
Context Filter based on the latest analysis conducted.
Figure 21: Sample report context for a standard report
Note: If you are a member of the Super User group, then all applicable assessments are displayed. Otherwise, only applicable assessments whose network groups are made up completely of networks within the range of the network permissions of the groups to which you belong are displayed.
For Trending reports, the Report Context includes both a Starting Analysis and an
Ending Analysis selection, which you can use to view differential data between the
two analyses.
Figure 22: Sample report context for a trending report
Note: Selecting a Starting Analysis that used different scanners than the Ending Analysis may produce inconsistent results in the number and types of vulnerabilities and policy violations reported.
The Report Context can be changed by selecting Modify Filter. The Report Context
Filter screen is displayed, which consists of a Date Filter (Starting Date and Ending
Date), a Policy Filter, and a Network Group Filter.
Note: If you are a member of the Super User group, then all network groups are
displayed in the Network Group Filter dropdown list. Otherwise, network groups
made up completely of networks that are within the range of the network
permissions of the groups to which you belong are displayed.
Figure 23: Report Context Filter screen showing sample selections
When you select a report for the first time, Preventsys automatically sets the Report
Context Filter and the Report Context as described in the following sections.
System Default for the Report Context Filter
The Report Context Filter is automatically configured based on the latest analysis and
the associated policy and network group.
• Ending Date: Defaults to the date of the latest analysis.
• Starting Date: Defaults to the date on which the earliest equivalent analysis was completed. Equivalent analyses are those where the assessment configuration name, policy name, and network group are the same; the version of the policy, however, can be different.
Note: The Start Date and End Date can be the same if the completion date of the earliest equivalent analysis is the same as the completion date of the latest analysis.
• Policy: The list defaults to all policies that were applied between the Start and End Dates. The Policy associated with the latest analysis is automatically selected.
• Network Group: The list defaults to all network groups that the selected Policy was applied to between the Start and End Dates. The Network Group associated with the latest analysis is automatically selected.
System Default for the Report Context
The Report Context is automatically configured based on the default Report Context
Filter settings. For Standard Reports, the latest analysis is automatically selected,
and the Analysis dropdown list is populated with all equivalent analyses that occurred
during the selected Start and End Dates.
For Trending Reports, the latest analysis is automatically selected for the Ending
Analysis, and the dropdown list is populated with all equivalent analyses whose
analysis date is equal to or greater than the earliest equivalent analysis (the analysis
selected for the Starting Analysis).
The earliest equivalent analysis is automatically selected for the Starting Analysis,
and the dropdown list is populated with all equivalent analyses whose analysis date
is equal to or less than the latest equivalent analysis (the analysis selected for the
Ending Analysis).
Preventsys continues to use the default Report Context Filter and the Report Context
until you modify the filter.
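As an added example, not part of the McAfee manual or of the product's own code, the following Python sketch implements the defaulting rules described above (latest analysis, equivalent analyses, Start and End Dates, the Policy and Network Group lists, and the Standard and Trending selections) together with the Super User and network-permission visibility rule from the notes in this section. The Analysis record, the configuration, policy and network group names, and the sample data are constructed for illustration; the manual does not say how network permissions are stored, so expressing both the networks in a network group and the permitted ranges as CIDR strings is an assumption.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class Analysis:
    """One analysis: an assessment configuration run against a network group with one policy."""
    config_name: str
    policy_name: str
    policy_version: int
    network_group: str
    completed: date


def equivalent(a, b):
    """Equivalent analyses share configuration name, policy name and network group;
    the policy version may differ."""
    return (a.config_name, a.policy_name, a.network_group) == (
        b.config_name, b.policy_name, b.network_group)


def default_report_context(analyses):
    """Compute the system default Report Context Filter and Report Context.

    Returns None when there is no analysis (an assessment run without a policy
    produces none and so never appears in the Report Context)."""
    if not analyses:
        return None
    latest = max(analyses, key=lambda a: a.completed)
    equiv = sorted((a for a in analyses if equivalent(a, latest)), key=lambda a: a.completed)
    earliest = equiv[0]
    start, end = earliest.completed, latest.completed   # may be the same day
    in_range = [a for a in analyses if start <= a.completed <= end]
    return {
        "start": start,
        "end": end,
        # Policy list: every policy applied between start and end; latest one selected
        "policies": sorted({a.policy_name for a in in_range}),
        "policy": latest.policy_name,
        # Network Group list: every group the selected policy was applied to in range
        "network_groups": sorted({a.network_group for a in in_range
                                  if a.policy_name == latest.policy_name}),
        "network_group": latest.network_group,
        # Standard report: latest analysis selected, all equivalents offered
        "standard": {"selected": latest, "choices": equiv},
        # Trending report: earliest equivalent as Starting, latest as Ending
        "trending": {
            "starting": earliest,
            "starting_choices": [a for a in equiv if a.completed <= latest.completed],
            "ending": latest,
            "ending_choices": [a for a in equiv if a.completed >= earliest.completed],
        },
    }


def visible_network_groups(is_super_user, user_groups, group_permissions, network_groups):
    """Super Users see every network group; other users see only groups whose
    networks all fall inside the network permissions of a group they belong to.
    Permissions and networks are CIDR strings (assumed representation)."""
    if is_super_user:
        return sorted(network_groups)
    permitted = [ipaddress.ip_network(r)
                 for g in user_groups for r in group_permissions.get(g, ())]

    def covered(cidr):
        net = ipaddress.ip_network(cidr)
        return any(net.version == p.version and net.subnet_of(p) for p in permitted)

    return sorted(name for name, nets in network_groups.items()
                  if all(covered(n) for n in nets))


# Constructed sample data (hypothetical names, not from the manual)
ANALYSES = [
    Analysis("cfg-dmz", "Baseline", 1, "dmz", date(2007, 1, 5)),
    Analysis("cfg-dmz", "Baseline", 2, "dmz", date(2007, 3, 1)),   # latest
    Analysis("cfg-dmz", "PCI", 1, "dmz", date(2007, 2, 5)),
    Analysis("cfg-core", "Baseline", 1, "core", date(2007, 1, 20)),
]
NETWORK_GROUPS = {
    "dmz": ["203.0.113.0/24"],
    "core": ["10.1.0.0/24", "10.1.1.0/24"],
    "mixed": ["10.1.2.0/24", "203.0.113.0/24"],
}
GROUP_PERMISSIONS = {"ops": ["10.1.0.0/16"], "dmz-admins": ["203.0.113.0/24"]}

if __name__ == "__main__":
    ctx = default_report_context(ANALYSES)
    print(ctx["start"], ctx["end"], ctx["policy"], ctx["network_group"])
    print(visible_network_groups(False, ["ops"], GROUP_PERMISSIONS, NETWORK_GROUPS))
```

With the sample data the filter defaults to 2007-01-05 through 2007-03-01 (the earliest and latest Baseline analyses of cfg-dmz), the Policy list offers Baseline and PCI, and a user whose only group is ops sees the core network group but not mixed, because one of mixed's networks lies outside the 10.1.0.0/16 permission.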
Modifying the Report Context Filter
To modify the report context filter
1. Click Modify Filter on any report that displays the report context. The Report Context Filter screen appears.
2. In the Starting Date and Ending Date text boxes, enter the date range in which you want to view results.
3. In the Policy drop-down list, select the policy for which you want to view results. This list only contains those policies that were applied to an assessment between the selected Starting and Ending Dates.
4. In the Network Group drop-down list, select the network group for which you want to view results. This list only displays those network groups to which the selected Policy was applied during the specified date range.
Note: If you are a member of the Super User group, then all network groups are displayed. Otherwise, only network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
5. To apply the filter, click Apply Filter.
The Report Context displays all analyses that match the Report Context Filter settings.
On the Report Context, Preventsys automatically selects the latest analysis for you. For Trending reports, the earliest equivalent analysis is selected as the Starting Analysis.
Note: On Trending Reports, the analysis you select for the Ending Analysis is
driven by what you select for the Starting Analysis. The Ending Analysis will
always be equal to or greater than the date of the analysis selected for the
Starting Analysis. By default, the latest analysis will automatically be selected as
the Ending Analysis and the earliest equivalent analysis will automatically be
selected as the Starting Analysis.
How Preventsys Calculates Compliance
Preventsys uses a violation centric algorithm to determine the compliance of your
assets. Details about the data and formulas Preventsys uses to calculate asset
compliance are provided in this section.
Useful Terms
Please review the following terms before continuing with this section.
• Number of Assets: The total de-duplicated number of assets for a given grouping (network, network group, enterprise group).
• Distinct Rules: A count of all unique rules that can yield policy violations. The two rule types that can create policy violations are Violation of Network Policy and Host Compromised; therefore, they are the only types counted.
• Asset Violations: The count of all unique asset violations for the given grouping of assets (for example, individual asset, network, network group, executive summary, enterprise group). Note that on Executive Summary and Executive Trending reports the grouping is actually by network group. On the Enterprise reports, the grouping is all network groups in the enterprise group.
• Possible Asset Violations: A count of all possible asset violations that can be generated for the set of assessments being considered; it is used as a component of the denominator in several calculations. This value is calculated using the formula: Distinct Rules * Number of Assets.
• MAT Violations: The count of all violations associated with manual audit tasks. It is important to understand that MAT violations are not associated with assets and therefore do not belong in any report that is purely asset-group based. For example, the Asset Details, Network, and Network Group reports are all purely asset based and therefore do not include MAT violations. On the other hand, the Executive Summary and Enterprise reports are assessment based and include MAT violations.
• Possible MAT Violations: A count of all possible MAT violations that can be generated; it is used as a component of the denominator in several calculations. Due to the nature of MAT policy rules, the formula for calculating possible MAT violations is somewhat complex.
• Latest Distinct Analysis: The latest analysis for each unique policy/network group combination for which there is currently both an associated network group and policy selected in the assessment configuration.
When the assessing phase of an assessment is conducted, the returned scan result is for the network group selected in the associated assessment configuration. When the analyzing phase is conducted, a separate analysis is returned for each policy selected in the associated assessment configuration. To determine the latest distinct analyses for an assessment configuration, Preventsys looks at the policies and the network group selected in the assessment configuration and then gathers the latest analysis for each of those policies for that network group and assessment configuration.
For example, assessment_config1 has networkgrp1 and two policies selected. Therefore, when an assessment is run using assessment_config1, a scan result for networkgrp1 and two analyses (one for each policy selected) will result. If assessment_config1 is then edited such that one of the two policies is deselected, leaving only one policy selected, only the analysis associated with the policy still selected will be used. Note that if both policies are deselected, then no analyses are used.
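The selection rule just described, as an added example in Python that is not part of the manual or the product: it keeps, for each configuration, policy and network group combination, only the most recent analysis, and drops combinations whose policy has since been deselected or whose network group has changed. The configuration record shape, the policy names policy1 and policy2, and the run dates are constructed to mirror the assessment_config1 example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Analysis:
    config_name: str
    policy_name: str
    network_group: str
    completed: date


def latest_distinct_analyses(configs, analyses):
    """Latest analysis per (configuration, policy, network group), keeping only
    combinations that are still selected in the configuration as saved now.

    configs maps an assessment configuration name to its current
    {"network_group": str, "policies": set of policy names}."""
    latest = {}
    for a in analyses:
        cfg = configs.get(a.config_name)
        if cfg is None:
            continue   # configuration no longer exists
        if a.network_group != cfg["network_group"] or a.policy_name not in cfg["policies"]:
            continue   # policy deselected or network group changed since this run
        key = (a.config_name, a.policy_name, a.network_group)
        if key not in latest or a.completed > latest[key].completed:
            latest[key] = a
    return latest


def deselect_policy(configs, config_name, policy_name):
    """Return a copy of configs with one policy removed from a configuration,
    modelling the edit described in the manual's example."""
    cfg = configs[config_name]
    return {**configs, config_name: {**cfg, "policies": cfg["policies"] - {policy_name}}}


# Constructed sample mirroring the manual's example: assessment_config1 ran
# twice against networkgrp1 with two policies (names policy1/policy2 assumed).
CONFIGS = {"assessment_config1": {"network_group": "networkgrp1",
                                  "policies": {"policy1", "policy2"}}}
ANALYSES = [
    Analysis("assessment_config1", "policy1", "networkgrp1", date(2007, 1, 10)),
    Analysis("assessment_config1", "policy2", "networkgrp1", date(2007, 1, 10)),
    Analysis("assessment_config1", "policy1", "networkgrp1", date(2007, 2, 10)),
    Analysis("assessment_config1", "policy2", "networkgrp1", date(2007, 2, 10)),
]

if __name__ == "__main__":
    print(len(latest_distinct_analyses(CONFIGS, ANALYSES)), "analyses used")
    one = deselect_policy(CONFIGS, "assessment_config1", "policy2")
    print(len(latest_distinct_analyses(one, ANALYSES)), "after deselecting policy2")
```

With both policies selected the function returns the two February analyses; after policy2 is deselected only the policy1 analysis remains, and with both deselected nothing is used, matching the three cases in the example.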
Compliance Formulas
Average Compliance is the default formula used by Preventsys and is based on an
average percentage of compliance using violations only. Boolean Compliance is an
optional formula, which counts the number of assets that are 100% compliant (do
not have any violations or vulnerabilities) and divides by the number of total assets.
Therefore, if at least one violation or vulnerability is found for an asset, that asset is
considered noncompliant. The Boolean formula must be turned on by modifying
certain files and doing a redeploy. Contact McAfee Support for details. The
following table describes the compliance formulas used by Preventsys.
Average Compliance Formulas

Asset Compliance
Definition: Asset compliance is calculated from distinct violations; vulnerabilities are not considered.
Equation: (asset violations) / (possible asset violations)
Reports: Asset Details

Network Compliance*
Definition: Average compliance for all assets that lie within the specified network for a given analysis.
Equation: Sum(asset compliance) / (number of assets)
Reports: Network, Asset Standard

Network Group Compliance*
Definition: Average compliance for each asset considered to be in the network group. Note that only distinct violations are counted.
Equation: Sum(asset compliance) / (number of assets)
Reports: Network Group, Comparative Compliance, Operating System

Total Compliance**
Definition: Includes both asset and MAT based violations. Note that the Executive reports consider a single network group and policy combination, while the Enterprise Group Summary may contain multiple.
Equation: (Sum(asset violations) + Sum(MAT violations)) / ((possible asset violations * number of assets) + (possible MAT violations))
Reports: Enterprise Group Summary*, Executive Summary**

*Applied against all Latest Distinct Analyses based on the latest version of each assessment configuration in the active enterprise group. If there is no active enterprise group, then it is applied based on the latest version of each assessment configuration.
**A network group can be considered non-compliant if there are MAT violations even if its individual assets do not show any policy violations, because MAT violations are network group based, not host based. For example, suppose you scanned a single host that produced no vulnerabilities or policy violations, but three MAT violations were created. The Executive Summary pie chart will display the network group as non-compliant, while the bar chart will display Compliant = 1 because it is host based.
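The formulas above worked through in Python, as an added example that is not part of the manual or the product. The asset names, rule names, violation and vulnerability counts are constructed; Possible Asset Violations follows the Useful Terms definition (Distinct Rules * Number of Assets). Three points are the editor's reading rather than the manual's statement and are marked as such in the code: each equation is written in the manual as a violations-to-possible ratio, and this example reports compliance as one minus that ratio so a clean asset scores 100%; the possible MAT violation count is taken as an input because the manual says its formula is complex and does not give it; and the bar chart's per-host Compliant figure is taken to count hosts with zero violations.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    network: str
    violations: frozenset   # distinct rule names this asset violates
    vulnerabilities: int = 0


# Constructed sample data; rule names are hypothetical. The policy has four
# rules of the two types that can raise violations (Violation of Network
# Policy, Host Compromised), so Distinct Rules = 4.
DISTINCT_RULES = 4
ASSETS = [
    Asset("web01", "dmz", frozenset({"no-telnet", "host-compromised"}), vulnerabilities=3),
    Asset("web02", "dmz", frozenset(), vulnerabilities=1),
    Asset("db01", "internal", frozenset({"no-telnet"})),
    Asset("db02", "internal", frozenset()),
]


def number_of_assets(assets):
    """De-duplicated asset count for a grouping (keyed on asset name here)."""
    return len({a.name for a in assets})


def possible_asset_violations(assets, distinct_rules):
    """Distinct Rules * Number of Assets."""
    return distinct_rules * number_of_assets(assets)


def asset_compliance(asset, distinct_rules):
    """Asset Compliance: (asset violations) / (possible asset violations) for one
    asset, reported here as 1 - ratio so a clean asset scores 1.0 (editor's
    reading of the manual's ratio). Vulnerabilities are not considered."""
    return 1.0 - len(asset.violations) / possible_asset_violations([asset], distinct_rules)


def average_compliance(assets, distinct_rules):
    """Network / Network Group Compliance: Sum(asset compliance) / (number of assets)."""
    assets = list(assets)
    return sum(asset_compliance(a, distinct_rules) for a in assets) / number_of_assets(assets)


def boolean_compliance(assets):
    """Optional Boolean formula: an asset counts as compliant only if it has no
    violations and no vulnerabilities; result is compliant assets / total assets."""
    assets = list(assets)
    clean = {a.name for a in assets if not a.violations and a.vulnerabilities == 0}
    return len(clean) / number_of_assets(assets)


def total_compliance(assets, distinct_rules, mat_violations, possible_mat_violations):
    """Total Compliance (Executive Summary, Enterprise Group Summary): asset and
    MAT violations over possible asset plus possible MAT violations. The manual
    calls the possible-MAT formula complex and does not give it, so it is an input."""
    assets = list(assets)
    observed = sum(len(a.violations) for a in assets) + mat_violations
    possible = possible_asset_violations(assets, distinct_rules) + possible_mat_violations
    return 1.0 - observed / possible


def executive_summary(assets, distinct_rules, mat_violations, possible_mat_violations):
    """Reproduce the footnote: the pie chart follows Total Compliance (MAT
    included) while the bar chart's Compliant figure is a per-host count that
    ignores MAT violations (assumed: a host with zero violations is compliant)."""
    assets = list(assets)
    return {
        "pie_compliance": total_compliance(assets, distinct_rules,
                                           mat_violations, possible_mat_violations),
        "bar_compliant_assets": sum(1 for a in assets if not a.violations),
        "total_assets": number_of_assets(assets),
    }


if __name__ == "__main__":
    dmz = [a for a in ASSETS if a.network == "dmz"]
    print("dmz network compliance:", average_compliance(dmz, DISTINCT_RULES))
    print("network group compliance:", average_compliance(ASSETS, DISTINCT_RULES))
    print("boolean compliance:", boolean_compliance(ASSETS))
    # Footnote case: one clean host, three MAT violations out of three possible
    print(executive_summary([Asset("h1", "n", frozenset())], DISTINCT_RULES, 3, 3))
```

The sample shows why the two formulas disagree: under the average formula the four assets score 81.25% (web02's vulnerability is ignored), while the Boolean formula counts only db02 as compliant, 25%. The footnote case gives a pie chart at 4/7 (non-compliant) beside a bar chart reporting one compliant host.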
Navigating Between Reports
When moving from a Trending report to a Standard report, the Ending analysis
selected in the Trending report becomes the analysis selected on the Standard
report. The same Report Context Filter settings are applied that were set on the
Trending report.
When moving from a Standard report to a Trending report, the analysis selected on
the Standard report becomes the Ending analysis selected on the Trending report
(that is the latest analysis). The Starting Analysis dropdown list is automatically
populated with all analyses whose analysis date is equal to or earlier than the
selected Ending Analysis. The analysis with the earliest analysis date is automatically
selected for you. The same Report Context Filter settings are applied that were set
on the Standard report.
Filtering Reports by Asset
Selected Asset reports and Network Group reports feature a Narrow by Asset control
that may be used to refine the data included in these reports based upon IP
addresses or asset name substrings. After entering an IP address or substring
and clicking Refresh, the report is redisplayed based on only those assets that meet
the specified criteria.
Deleting the query entered in the Narrow by Asset field and clicking Refresh will
reset the filter and display all results based on the selected Analysis.
In the case of asset name substrings, wildcards may be used in the following manner:
• Entering comp* will return all asset names beginning with the letters comp, such as computer or company.
• Entering *comp* will return all asset names containing the letters comp, such as accompany.
In the case of IP address entry, CIDR notation may be used to refine the search in the following manner:
• 208.130.29.33/32 - The /32 prefix length returns only the IP address that matches all thirty-two bits of the specified address (that is, a host address matching a single IP address). An IP address without a trailing prefix length is treated as a single address.
• 208.130.29/24 - The /24 prefix length returns all IP addresses starting with the twenty-four bit prefix 208.130.29.
• 208.130.28/22 - The /22 prefix length also includes 208.130.29/24: in binary, 28 is 00011100 and 29 is 00011101, and with a 22-bit prefix length only the first 6 bits of the third byte are compared, which are the same for both. This prefix covers 208.130.28.0 through 208.130.31.255.
• 0.0.0.0/0 or 0/0 - The /0 prefix length is the shortest possible IP address prefix and matches any IP address.
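The matching rules above, as an added example in Python that is not the product's own filter code: it accepts the abbreviated prefixes the manual shows (208.130.29/24, 0/0), treats a bare address as a single host, and falls back to name matching when the text is not an address. The asset inventory is constructed, and one behaviour is an assumption the manual leaves open: a name query with no wildcard is matched as a case-insensitive substring.

```python
import fnmatch
import ipaddress

# Constructed sample inventory (hypothetical names and addresses)
ASSETS = [
    ("computer1", "208.130.29.33"),
    ("company-fs", "208.130.30.7"),
    ("accompany", "208.130.28.200"),
    ("dbserver", "10.0.0.5"),
]


def parse_prefix(text):
    """Parse the address forms the manual accepts: 208.130.29.33/32, 208.130.29/24,
    0/0, or a bare address (treated as a single host). Missing trailing octets are
    padded with zeros, so 208.130.29/24 becomes 208.130.29.0/24. Returns an
    ip_network, or None when the text is not an IPv4 address or prefix."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    octets += ["0"] * (4 - len(octets))
    if plen and not plen.isdigit():
        return None
    prefix = int(plen) if plen else 32
    if prefix > 32:
        return None
    # strict=False so host bits set in the address (e.g. 208.130.29.33/24) are masked off
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}", strict=False)


def narrow_by_asset(assets, query):
    """Filter (name, ip) pairs the way the Narrow by Asset control does:
    an empty query resets the filter, an address or CIDR prefix matches on IP,
    anything else matches the asset name (wildcards via fnmatch, otherwise a
    case-insensitive substring, an assumption the manual leaves open)."""
    q = query.strip()
    if not q:
        return list(assets)
    net = parse_prefix(q)
    if net is not None:
        return [a for a in assets if ipaddress.ip_address(a[1]) in net]
    if any(c in q for c in "*?"):
        return [a for a in assets if fnmatch.fnmatchcase(a[0].lower(), q.lower())]
    return [a for a in assets if q.lower() in a[0].lower()]


if __name__ == "__main__":
    for query in ("comp*", "*comp*", "208.130.29/24", "208.130.28/22", "0/0"):
        print(query, "->", [name for name, _ in narrow_by_asset(ASSETS, query)])
```

Note the /22 case: 208.130.28/22 returns the hosts at 208.130.29.33 and 208.130.30.7 as well as 208.130.28.200, because all three share the first 22 bits, while 208.130.29/24 returns only the first.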
Viewing Reports
This section describes what types of information are displayed on each report. To
view details about the assessment selected for the report, click Assessment
Details.
Executive Summary Report
The Executive Summary provides a detailed overview of the assessed network group
with information about compliance, asset data, and vulnerabilities and policy
violations.
Standard
The Standard Executive Summary report opens with a pie chart and a bar graph
indicating basic compliance information.
The Compliance Summary pie chart illustrates the percentage of compliant and
noncompliant assets in the selected Analysis. Compliance is calculated based on the
average compliance of all assets associated with the analysis selected for the report.
The accompanying bar chart indicates the number of violations, vulnerabilities,
compliant assets, total assets, and the total number of manual audit task rules
referenced in the policy.
The Report Summary table indicates the total number of assets, the total number of
assets that passed, the total number of assets that failed, and the total manual audit
task rules referenced in the policy.
The Vulnerabilities and Policy Violations table includes dated information about both
pending and resolved policy violations and vulnerabilities, along with the average
time to fix for resolved issues.
Note: If a subsequent assessment verifies remediation tasks found in the previous
assessment, the number of resolved vulnerabilities in the report for that previous
assessment will reflect that.
Figure 24: Sample Executive Summary Standard Report
Trending
The Trending Executive Summary also includes four graphs: Compliance Totals over Time, Asset Risk over Time, Issues and Remediations over Time, and Average Time to Fix.
The first graph on the Executive Summary Trending Report presents the total assets,
total noncompliant assets, and the total compliant assets for the analyses selected.
Figure 25: Sample of Executive Summary Trending report - Compliance
Totals over Time graph
The second graph on the trending version of the Executive Summary charts assets at
risk. This graph features the View By drop-down list, which you can use to switch
between Assets and Dollars. In Assets mode, this graph plots the severity level of
policy violations and vulnerabilities found on the network group. In Dollars mode,
this graph plots the severity of policy violations and vulnerabilities against the dollar
value of the affected assets.
Figure 26: Sample of Executive Summary Trending report - Asset Risk over
Time graph
The third graph on the trending version of the Executive Summary illustrates the total
number of vulnerabilities and policy violations found along with the number of
remedied vulnerabilities and policy violations.
Figure 27: Sample of Executive Summary Trending report - Issues and
Remediations over Time graph
The last graph on the trending version of the Executive Summary provides a graph
illustrating differential Average Time to Fix data.
Figure 28: Sample of Executive Summary Trending report - Average Time
to Fix graph
The Trend Report Summary table presents the total number of assets, the total
number of assets that passed, the total number of assets that failed, total services
running, total vulnerabilities, total new assets, total changed assets, the total manual
audit task new and existing rules referenced in the policy, the total Web servers, and
the total SSL Web Servers.
The Vulnerabilities/Violations table includes dated information from the two analyses
selected about both pending and resolved policy violations and vulnerabilities, along
with the average time to fix for resolved issues.
Figure 29: Sample of Executive Summary Trending report - Trend Report
Summary and Vulnerabilities/Violations tables
Enterprise Group Summary Report
The Enterprise Group Summary report, accessible via the Executive Summary
submenu, is Enterprise Group centric, and therefore shows aggregated results based
on the active Enterprise Group.
The Enterprise Group Summary report displays three areas of information: trends,
current compliance, and roll-up information per network group assessed. It is a blend
of trended data (the Trending Report graph) and the latest snapshot of compliance
information (Compliance Summary graph) as well as a table that displays the latest
information on a per network group based on the active Enterprise Group.
• Trending Report graph: Presents the trend of Total Assets, Compliant Assets, and Non-Compliant Assets. Again, this is based on the active Enterprise Group, so it represents aggregate information for the trends across all network groups in the active Enterprise Group.
• Compliance Summary pie chart: Presents the current, average compliance of assets. It represents aggregate compliance information across all network groups in the active Enterprise Group.
• Totals by Policy table: Presents all violations and all MAT violations per policy, with totals for each row and each column. This means that the total violations should match the sum of the violations from the last table, across all network groups.
• Totals by Network Group table: Presents totals of violations, vulnerabilities, and threats by network group. These values are the sum of all violations and vulnerabilities across all network group/policy combinations that are in the current enterprise group, with totals for each column.
• Totals by Network Group and Policy table: Presents the violations, vulnerabilities, and threats associated with the latest analysis by network group and policy. The number of violations and vulnerabilities link to the Network Group Standard report for that network group and policy. The number of threats links to the All Threats screen, which is pre-filtered to display the actionable threats for the network group.
Figure 30: Sample Enterprise Group Summary report
On the Enterprise Group Summary report, the active enterprise group is displayed
next to the report title following the word "viewing". This links to the Enterprise
Groups Management screen. If no enterprise group has been set, "All" is displayed
to signify that all assessment configurations are being considered.
Click the number of violations for a network group to display the latest Network
Group Standard report for that network group.
Click the number of vulnerabilities for a network group to display the latest Network
Group Standard report for that network group.
Under the Actionable Threats column, click the number of threats for the desired network group to display the All Threats page, pre-filtered by that network group. Note that this filtering happens in the background and therefore is not displayed in the Filter Options tab.
To view all threats, click Apply Filter. All threats will be displayed rather than just
those for the selected network group.
Click Save As PDF to generate a PDF version of the report.
Administrator Overview
The Administrator Overview report lists all administrators and their corresponding
network group assignments, as well as their email addresses.
An Administrator is any user belonging to a group (or groups) that has the Modify
Networks and Modify Assessment Configurations permissions. However, an
administrator will only be displayed on this report if the groups to which he or she
belongs also have network permissions for all the networks in a network group for
which an assessment has been run.
Note: If you are a member of the Super User group, then all network groups are
displayed. Otherwise, only network groups made up completely of networks that
are within the range of the network permissions of the groups to which you belong
are displayed.
Figure 31: Sample Administrator Overview report
Selecting a Network Group name will allow you to view the corresponding Network
Group report, and selecting an administrator's email address will open your email tool
so that you can send an email to the selected administrator.
Network Group Reports
The Network Group reports provide in-depth information about all network groups included in the selected assessment.
Overview
The Network Group Overview screen presents a list of all network groups, with links
to corresponding Network Group Details reports.
Note: If you are a member of the Super User group, then all network groups are
displayed. Otherwise, only network groups made up completely of networks that
are within the range of the network permissions of the groups to which you belong
are displayed.
Figure 32: Sample Network Group Overview report
Standard
The standard Network Group Details report opens with a pie chart and a bar graph
indicating basic compliance information. Compliance is calculated based on the
average compliance of all assets in the network group associated with the analysis
selected for the report.
Figure 33: Sample Network Group Standard report
Next is a table displaying information about all assets in the selected network group,
including Asset Name, IP address, Operating System, number of Violations, and
number of Vulnerabilities.
Clicking on the Asset Name, IP Address, OS, Violation, or Vulnerabilities column
headings will resort the table according to the selected element.
Use the Narrow by Asset text box to refine the data included in this report based
upon IP addresses or asset name substrings.
All asset names on the Network Group Details screen serve as links to the
corresponding Asset report. All operating system names serve as links to the
corresponding OS report.
Trending
The first graph on the trending version of the Network Group Details report charts
assets at risk. This graph features a View By drop-down list, which you can use to
switch between Assets and Dollars. In Assets mode, this graph plots the severity
level of policy violations and vulnerabilities found on the network group. In Dollars
mode, this graph plots the severity of policy violations and vulnerabilities against the
dollar value of the affected assets.
The second graph on the trending version of the Network Group Details report
illustrates the total number of vulnerabilities and policy violations found along with
the number of remedied vulnerabilities and policy violations.
Next, the trending version of the Network Group Details report provides a graph
illustrating differential Average Time to Fix data.
Use the Narrow by Asset text box to refine the data included in this report based
upon IP addresses or asset name substrings.
Figure 34: Sample Network Group Trending report
Network Report
The Network reports provide detailed information about all networks in the selected
Analysis, including asset names, IP addresses, operating systems, policy violations,
and vulnerabilities. Assets with high severity vulnerabilities or policy violations are
also flagged as compromised on this report.
Network Overview
The Network Overview screen presents a list of all networks included in the
selected Analysis, with links to the corresponding Network Details reports.
Figure 35: Sample Network Overview report
Standard
The standard Network Details report opens with a pie chart and a bar graph indicating basic compliance information. Compliance is calculated based on the average compliance of all assets in the selected network for the analysis selected for the report.
Next is a table displaying information about all assets in the selected network,
including Asset Name, IP address, Operating System, number of Violations, and
number of Vulnerabilities.
Clicking on the Asset Name, IP Address, OS, Violation, or Vulnerabilities column
headings will resort the table according to the selected element.
All asset names on the Network Details screen serve as links to the corresponding Asset report. All operating system names serve as links to the corresponding OS report.
Figure 36: Sample Network Details Standard report
Trending
The first graph on the trending version of the Network Details report charts assets at
risk. This graph features a View By drop-down list, which you can use to switch
between Assets and Dollars. In Assets mode, this graph plots the severity level of
policy violations and vulnerabilities found on the network. In Dollars mode, this graph
plots the severity of policy violations and vulnerabilities against the dollar value of the
affected assets.
The second graph on the trending version of the Network Details report illustrates
the total number of vulnerabilities and policy violations found along with the number
of remedied vulnerabilities and policy violations.
The trending version of the Network Details report provides a graph illustrating
differential Average Time to Fix data.
Figure 37: Sample Network Details Trending report
Asset Report
The Asset reports provide information about all assets in the network group associated with the selected analysis, or detailed information about a specific asset.
Standard
The Asset Standard Report opens with a pie chart and a bar graph indicating basic
compliance information. Compliance is calculated based on the average compliance
of all assets associated with the analysis selected for the report.
Next is a table displaying information about all assets in the selected network group,
including Asset Name, IP address, Operating System, number of Violations, and
number of Vulnerabilities.
Clicking on the Asset Name, IP Address, OS, Violation, or Vulnerabilities column
headings will resort the table according to the selected element.
Use the Narrow by Asset text box to refine the data included in this report based
upon IP addresses or asset name substrings.
All asset names on the Asset Standard Report screen serve as links to the
corresponding Asset Details Standard Report. All operating system names serve as
links to the corresponding OS report.
Figure 38: Sample Asset Standard report
Asset Details Standard
The Asset Details Standard Report opens by listing the asset name, IP address,
operating system, and network, followed by all administrators assigned to the
selected asset. Next, this report presents a graphic indicating the severity level of
policy violations found on the selected asset. This is followed with a table listing all
policy violations and vulnerabilities detected on the selected asset, along with Y/N
fields indicating whether or not it is a new policy violation or vulnerability and
whether or not there is a known fix. A text description is provided for each policy
violation and vulnerability, offering basic remediation information. Finally, the Asset
Report features a table listing all services detected on the selected asset, providing
the port number, protocol, and service name for each.
All operating system names on the Asset Report screen serve as links to the
corresponding entries in the Operating System Overview screen. All network names
serve as links to the corresponding Network Details screen. Click an administrator
name to display the corresponding Administrator Report, and click an administrator's
email address to send email to the selected administrator. Click Chronological View
to display the Chronological Report for the associated asset.
When available, CVE/BugTRAQ IDs will also be listed within the policy
violation/vulnerability text descriptions. All CVE/BugTRAQ IDs will serve as links to
the corresponding CVE/BugTRAQ page.
Note: The Asset Details Standard report is automatically filtered based on the asset
that you selected to view. The Report Context Filter will not allow you to select a
network group that does not contain the selected asset. To view the Asset Details
Standard report for a different asset, return to the previous report and select that
asset.
Click Go to Trending Report to view the Asset Details Trending Report.
Figure 39: Sample Asset Details Standard report
Details Trending
The Asset Details Trending report opens by listing the asset name, IP address,
operating system, and network, followed by all administrators assigned to the
selected asset, and the analysis date. Next, a chart indicating the asset's risk
over time is displayed. This graph features a View By drop-down list, which you can
use to switch between Assets and Dollars. In Assets mode, this graph plots the
severity level of policy violations and vulnerabilities found on the asset. In Dollars
mode, this graph plots the severity of policy violations and vulnerabilities against the
dollar value of the affected asset.
Figure 40: Sample Asset Details Trending report
The second graph on the Asset Details Trending report illustrates the total number
of vulnerabilities and policy violations found along with the number of remedied
vulnerabilities and policy violations.
Next, the Asset Details Trending report provides a graph illustrating differential
Average Time to Fix data.
Note: The Asset Details Trending report is automatically filtered based on the asset
that you selected to view. The Report Context Filter will not allow you to select a
network group that does not contain the selected asset. To view the Asset Details
Trending report for a different asset, return to the previous report and select that
asset.
Trending
The Assets Trending report opens with a chart indicating the asset's risk over
time. This graph features a View By drop-down list, which you can use to switch
between Assets and Dollars.
In Assets mode, this graph plots the severity level of policy violations and
vulnerabilities found on the asset. In Dollars mode, this graph plots the severity of
policy violations and vulnerabilities against the dollar value of the affected asset.
The second graph on the Asset Trending report illustrates the total number of
vulnerabilities and policy violations found along with the number of remedied
vulnerabilities and policy violations.
Next, the Asset Trending report provides a graph illustrating differential Average
Time to Fix data.
Use the Narrow by Asset field to refine the data included in this report based upon IP
addresses or asset name substrings.
Figure 41: Sample Asset Trending report
Chronological View Report
The Chronological View provides information about scans, vulnerability history,
administrator history, and network association specific to the selected asset. The
asset name, IP address, operating system, and network are listed at the top of the
Chronological View page, followed by all administrators assigned to the selected
asset. A chronological listing of all assessments performed upon the asset follows,
then a table listing all vulnerabilities, the date they were found, and the date they
were fixed.
Clicking on the Vulnerability, Date Found, or Date Fixed column headings will resort
the Vulnerabilities table according to the selected element.
Figure 42: Sample Chronological View report
Operating System Report
The Operating System reports provide detailed information about the usage of all
operating systems found in the selected Analysis.
Overview
The Operating System Overview report opens with a pie chart that breaks down all
operating systems found on the assessed network group by percentage. This is
followed with a table indicating the number of assets, number of vulnerabilities,
percentage of vulnerabilities, new vulnerabilities, and average time to fix for each
operating system.
The average time to fix is calculated based on the date that policy violations and
vulnerabilities are found versus the date they are reported fixed in the remediation
system.
Clicking on the Operating System, Assets, Vulnerabilities, or Average Time to Fix
column headings will resort the table according to the selected element.
All operating system names on the Operating System Overview serve as links to the
corresponding Operating System Details report.
Figure 43: Sample Operating System Overview report
Standard
The standard Operating System Details report opens with a pie chart and a bar graph
indicating basic compliance information. Next is another pie chart that presents the
percentage of all operating systems found in the selected Analysis. This is followed
with a table listing all assets in the assessed network group, organized by operating
system. This table includes asset name, IP address, operating system version, and
the number of policy violations and vulnerabilities discovered.
Clicking on the Asset Name, IP Address, Violations, or Vulnerabilities column
headings will resort the table according to the selected element.
All asset names and IP addresses on the Operating System Details screen serve as
links to the corresponding Asset report.
Figure 44: Sample Operating System Details Standard report
Trending
The first graph on the trending version of the Operating System Details report charts
assets at risk. This graph features a View By drop-down list, which you can use to
switch between Assets and Dollars.
In Assets mode, this graph plots the severity level of policy violations and
vulnerabilities found on the network. In Dollars mode, this graph plots the severity of
policy violations and vulnerabilities against the dollar value of the affected assets.
The second graph on the trending version of the Operating System Details report
illustrates the total number of vulnerabilities and policy violations found along with
the number of remedied vulnerabilities and policy violations.
Next, the trending version of the Operating System Details report provides a graph
illustrating differential Average Time to Fix data.
Figure 45: Sample Operating System Details Trending report
Task Reports
The Task reports provide current information about the status of all remediation tasks
addressing policy violations and vulnerabilities in the selected Analysis.
Task Aging Summary
The data displayed on the Task Aging Summary report is driven by the active
Enterprise Group. In addition, only remediation tasks that have not been resolved are
considered. The report displays charts and associated tables for Overdue Tasks,
Days since Found, and Days since Assigned. No additional content authorization is
done for this report.
Overdue Tasks
The Overdue Tasks chart displays the number of tasks that are past due. A
remediation task is considered past due if it has not been resolved by the associated
due date.
Figure 46: Sample Task Aging Summary report - Overdue Tasks chart
Days Since Found
The Days Since Found chart groups tasks by how many days have elapsed since the
underlying issue was first found.
Figure 47: Sample Task Aging Summary report - Days Since Found chart
Days Since Assigned
The Days Since Assigned chart groups tasks by how many days have elapsed since
the task was last assigned (that is, if a task is reassigned, the chart shows the
number of days since the task was reassigned).
Figure 48: Sample Task Aging Summary report - Days Since Assigned chart
Task Rollup Reports
The task rollup reports display vulnerability-type and violation-type remediations
rolled up by Network Group. These reports are enterprise group centric.
Note: If you are a member of the Super User group, then all network groups are
displayed. Otherwise, only network groups made up completely of networks that
are within the range of the network permissions of the groups to which you belong
are displayed.
Rollup by Violation
The Task Rollup by Violation report displays the violation-type remediations rolled up
for the given network groups. The following columns are displayed on this report.
• Network Group: The name of the network group associated with the violations
• Violation: The name of the violation
• Assets: The number of assets that have the violation
• Severity: The average severity for this violation on the current Network Group
• Priority: The average priority for this violation on the current Network Group
• Exposure: The sum of all host values and operational impacts for the network
group and this violation
• New: The % of the tasks that are in an unassigned state and not overdue
• Assigned: The % of the tasks that are in the assigned state and not overdue
• Overdue: The % of the tasks that are overdue
Figure 49: Sample Task Rollup by Violation report
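The Task Aging Summary and Task Rollup by Violation sections above describe how open remediation tasks are bucketed and rolled up. The following added example (not Preventsys code) computes both over constructed task records; the Task fields, the age bucket edges, the restriction of the rollup to unresolved tasks, and all sample values are assumptions.

```python
"""Task aging and rollup calculations modelled on the Task Aging Summary and
Task Rollup by Violation reports (added example, not Preventsys code; the Task
record, bucket edges and sample data are constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Task:
    network_group: str
    violation: str
    asset: str
    severity: int                  # constructed 1..5 scale
    priority: int                  # constructed 1..5 scale
    host_value: float              # dollar value of the affected host
    operational_impact: float      # dollar impact of the host being compromised
    date_found: date               # first found, across all analyses
    due_date: date
    assignee: Optional[str]        # None means unassigned
    date_assigned: Optional[date]  # date of the LAST (re)assignment
    resolved: bool


# Constructed age buckets in days; the product's bucket edges are not on the page.
AGE_BUCKETS = (("0-7", 0, 7), ("8-30", 8, 30), ("31-90", 31, 90), ("91+", 91, None))


def is_overdue(task: Task, today: date) -> bool:
    """A task is past due if it is unresolved after its due date."""
    return not task.resolved and today > task.due_date


def bucket_for(days: int) -> str:
    for label, lo, hi in AGE_BUCKETS:
        if days >= lo and (hi is None or days <= hi):
            return label
    raise ValueError(f"negative age: {days}")


def aging_summary(tasks, today):
    """Overdue count plus Days Since Found / Days Since Assigned histograms.
    Only unresolved tasks are considered, as on the report."""
    open_tasks = [t for t in tasks if not t.resolved]
    since_found = {label: 0 for label, _, _ in AGE_BUCKETS}
    since_assigned = {label: 0 for label, _, _ in AGE_BUCKETS}
    for t in open_tasks:
        since_found[bucket_for((today - t.date_found).days)] += 1
        if t.date_assigned is not None:
            # Reassignment resets the clock: only the last assignment date counts.
            since_assigned[bucket_for((today - t.date_assigned).days)] += 1
    return {
        "overdue": sum(is_overdue(t, today) for t in open_tasks),
        "days_since_found": since_found,
        "days_since_assigned": since_assigned,
    }


def rollup_by_violation(tasks, today):
    """One row per (Network Group, Violation) with the report's columns.
    New / Assigned / Overdue percentages partition the unresolved tasks."""
    groups = defaultdict(list)
    for t in tasks:
        if not t.resolved:
            groups[(t.network_group, t.violation)].append(t)
    rows = []
    for (group, violation), ts in sorted(groups.items()):
        n = len(ts)
        overdue = sum(is_overdue(t, today) for t in ts)
        new = sum(t.assignee is None and not is_overdue(t, today) for t in ts)
        assigned = n - overdue - new   # assigned and not overdue
        rows.append({
            "network_group": group,
            "violation": violation,
            "assets": len({t.asset for t in ts}),
            "severity": round(sum(t.severity for t in ts) / n, 2),
            "priority": round(sum(t.priority for t in ts) / n, 2),
            "exposure": sum(t.host_value + t.operational_impact for t in ts),
            "new_pct": round(100 * new / n, 1),
            "assigned_pct": round(100 * assigned / n, 1),
            "overdue_pct": round(100 * overdue / n, 1),
        })
    return rows


# Constructed sample tasks; names, dates and dollar values are illustrative only.
TODAY = date(2007, 6, 15)
SAMPLE_TASKS = [
    Task("Corp-LAN", "Telnet enabled", "srv-01", 4, 3, 10000, 2000,
         date(2007, 5, 1), date(2007, 5, 31), "alice", date(2007, 5, 5), False),
    Task("Corp-LAN", "Telnet enabled", "srv-02", 2, 1, 5000, 500,
         date(2007, 6, 1), date(2007, 7, 1), None, None, False),
    Task("Corp-LAN", "Telnet enabled", "srv-03", 3, 2, 8000, 1000,
         date(2007, 6, 5), date(2007, 7, 5), "bob", date(2007, 6, 12), False),
    Task("Corp-LAN", "Telnet enabled", "srv-04", 3, 2, 8000, 1000,
         date(2007, 5, 1), date(2007, 5, 31), "bob", date(2007, 5, 2), True),
    Task("DMZ", "Weak SNMP community", "fw-01", 5, 5, 50000, 20000,
         date(2007, 4, 1), date(2007, 4, 30), None, None, False),
]

if __name__ == "__main__":
    print(aging_summary(SAMPLE_TASKS, TODAY))
    for row in rollup_by_violation(SAMPLE_TASKS, TODAY):
        print(row)
```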
Rollup by Vulnerability
The Task Rollup by Vulnerability report displays the vulnerability type remediations
rolled up for the given network groups. The following columns are displayed on this
report.
• Network Group: The name of the network group associated with the
vulnerabilities
• Violation: The name of the vulnerability
• Assets: The number of assets that have the vulnerability
• Severity: The average severity for this vulnerability on the current Network
Group
• Priority: The average priority for this vulnerability on the current Network Group
• Exposure: The sum of all host values and operational impacts for the network
group and this vulnerability
• New: The % of the tasks that are in an unassigned state and not overdue
• Assigned: The % of the tasks that are in the assigned state and not overdue
• Overdue: The % of the tasks that are overdue
Figure 50: Sample Task Rollup by Vulnerability report
Standard
The standard Task report opens with two pie charts illustrating Remediation Status
Overview and Remediation Status Per OS. This is followed with a pair of tables
tracking both pending and resolved policy violations and vulnerabilities, indicating the
affected asset and IP addresses as well as the date upon which each policy violation
or vulnerability was found.
Note: The Date Found is the date the violation or vulnerability was first found by
Preventsys, across all analyses and regardless of assessment configuration.
All violation and vulnerability names on the standard Task report screen serve as links
to the corresponding Remediation Details screen.
Figure 51: Sample Task Standard report
Trending
The first graph on the trending version of the Task report charts remediation status.
This graph features data points indicating the number of remediation tasks Verified,
Claimed Resolved, False Positive, Accepted Risk, Unresolved, and Unassigned.
Next, the trending version of the Task report provides a graph illustrating differential
Average Time to Fix data.
Figure 52: Sample Task Trending report
Task Recipient Report
The Task Recipient reports provide current information about the status of all
administrators and their corresponding remediation tasks, including policy violations,
manual audit task violations, and vulnerabilities.
Overview
The Task Recipient Overview screen presents a list of all users who have the
Resolve Remediation permission.
Note: If a remediator has remediation tasks assigned to them for hosts that are
within the range of networks that you can view, then the remediator's name will
also be a link to the corresponding Task Recipient Details Standard Report.
Figure 53: Sample Task Recipient Overview report
Standard
To view details about a recipient's tasks, select a recipient from the Select Task
Recipient dropdown list, and click Refresh.
Note: The Select Task Recipient dropdown presents a list of all users who have the
Resolve Remediation permission. If a remediator has remediation tasks assigned to
them for hosts that are within the range of the networks that you can view, then
that data will be displayed. Otherwise, you will receive a message notifying you that
no data was found for the selected user that you are not authorized to view.
The Standard Task Recipient Details report displays two pie charts illustrating
Remediation Status Overview and Remediation Status by OS. These are followed
with tables tracking both pending and resolved policy violations and vulnerabilities,
indicating the affected asset and IP address as well as the date upon which each
policy violation or vulnerability was found.
Figure 54: Sample Task Recipient Details Standard report
Note: If you are a member of the Super User group, then all the applicable tasks are
displayed. Otherwise, only the applicable tasks associated with hosts that are within
the range of the network permissions of the groups to which you belong are
displayed. In addition, all Manual Audit Task violations are displayed regardless of
your group permissions.
Trending
To view trending data about a recipient's tasks, enter the Start and End dates of the
range, select a recipient from the Select Task Recipient dropdown list, and click Refresh.
Note: The Select Task Recipient dropdown presents a list of all users who have the
Resolve Remediation permission. If a Remediator has remediation tasks assigned to
them for hosts that are within the range of the networks that you can view, then
that data will be displayed. Otherwise, you will receive a message notifying you that
no data was found for the selected user that you are not authorized to view.
The Task Recipient Details Trending report displays trending data about the selected
recipient's tasks during the period you specify.
Figure 55: Sample Task Recipient Details Trending report
Note: If you are a member of the Super User group, then all the applicable tasks are
displayed. Otherwise, only the applicable tasks associated with hosts that are within
the range of the network permissions of the groups to which you belong are
displayed. In addition, all Manual Audit Task violations are displayed regardless of
your group permissions.
The first graph charts remediation statuses over time. This graph features data
points indicating the number of remediation tasks Verified, Claimed Resolved, False
Positive, Accepted Risk, Unresolved, and Unassigned. The next graph illustrates
differential Average Time to Fix data.
Compliance Overview Report
The Compliance Overview report presents basic compliance data derived from the
number of violations, rules, and assets associated with the selected analysis.
The Compliance Overview report features a bar graph indicating Violations Per Rule
and a table indicating the number of assets that passed and failed for each individual
rule associated with the selected Analysis.
Figure 56: Sample Compliance Overview report
Comparative Compliance Report
Use the Comparative Compliance report to compare multiple analyses and to view
multiple report/analysis combinations at once. You can also switch between an
Overall Compliance view and a Detailed Compliance view.
In the Overall Compliance view, a series of pie charts indicate the compliance level of
each selected analysis. Beneath this is an asset table indicating the Asset Name, IP
Address, OS, the number of Violations, and the numbers of Vulnerabilities.
Figure 57: Sample Comparative Compliance report - Overall Compliance view
In the Detailed Compliance view, a series of bar charts indicate the number of
Violations, Vulnerabilities, Compliant Assets, and Total Assets. Beneath this is an
asset table indicating the Asset Name, IP Address, OS, the number of Violations, and
the numbers of Vulnerabilities.
Clicking on the Asset Name, IP Address, OS, Violation, or Vulnerabilities column
headings will resort the table according to the selected element.
All asset names on the Comparative Compliance Report screen serve as links to the
corresponding Asset report. All operating system names serve as links to the
corresponding OS report.
Figure 58: Sample Comparative Compliance report - Detailed Compliance view
Exposure Overview Report
The Exposure Overview report is designed to tell administrators when a specific bug
was first found by Preventsys. Whenever a policy violation or vulnerability is found
during scan analysis, Preventsys will reference prior scans of the affected network
group in reverse chronological order to calculate how long the system has been
exposed. The CVE/BugTraq date indicates the date the bug was listed on
CVE/BugTRAQ. This date is important because it represents how long the
vulnerability has been in general release, significantly increasing the risk associated
with exposure.
The Exposure Overview Report includes a table for each asset listing policy violations
and vulnerabilities, exposure date, remediation assignments, and remediation status.
It also provides a description for policy violations and a CVE/BugTRAQ date for
vulnerabilities.
Vulnerability listings also include links to associated entries on the official CVE site
when available.
Figure 59: Sample Exposure Overview report
Services Report
The Services report provides detailed information about selected services. The
Services report opens with a chart indicating the Top 10 Services found in the
selected Analysis. This is followed with a table listing all services discovered, their
port numbers, protocols, service names, product guesses, and the number of assets
on which they are active.
Figure 60: Sample Services report
All Service Names on the Services report screen serve as links to the corresponding
entries in the Services Details report. The Services Details report lists the service
name and port, along with its banner information, followed by a table listing all assets
that are running the selected service and their IP addresses.
All asset names and IP addresses on the Services Details screen serve as links to the
corresponding Asset report. The Services Details page also provides links to banner
information when available.
Figure 61: Sample Services Details report
Saving Reports
Reports can be saved either by saving them as a PDF or by publishing them for
viewing later in Preventsys as HTML.
Publishing a Report
Use the Publish function to save any report in Preventsys with its associated report
context as HTML. By publishing reports, you can quickly retrieve selected reports
without using the Report Context controls.
When a report is published, it will always reflect the active Enterprise Group
regardless of what Enterprise Group was active when the report was published. To
save a record of the report based on the current and active enterprise group, use the
Save as PDF feature.
When publishing a report, only the report context is saved; the state of remediation
tasks at that time is not saved. Therefore, the published report will always display the
current state. To save a record of the report based on the state of remediation tasks
at a specific time, use the Save as PDF feature.
To publish a report
1 Click Publish located in the Report Context area. The Publish Report screen
appears.
2 In the Published Report Name text box, enter the name you want to give the
report (35 characters maximum).
3 In the comments box, enter comments for the report if desired.
4 To save the report, click Submit.
5 Click Return to report to view the actual report again.
Viewing Published Reports
Use the View Published Reports function to view any previously published report in
Preventsys as HTML.
Note: If you are a member of the Super User group, then all published reports are
displayed. Otherwise, only published reports associated with network groups made
up completely of networks that are within the range of the network permissions of
the groups to which you belong are displayed.
To view a published report
1 From the Preventsys menu, select Reports > Published Reports. The View
Published Reports screen appears.
2 Click the name of the report you want to view. The selected report appears.
Deleting Published Reports
Use the Delete Published Reports function to delete published reports.
Note: You can only delete published reports that you created.
To delete a published report
1 From the Preventsys menu, select Reports > Published Reports. The View
Published Reports screen appears.
2 Click Delete for the report you want removed. A confirmation pop-up box
appears.
3 To delete the published report, click OK.
Chapter 13
System Updates
The Preventsys Update Propagation System (PUPS) is used to upload, deploy, and
roll back Preventsys component updates.
Downloading an Update
To download an update
1 Go to McAfee Support at http://mysupport.mcafee.com, navigate to the My
Products Download page, and enter your Grant number.
2 Locate your update and then download the file to any system accessible by the
system running the Preventsys Administrative Client.
Uploading and Applying an Update
Once you have downloaded an update from McAfee, you can upload the update to
the Management Server and apply it to the appropriate components.
To upload and apply an update
1 From the Preventsys menu, select Admin > System Updates. The System
Updates screen appears. All available updates are displayed on this screen.
2 Enter the path/location of the system update file.
3 To upload the file to the Management Server, click Upload.
Note: Uploading the update file to the Management Server may take some
time. Please do not log out or close the Administrative Client's browser window
while the upload is in progress.
4 When the upload has completed, the update information is displayed.
5 To update your system, click Apply Now. The Review Contents screen appears
and displays the Module Name, Description, and Version for each component
included in the update.
6 To continue, click Next. The Set Configuration Parameters screen appears and
displays the configuration parameters for each component included in the
update.
7 Edit the configuration parameters as desired. Refer to the release notes
accompanying the update package for details about each of the configuration
parameters before you modify any default values.
8 To continue, click Next. The Update Confirm screen appears and displays any
pending assessments that will be completed prior to the update, as well as the
names of any logged in users who lack Super User access.
Note: Once the update process is initiated, Preventsys will transition to
Maintenance Mode. The pending assessments listed on the Update Confirm
screen will be allowed to complete, but no new assessments will be initiated. In
addition, the non-Super Users listed on the Update Confirm screen will be
logged out automatically.
9 For minor updates, the Save System Archive checkbox is selected by default.
If you do not wish to save a temporary archive of the current system, deselect it.
Note: If you do not save an archive of the current system now, you will not be
able to roll back to it later. For major updates, an archive will be saved
automatically.
10 To apply the update, click Update. The Update Initiated screen appears.
11 Preventsys enters Maintenance Mode while applying the update.
12 To continue, click Next.
13 All members of the Super User group will receive a confirmation email when the
update is complete.
Note: Please do not modify any system data while the update is pending. Once
the update has completed, Preventsys will automatically restart if necessary and
full functionality will be restored.
About Maintenance Mode
When the update is initiated, Preventsys will enter Maintenance Mode. Once
Preventsys enters Maintenance Mode, all pending assessments will be completed
but no new assessments will be initiated.
Note: Preventsys will remain in Maintenance Mode until the update has completed.
If the pending assessments are not completed within 24 hours (default setting), the
update will not complete successfully and Preventsys will remain in its current state.
Only Super Users will be able to log on and access Preventsys when it is in
Maintenance Mode. All non-Super Users will be automatically logged out of
Preventsys as soon as it enters Maintenance Mode.
Note: Do not modify any system data once Preventsys enters Maintenance
Mode. Altering system data at this time may result in an unsuccessful update.
Once the update has completed, PUPS will automatically restart all system
components that require a reboot for the update to take effect. Note that this may
temporarily disrupt the Preventsys Administrative Client's access to the
Management Server (ESM Server).
Update Failure
If an update fails, PUPS will restore Preventsys to the latest successful state. Any
time an update fails, the update must be uploaded to the Management Server again
prior to initiating another attempt at applying the update. In the event of an
unsuccessful update or rollback procedure that results in the Manage System
Updates screen being out of sync or other system problems, please contact
McAfee Support for assistance.
Rolling Back an Update
Once an update has been applied, the rollback feature may be used to return
Preventsys to the previous version.
Note: The Rollback System Update function may only be used to return Preventsys
to the last successful state.
To roll back an update
1 From the Preventsys menu, select Admin > System Updates.
2 To roll back to the last successful state, click Rollback to previous version. The
Rollback Confirm screen appears and displays the pending assessments that will
be completed prior to the rollback procedure, as well as the names of any
logged in users who lack Super User access.
Note: Once the rollback process is initiated, Preventsys will transition to
Maintenance Mode. The pending assessments listed on the Rollback Confirm
screen will be allowed to complete, but no new assessments will be initiated. In
addition, the non-Super Users listed on the Rollback Confirm screen will be
automatically logged out.
3 To start the rollback, click Rollback. The Rollback Initiated screen appears.
4 Preventsys enters Maintenance Mode while implementing the rollback.
5 To continue, click Next.
6 All Super Users will receive a confirmation email when the rollback is complete.
Appendix A
Instance Configurations
This section presents specific information about the assessment tools supported by
Preventsys. For general information about how to add assessment servers and
instance configurations, see Assessment Servers (on page 30).
When adding an instance configuration to an Assessment Server, you will be asked
for information required to connect to that instance. The types of information that
might be required include the username, password, IP address, and port number of
the assessment tool. You can also specify an affinity and associated weight with an
instance. See Affinity and Weight (on page 33) for details.
You can view a description of fields on the instance configuration screens by
positioning your mouse over the desired field.
Figure 62: Example of Help text displayed on the Nessus Instance
Configuration screen
Third-Party Connector Instance Configurations
Preventsys makes its API available for writing third-party connectors. You can then
connect to them from the Assessment Server, and therefore run assessments with
them using Preventsys.
Note: Contact McAfee Support for details about writing third-party connectors.
To add an instance of a Third-Party connector
1 From the Preventsys menu, select Admin > Assessment Servers. The
Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select ThirdParty from the drop-down list, then click Add New Connector.
The ThirdParty Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector
instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for
details about adding affinity.
6 Enter the requested information.
7 To save your settings, click Submit.
AlterPoint Instance Configurations
Preventsys provides support for AlterPoint through an import-only interface. You
must have a licensed version of AlterPoint. The AlterPoint instance must be installed
and have collected configuration information from at least one host.
Note: Although Preventsys supports multiple installations of AlterPoint, each
instance must refer to the same AlterPoint installation.
To add an instance of AlterPoint
1 From the Preventsys menu, select Admin > Assessment Servers. The
Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
290
McAfee Preventsys Risk Analyzer and Compliance Auditor
Instance Configurations
3
Select AlterPoint from the drop-down list, then click Add New Connector. The
AlterPoint Instance Configuration screen appears.
4
In the Connector Name text box, enter the name you want for the connector
instance.
5
To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for
details about adding affinity.
6
Enter the requested information.
7
ƒ
Driver: Select the database type AlterPoint has been configured to utilize.
For installations utilizing Microsoft SQL Server, select the FreeTDS driver.
ƒ
User Name: Enter the user name for the database user that AlterPoint
uses
ƒ
Password: Enter the password for the AlterPoint database user if required
ƒ
DB name: Enter the name of the Configuresoft database
ƒ
Host: Enter the hostname or IP on which AlterPoint is running
ƒ
Port: Enter the port on which the AlterPoint Database is listening
ƒ
User Specific Table Prefix: AlterPoint allows you to create user tables. If
access to a specific users table is required, enter the table prefix here.
To save your settings, click Submit.
AppDetective Instance Configurations
To add an instance of AppDetective, you must have a licensed version of
AppDetective.
To add an instance of AppDetective
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select AppDetective from the drop-down list, then click Add New Connector. The AppDetective Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• AppDetective Connector Address: Enter the IP or hostname of the AppDetective connector.
• AppDetective Connector Port: Enter the port of the AppDetective connector.
7 To save your settings, click Submit.
Configuresoft Instance Configurations
Preventsys provides support for Configuresoft through an import-only interface.
The Configuresoft instance must be installed and have collected configuration
information from at least one host.
Note: Although Preventsys supports multiple Configuresoft connector instances,
each instance must refer to the same Configuresoft installation.
To add an instance of Configuresoft
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select Configuresoft from the drop-down list, then click Add New Connector. The Configuresoft Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• Driver: Select the database type Configuresoft has been configured to use. For installations using Microsoft SQL Server, select the FreeTDS driver.
• User Name: Enter the user name of the database user that Configuresoft uses.
• Password: Enter the password for the Configuresoft database user, if required.
• DB name: Enter the name of the Configuresoft database (defaults to ECM4).
• Host: Enter the hostname or IP on which Configuresoft is running.
• Port: Enter the port on which the Configuresoft database is listening.
7 To save your settings, click Submit.
DARC Instance Configurations
The Dynamic Address Resolution Connector (DARC) is automatically run in the
background by Preventsys during assessments. You must create an instance
configuration for it, but you will not need to create a connector configuration. This
connector is only necessary in Dynamic Host Configuration Protocol (DHCP)
environments.
DARC provides consistent address resolution for correlating host information across
changing IP addresses (because of DHCP) by tracking each host by the MAC address of
its network interface controller (NIC). By using the Dynamic Target Address
Resolution Protocol (DTARP) to report the correlation between IP addresses and host
identity, Preventsys can correlate the same physical host regardless of IP changes
due to DHCP.
DARC can be configured to use any network interface controller (NIC) installed on
the DARC server. If a DARC server is attached to two subnets, 10.1.1.0/24 and
10.2.2.0/24, DARC uses DTARP on each of these interfaces.
DARC uses three basic techniques, all of them automatically: it sends ARP packets to
obtain MAC addresses for hosts on the same subnet, sends NetBIOS packets to hosts
on other subnets, and watches for DHCP traffic.
• Address Resolution Protocol (ARP): DARC instances send ARP packets to every IP address in the subnets DARC has been configured to use. This process is very accurate, but it is limited because a DARC server needs an interface physically attached to every subnet where DHCP is used.
• NetBIOS Querying: DARC instances attempt to use the NetBIOS protocol to obtain MAC addresses. This process works across subnets, unlike ARP, but only against Microsoft Windows hosts whose NetBIOS name service port (UDP port 137) is unfiltered.
• Passive DHCP analysis: MAC addresses may also be gathered from DHCP packets. This process allows a single DARC instance to gather MAC addresses from a particular DHCP server.
For passive DHCP analysis to work, DARC must be able to capture the DHCP packets. In
most environments, DHCP servers are connected to switches, which prevent DARC from
seeing the necessary packets. In this situation, one of two configuration changes
must be made. One option is to place the switch port into a Switch Port Analyzer
(SPAN) or mirrored configuration in which all traffic from the DHCP server is also
sent to the DARC server. The other option is to place the DHCP server and the DARC
server on the same hub. Unlike switches, hubs repeat any packet received to each of
their ports.
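The passive DHCP and ARP techniques above, as an added example that is not part of this guide or of Preventsys: a small Python parser for DHCPACK payloads and Ethernet ARP replies feeding a host table keyed on MAC address, which is the correlation DARC performs. DTARP itself is not documented here, so only the plain DHCP/ARP side is shown; every frame is constructed inline rather than captured, and the addresses (the 10.1.1.x hosts and the MACs) are placeholders.

```python
"""Passive MAC-to-IP correlation of the kind DARC performs.  Added example, not
Preventsys code; DTARP is not documented here, so plain DHCP and ARP parsing stands
in for it.  Every frame below is constructed inline, not captured."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
DHCP_ACK = 5                        # option 53 (message type) value for DHCPACK
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_dhcp_ack(payload):
    """Return (client_mac, leased_ip) from a DHCPACK UDP payload, or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen = payload[0], payload[1], payload[2]
    if op != 2 or htype != 1 or hlen != 6:                 # BOOTREPLY over Ethernet only
        return None
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # "your" (leased) address
    chaddr = payload[28:28 + hlen]                         # client hardware address
    msg_type, i = None, 240
    while i < len(payload):                                # walk the TLV options
        tag = payload[i]
        if tag == 255:                                     # end of options
            break
        if tag == 0:                                       # pad byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        if i + 2 + length > len(payload):                  # truncated option
            break
        if tag == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return (fmt_mac(chaddr), yiaddr) if msg_type == DHCP_ACK else None


def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) from an Ethernet ARP reply, or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return fmt_mac(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32]))


class HostTracker:
    """Host identity is the MAC; the IP is only the current lease."""

    def __init__(self):
        self.history = {}   # mac -> IPs seen for that host, oldest first

    def observe(self, mac, ip):
        seen = self.history.setdefault(mac, [])
        if not seen or seen[-1] != ip:
            seen.append(ip)

    def current_ip(self, mac):
        return self.history[mac][-1]

    def owner_of(self, ip):
        """MAC currently holding ip, or None if unseen or since reassigned away."""
        for mac, ips in self.history.items():
            if ips[-1] == ip:
                return mac
        return None


# Constructed sample traffic (placeholder addresses, not from any real network).
def build_dhcp_ack(mac, ip, xid=0x3903F326):
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ipaddress.IPv4Address(ip).packed, b"\0" * 4, b"\0" * 4,
                         bytes.fromhex(mac.replace(":", "")), b"\0" * 64, b"\0" * 128)
    return header + DHCP_MAGIC + bytes([53, 1, DHCP_ACK, 255])


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    sha, tha = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    eth = tha + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return (eth + arp + sha + ipaddress.IPv4Address(sender_ip).packed
            + tha + ipaddress.IPv4Address(target_ip).packed)


def demo():
    """Host A leases 10.1.1.50, later answers ARP from 10.1.1.77, then host B is given
    10.1.1.50.  Keyed on MAC, A's two scans correlate and B does not inherit A's
    findings; keyed on IP alone, both mistakes would happen."""
    host_a, host_b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    darc_nic, darc_ip = "00:0c:29:aa:bb:cc", "10.1.1.5"
    tracker = HostTracker()
    for obs in (parse_dhcp_ack(build_dhcp_ack(host_a, "10.1.1.50")),
                parse_arp_reply(build_arp_reply(host_a, "10.1.1.77", darc_nic, darc_ip)),
                parse_dhcp_ack(build_dhcp_ack(host_b, "10.1.1.50"))):
        tracker.observe(*obs)
    return tracker
```

The same parser doubles as a check on the SPAN or hub arrangement described above: fed from the DARC server's interface, a feed on which parse_dhcp_ack never returns a value means the mirror is not carrying the DHCP server's traffic, and passive analysis will silently contribute nothing.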
To add an instance of DARC
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select DARC from the drop-down list, then click Add New Connector. The DARC Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Select the interfaces on which you want DARC to listen. The interfaces available on the machine running DARC are listed.
7 To save your settings, click Submit.
Retina Instance Configurations
To add an instance of Retina, you must have a licensed version of Retina.
Note: Although you can select either Retina 4.9 or Retina 5.0 from the menu, choose
one version and install that same version on all your Assessment Servers. Do not mix
versions.
To add an instance of Retina
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select Retina from the drop-down list, then click Add New Connector. The Retina Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• Hostname/IP: Enter the hostname or IP on which Retina is running.
• Port: Enter the port on which Retina is listening.
7 To save your settings, click Submit.
FoundScan Instance Configurations
To add an instance of FoundScan, you must have a licensed version of FoundScan.
FoundScan must also be configured correctly and running.
To configure FoundScan engines
1 Open your browser and point it at your Foundstone Portal.
2 Select Manage > Engines to display a list of engines. Each of the systems listed can be tied into your Preventsys installation as a connector instance.
3 Do one of the following:
• Open the Foundstone Configuration Manager. For each Foundstone system listed, select the FoundScan Engine and ensure that it is running. If it is not running, start it.
• For each FoundScan Engine, log on to the server as an administrative user, right-click My Computer, select Manage from the shortcut menu, double-click Services and Applications, double-click Services, right-click Foundstone Service Proxy, then select Start from the shortcut menu.
4 Repeat steps 1-3 for each engine.
When finished, port 3800/tcp should be listening on each engine's IP address. This confirms that the engines are configured for use with Preventsys.
To add an instance of FoundScan
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select FoundScan from the drop-down list, then click Add New Connector. The FoundScan Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• Hostname/IP: Enter the hostname or IP on which FoundScan is running.
• Port: Enter the port on which FoundScan is listening.
• Organization: The name of the organization associated with the FoundScan account (the organization must already exist in FoundScan before you can enter it here).
• User: Enter the username for the FoundScan account.
• Password: Enter the password for the FoundScan account.
• Use SSL: Select Use SSL if your FoundScan instance is configured to use encryption (see your FoundScan documentation for more information).
• CA Public Cert: Paste the CA's public certificate, including the BEGIN and END header and footer lines. The Preventsys FoundScan Connector uses it to verify the identity of the FoundScan server.
• Trusted Cert (PEM): Paste a public certificate and its private key, including headers and footers.
Note: See About FoundScan Certificates (on page 298) for details about obtaining certificates.
7 To save your settings, click Submit.
About FoundScan Certificates
Like Preventsys, FoundScan uses SSL and certificates to provide secure
communication with each of its components. In order to use Preventsys with
FoundScan, the Preventsys FoundScan instance configuration must be supplied with
certificates that are valid to your FoundScan installation. The procedure for obtaining
these certificates varies based on whether your FoundScan installation is using the
default certificates or if you have generated a new FoundScan Certificate Authority.
To get a certificate if your FoundScan installation is using the default certificates
1 Log on to the server running the FoundScan console.
2 Browse to the Configurations directory, which is located in the FoundScan installation directory. By default, this directory is c:\Program Files\Foundstone\Configurations.
3 Copy the files TrustedCA.pem and Portal.pem to a directory on your computer.
4 On the FoundScan Instance Configuration screen, paste the contents of the TrustedCA.pem file into the CA Public Cert text box, then paste the contents of the Portal.pem file into the Trusted Cert (PEM) text box.
To get a certificate if your FoundScan installation is using a Certificate Authority that you generated
1 Contact McAfee Support for Foundstone, and request the Foundstone Certificate Manager. This is a small application that generates a certificate compatible with the certificates installed on your FoundScan installation.
2 Place the application in your FoundScan installation directory. By default, this is c:\Program Files\Foundstone.
3 Select Run from the Start Menu, then enter the pathname for the Foundscan Certificate Manager.exe.
4 When the application starts, the Foundstone Certificate Management Tool window appears.
Figure 63: Foundstone Certificate Management Tool
5 In the Create SSL Certificate For SOAP Open API section, for Host Address, enter the IP address of the Assessment Server on which you will configure FoundScan.
6 Click Resolve.
7 The hostname is displayed in the Common Name box. This may take a few seconds. If Unresolved is displayed instead, verify that you entered the correct address, and check with your system administrator that the Assessment Server's IP address resolves properly. The hostname must be displayed before you continue to the next step.
8 Click Create Certificates.
9 Enter the location where you want to save the zip archive ThirdPartyAPI-SSL.zip. This archive contains newly created certificates that are compatible with your FoundScan installation's certificates.
10 When the file has been saved, the certificate manager displays a fairly long password under Your Passphrase: Copy this!.
Warning: Do not lose this password or you will have to generate your certificates again.
11 Highlight the entire password, right-click, then select Copy.
12 On the Windows taskbar, select Start > Run.
13 Type notepad in the Open box, then click OK.
14 Press Ctrl+V to paste the password into the Notepad window, then save the contents to a file named ThirdPartyAPI-PW.txt.
15 Transfer the ThirdPartyAPI-SSL.zip and ThirdPartyAPI-PW.txt files into a new directory on your Assessment Server.
16 Enter the following command to log on to the Assessment Server as root:
    ssh root@<ip address>
17 Type the following commands. This example uses the directory /tmp/fscerts:
    cd /tmp/fscerts
    unzip ThirdPartyAPI-SSL.zip
    openssl rsa -in FoundstoneClientCertificate.pem -passin file:ThirdPartyAPI-PW.txt -out key.pem
    openssl x509 -in FoundstoneClientCertificate.pem -out cert.pem
    cat key.pem cert.pem > PreventsysTrustedCertificate.pem
18 Copy the files PreventsysTrustedCertificate.pem and FoundstoneCAPublicCertificate.pem to your computer.
19 Type the following command to remove the FoundScan certificates, including the now unencrypted private key in key.pem and PreventsysTrustedCertificate.pem, from your Assessment Server:
    rm -rf /tmp/fscerts
20 Log off of the Assessment Server.
You now have the certificates necessary for the Preventsys FoundScan instance configuration.
21 On the Preventsys FoundScan Instance Configuration screen, paste the contents of the FoundstoneCAPublicCertificate.pem file into the CA Public Cert box, then paste the contents of the PreventsysTrustedCertificate.pem file into the Trusted Cert (PEM) box.
ISS Internet Scanner Instance Configurations
Preventsys supports ISS Internet Scanner 7.x as a subordinate network fact-collection
module, either standalone or controlled by ISS SiteProtector (see ISS SiteProtector
Instance Configurations), to collect vulnerability data and basic facts about the
hosts.
To add an instance of ISS Internet Scanner, you must have a licensed version of
Internet Scanner.
To add an instance of ISS Internet Scanner
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select Internet Scanner from the drop-down list, then click Add New Connector. The ISS Internet Scanner Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• Hostname/IP: Enter the hostname or IP on which ISS Internet Scanner is running.
• Port: Enter the port on which ISS Internet Scanner is listening.
• Scanner Instance: Enter the sensor instance name of the ISS Internet Scanner.
7 To save your settings, click Submit.
One or more instances of ISS Internet Scanner 7.x are also supported as a standalone
assessment module, independent of ISS SiteProtector. This module may be used instead
of Nessus and Nmap, but does not provide data comparable to the other plug-in
modules.
The ISS Internet Scanner 7.0 connector is installed as a Windows service. By default,
this service runs as the default user. After installing this scanner, use the
Services Control Panel to assign the service to a user with sufficient rights to run
the ISS Internet Scanner 7.0 connector CLI (EngineMgr.exe, usually installed as
C:\Program Files\ISS\ScannerConsole\EngineMgr.exe).
You can configure the Windows Service portion of ISS Internet Scanner by setting the
following Registry values on the Windows system where the Preventsys ISS Internet
Scanner module is installed:
• HKEY_LOCAL_MACHINE\SOFTWARE\Preventsys, Inc.\ISS7\Port: This REG_DWORD value accepts a number (0-65535) and sets the port on which the ISS Internet Scanner 7.0 connector listens for connections. If the value is 0 or does not exist, a random port is used. A fixed port is useful when the connection must pass through a firewall.
• HKEY_LOCAL_MACHINE\SOFTWARE\Preventsys, Inc.\ISS7\dsn: This REG_SZ value identifies the database that ISS Internet Scanner 7.0 uses to store results. It should match the Data Source specified under Tools->Database Administration in the ISS Internet Scanner console.
ISS SiteProtector Instance Configurations
Preventsys provides support for the ISS SiteProtector assessment tool as a
subordinate network fact-collection module. The ISS SiteProtector instance must be
controlling one or more ISS Internet Scanner 7.x instances. ISS SiteProtector can be
used in addition to or instead of the Nessus/Nmap modules but does not provide
comparable data.
To add an instance of SiteProtector, you must also have a licensed version of
SiteProtector and its sub-components.
To add an instance of SiteProtector
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select SiteProtector from the drop-down list, then click Add New Connector. The SiteProtector Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• Database username: Enter the username for the SiteProtector database.
• Database password: Enter the password for the SiteProtector database.
• Database address: Enter the address of the SiteProtector database.
• Database port: Enter the port on which the SiteProtector database is listening.
• Internet scanner instance: Enter the name of the Internet Scanner sensor instance.
• SP Control WSM address: Enter the WSM address of the SiteProtector control.
• SP Control WSM port: Enter the WSM port on which the SiteProtector control instance is listening.
7 To save your settings, click Submit.
MBSA Instance Configurations
To add an instance of MBSA, you must have a licensed version of MBSA.
To add an instance of MBSA
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select MBSA from the drop-down list, then click Add New Connector. The MBSA Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• Hostname/IP: Enter the hostname or IP on which MBSA is running.
• Port: Enter the port on which MBSA is listening.
• Run MBSA as User: Enter the username of an MBSA Administrator account. When MBSA scans, it adjusts its privilege level to that of this account for the duration of the scan.
• Run MBSA as Password: Enter the password of that account.
7 To save your settings, click Submit.
Nessus Instance Configurations
The Nessus assessment tool provides vulnerability detection and network-based
auditing checks. It uses the Nmap plug-in as well as its own database of plug-ins to
collect vulnerability data and basic facts about the hosts, their operating systems,
exposed services and default configurations, for advanced reporting and policy
compliance analysis by the Enterprise Security Manager Server.
To add an instance of Nessus
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select Nessus from the drop-down list, then click Add New Connector. The Nessus Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• Nessus username: Enter the username for Nessus.
• Nessus password: Enter the password for Nessus.
• Nessus IP: Enter the IP to which Nessus is bound.
• Nessus Port: Enter the port on which Nessus is listening.
7 To save your settings, click Submit.
Nessus Certificate-Based Authentication Mode
The Nessus connector supports Nessus' certificate-based authentication mode. This
authentication mode allows clients (such as the Preventsys Nessus connector) to
communicate with the Nessus server with a specially generated certificate rather
than specifying a password. This mode also allows the client to validate the identity
of the Nessus server, thus protecting the client against man-in-the-middle attacks.
To set up certificate-based authentication on the Nessus server
1 Create at least one user with certificate-based authentication (see the Nessus documentation at http://www.Nessus.org for details). In the Nessus 2.x and 3.0.x series, the nessus-mkcert-client program generates these users.
2 After creating the certificates, the tool reports the directory where they were written. You need the cert_nessuswx_username.pem file (where username is the username specified when creating the certificate) as well as the cacert.pem file from the Nessus com directory (for example, /opt/nessus/com/nessus/CA/cacert.pem).
3 Copy the CA certificate and each of the cert_nessuswx_username.pem certificates to your local disk.
To configure a certificate-based authentication Nessus account
1 On the Nessus Instance Configuration screen, enter the address and port of the Nessus instance.
2 Enter the username of the account with certificate-based authentication.
3 Instead of specifying a password, select Certificate Authentication.
4 In the Trusted Cert (PEM) text box, paste in the contents of the cert_nessuswx_username.pem certificate.
5 In the Nessus CA Cert text box, paste in the contents of the cacert.pem certificate.
6 To save your settings, click Submit.
To configure a password-based Nessus account
1 On the Nessus Instance Configuration screen, enter the address and port of the Nessus instance.
2 Enter the username and password.
3 Deselect Certificate Authentication.
4 Delete all text in the Trusted Cert (PEM) and Nessus CA Cert text boxes.
5 To save your settings, click Submit.
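The FoundScan CA Public Cert and Trusted Cert (PEM) boxes (see About FoundScan Certificates) and the Nessus CA Cert and Trusted Cert (PEM) boxes above all take pasted PEM text, and a paste that is missing a header line, is still passphrase-protected, or puts a private key into the CA box only fails later, at assessment time. The following Python check, added here and not part of this guide or of Preventsys, validates the text before it is pasted: PEM framing, base64, one complete DER SEQUENCE per block, exactly one certificate and no key for a CA box, and one certificate plus one unencrypted private key for a Trusted Cert box. The sample bodies are constructed stand-ins (a five-byte DER SEQUENCE), not real certificates or keys.

```python
"""Pre-paste check for the PEM text that the CA Public Cert / Trusted Cert (PEM) boxes
(FoundScan) and the Nessus CA Cert / Trusted Cert (PEM) boxes (Nessus) expect.
Added example, not Preventsys code; the sample bodies are constructed stand-ins."""
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def der_sequence_ok(der):
    """True if der is one complete DER SEQUENCE: tag 0x30 and a length matching the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_blocks(text):
    """Return ([(label, encrypted, der)], problems) for every PEM block found in text."""
    blocks, problems = [], []
    for m in PEM_RE.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
            continue
        lines = [line.strip() for line in body.splitlines() if line.strip()]
        headers = [line for line in lines if ":" in line]   # RFC 1421 headers (Proc-Type, DEK-Info)
        legacy_encrypted = any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
        try:
            der = base64.b64decode("".join(line for line in lines if ":" not in line), validate=True)
        except binascii.Error:
            problems.append(f"{begin}: body is not valid base64")
            continue
        # A legacy encrypted key body is ciphertext, not DER, so only check the others.
        if not legacy_encrypted and not der_sequence_ok(der):
            problems.append(f"{begin}: decoded body is not one complete DER SEQUENCE")
            continue
        blocks.append((begin, legacy_encrypted or begin == "ENCRYPTED PRIVATE KEY", der))
    if not blocks and not problems:
        problems.append("no PEM block found (header and footer lines are required)")
    return blocks, problems


def problems_for_ca_cert(text):
    """The CA box must hold exactly one certificate and never a private key."""
    blocks, problems = pem_blocks(text)
    labels = [b[0] for b in blocks]
    if labels.count("CERTIFICATE") != 1:
        problems.append(f"expected exactly one CERTIFICATE, found {labels.count('CERTIFICATE')}")
    if any(label in KEY_LABELS for label in labels):
        problems.append("a private key was pasted into the CA box")
    return problems


def problems_for_trusted_cert(text):
    """The Trusted Cert (PEM) box must hold one certificate plus one unencrypted private key."""
    blocks, problems = pem_blocks(text)
    labels = [b[0] for b in blocks]
    if labels.count("CERTIFICATE") != 1:
        problems.append(f"expected exactly one CERTIFICATE, found {labels.count('CERTIFICATE')}")
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if any(encrypted for _, encrypted, _ in keys):
        problems.append("private key is passphrase-protected and there is no passphrase field; "
                        "strip it first (openssl rsa -in ... -out key.pem)")
    return problems


# Constructed samples: "MAMCAQU=" is base64 of 30 03 02 01 05, a DER SEQUENCE holding
# INTEGER 5, standing in for a real certificate or key body.
TINY = "MAMCAQU="
SAMPLE_CA = f"-----BEGIN CERTIFICATE-----\n{TINY}\n-----END CERTIFICATE-----\n"
SAMPLE_TRUSTED = f"-----BEGIN RSA PRIVATE KEY-----\n{TINY}\n-----END RSA PRIVATE KEY-----\n" + SAMPLE_CA
SAMPLE_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    f"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n{TINY}\n-----END RSA PRIVATE KEY-----\n"
                    + SAMPLE_CA)
```

The DER check only proves each block is well-formed; it does not prove that the key belongs to the certificate or that the CA issued it. Before pasting, compare the output of openssl x509 -noout -modulus -in cert.pem with openssl rsa -noout -modulus -in key.pem, and run openssl verify -CAfile <ca file> cert.pem against the CA certificate you intend to paste into the CA box.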
Network Architecture Assessor Instance Configurations
The Preventsys Network Architecture Assessor (NAA) assessment tool is used to
test gateway device routing and filtering rules (for example, firewalls and routers) and
collects data for comprehensive perimeter policy checks.
P2P Assessment is built in as part of the Network Architecture Assessor
configuration, and is used to test the perimeter defense devices (routers and
firewalls) for the possibility of rogue P2P protocols such as Kazaa, Direct Connect
and BitTorrent. You need the policies that contain rules associated with these
protocols to view the results. Refer to the Preventsys Policy and Regulatory Guide
for details.
To add an instance of Network Architecture Assessor
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select Network Architecture Assessor from the drop-down list, then click Add New Connector. The Network Architecture Assessor Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the following for each NAA Slave accessible by this NAA:
• Slave Name: The name of the NAA slave.
• Slave IP: The IP of the NAA slave.
• Slave Netmask: The netmask of the NAA slave.
• Slave Port: The port of the NAA slave.
• Firewall IP: The IP of the firewall this slave will be used to test.
• NAT Network: The Network Address Translation (NAT) network, if the source IP of packets sent to this slave is translated by NAT. Otherwise, leave blank.
• NAT Netmask: The NAT netmask, if the source IP of packets sent to this slave is translated by NAT. Otherwise, leave blank.
7 To save your settings, click Submit.
Nmap Instance Configurations
The Nmap assessment tool provides network discovery, OS fingerprinting, and port
scanning. Nmap has no instance configuration parameters.
To add an instance of Nmap
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select Nmap from the drop-down list, then click Add New Connector. The Nmap Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 To save your settings, click Submit.
ScanAlert Instance Configurations
The ScanAlert assessment tool is a hosted scan service and can therefore only scan
internet-accessible (public) hosts.
To add an instance of ScanAlert
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select ScanAlert from the drop-down list, then click Add New Connector. The ScanAlert Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• ScanAlert User: Enter the ScanAlert user name.
• ScanAlert Password: Enter the ScanAlert password.
• Proxy Hostname/IP: If your outgoing web connections must be routed through a web proxy, enter the hostname or IP of the proxy.
• Port: If your outgoing web connections must be routed through a web proxy, enter the port on which the proxy is listening.
• Proxy Username: If your outgoing web connections must be routed through a web proxy, enter the username for the proxy.
• Password: If your outgoing web connections must be routed through a web proxy, enter the password for the proxy.
• Proxy Auth Type: If your outgoing web connections must be routed through a web proxy, select the authentication type the proxy uses.
7 To save your settings, click Submit.
Windows Registry Instance Configurations
The Preventsys Windows Registry (WinReg) assessment tool provides remote assessment
of the Windows Registry in Windows domains. This allows policy analysis based on the
existence, non-existence, and values of Windows Registry entries for
Windows-specific policies.
To add an instance of WinReg
1 From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2 Expand the row for the desired Assessment Server.
3 Select WinReg from the drop-down list, then click Add New Connector. The WinReg Instance Configuration screen appears.
4 In the Connector Name text box, enter the name you want for the connector instance.
5 To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6 Enter the requested information:
• Hostname/IP: Enter the hostname or IP on which WinReg is running.
• Port: Enter the port on which WinReg is listening.
7 To save your settings, click Submit.
Installation and Configuration
The Preventsys Windows Registry Installer installs this Windows scan module as a
Windows service. It can be installed and run on Windows 2000 Professional, Microsoft
Windows NT 4.0, Microsoft Windows 2000 Server, Windows XP (pre-SP2), and Microsoft
Windows Server 2003 Standard Edition.
By default, this service runs as the default user. After installing this scanner,
you must use the Services Control Panel to assign this service to a user with
sufficient access to activate this remote service. This process is explained later
in this chapter.
Note that prior to installation all Preventsys component system clocks must be
properly set and configured to the desired time zone. Moreover, all Preventsys
component system clocks must be synchronized to the same time to ensure a
successful installation.
Next, you must access the Services Control Panel and change the user assignment
for the new Windows Registry Scanner service to ensure that this service will be run
by a user with sufficient access to read remote system registries.
You can configure the Windows Service portion of the Registry Scanner by
manipulating Registry Keys/Values on the Windows system where the Windows Registry
Scanner was installed.
QualysGuard Instance Configurations
The QualysGuard assessment tool is a web-based network discovery/vulnerability
detection application, which can work in conjunction with an intranet scanner
appliance located inside your firewall. To add an instance of QualysGuard, you must
have a license for QualysGuard and a Qualys account.
► To add an instance of QualysGuard
1. From the Preventsys menu, select Admin > Assessment Servers. The Assessment Server Management screen appears.
2. Expand the row for the desired Assessment Server.
3. Select QualysGuard from the drop-down list, then click Add New Connector. The QualysGuard Instance Configuration screen appears.
4. In the Connector Name text box, enter the name you want for the connector instance.
5. To add Affinity, click Add Affinity. See Affinity and Weight (on page 33) for details about adding affinity.
6. Enter the requested information.
   • Qualys username: Enter the Qualys username
   • Qualys password: Enter the Qualys password
   • Appliance name: Enter the appliance name for QualysGuard
   • Batch size for pause simulation: Enter the number of hosts per chunk. The target hosts are broken up into chunks of this size and the chunks are scanned serially. This field is required because Qualys does not include native pause and resume in its API. Preventsys must therefore simulate pause/resume with Qualys, so that when a pause is requested, only the chunk being scanned needs to be rescanned. A value of 0 means scan all IPs in one Qualys scan.
   • Enable proxy: Select if you want to use a proxy. Also enter the proxy's host, port, and, if required, username and password.
   • Proxy Auth Type: If you selected Enable Proxy, also select the type of proxy authentication you want. Some proxy servers are incompatible with the Any setting. Therefore, it is better to select the specific authentication protocol supported by your proxy server.
7. To save your settings, click Submit.
Appendix B
Connector Configurations
A connector configuration is a set of parameters that controls the behavior of a
particular assessment tool supported by the Preventsys Assessment Server during
an assessment. A popular parameter defined in a connector configuration is the set
of tests or checks to run during an assessment. Unlike an Instance Configuration, a
Connector Configuration can be applied to any defined instance of the same
assessment tool. For example, if the same assessment tool was installed in three
different locations, a single Connector Configuration can be applied to each of these
installations.
This section presents connector-specific information about the connectors supported
by Preventsys. For steps about adding connector configurations, see Adding a
Connector Configuration (on page 131).
Updating Scanner Plugins
Use the tools provided with the individual connectors to update their associated plugins. For example, use the update plugin script provided by Nessus.
AlterPoint Connector Configurations
► To add an AlterPoint connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select AlterPoint from the drop-down list. The AlterPoint Connector Configuration screen appears.
3. Enter the requested information.
   • Scan to Import: Select the saved AlterPoint scan that you want to import.
   • Device Type: Select the device type by which you want to filter the relevant results.
   • Vendor: Select the vendor by which you want to filter the relevant results.
4. To save your settings, click Submit.
AppDetective Connector Configurations
► To add an AppDetective connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select AppDetective from the drop-down list. The AppDetective Connector Configuration screen appears.
3. Enter the requested information. For details about the options displayed, please refer to your AppDetective documentation.
   • SIDs for Oracle 10g: AppDetective's Application Discovery scan is normally able to detect the system identifiers (SID) for any Oracle database. However, AppDetective is unable to detect the SIDs for Oracle 10g databases. Therefore, to scan Oracle 10g databases, the SIDs must be entered manually.
     To add an Oracle 10g SID, select Insert under the SIDs for Oracle 10g section, then enter the SID in the field provided. To delete a SID, click Delete for the desired SID.
   • Discovering applications on nonstandard port ranges: AppDetective is configured with the default ports of each of the applications it supports. However, if one or more of your applications are running on nonstandard ports, there is an option to override AppDetective's range and to enter the range yourself. Keep the port range small: if possible, do not include more than 100 ports, because AppDetective's Application Discovery scanner can take a long time for large numbers of ports.
     To specify a custom port range, select Discover Applications on Nonstandard Ports. Then enter the custom port range in the Custom Discovery Port Range field. Note that a valid port range is made up of one or more ranges or single ports, separated by commas, with no spaces. For example, to include the ports 1200, 1202, 1203, 1204, 1205, 1207 and 1208 in the Application Discovery scan, you can enter the range: 1200,1202-1205,1207-1208
4. To save your settings, click Submit.
Note: If your AppDetective license is exceeded during an assessment, the AppDetective scan will fail with the message, “The AppDetective scan failed due to an unspecified error, which is often a result of a license violation. Please verify that the IP:Port is included in your license”.
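The Custom Discovery Port Range syntax (single ports and ranges, comma-separated, no spaces) is easy to get wrong, and an oversized range slows Application Discovery. The following Python parser is an added example, not code from the guide or from AppDetective; it expands a range string, rejects malformed input and warns when the guide's 100-port advice is exceeded.

```python
"""Parse and sanity-check an AppDetective Custom Discovery Port Range string.

Added example, not code from the Preventsys guide or from AppDetective. It implements
the format the guide describes (single ports or ranges, comma-separated, no spaces,
e.g. "1200,1202-1205,1207-1208") and applies the guide's advice against ranges of
more than 100 ports.
"""
import re
from typing import List, Tuple

MAX_RECOMMENDED_PORTS = 100  # guide: avoid including more than 100 ports if possible
_ITEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")  # "1200" or "1202-1205"


def parse_port_range(spec: str) -> List[int]:
    """Expand a range spec into a sorted list of unique ports.

    Raises ValueError on spaces, empty items, non-numeric items, ports outside
    1-65535, or a range whose low end exceeds its high end.
    """
    if " " in spec:
        raise ValueError("port range must not contain spaces")
    ports = set()
    for item in spec.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"invalid port item: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"port out of range 1-65535: {item!r}")
        if low > high:
            raise ValueError(f"range low end exceeds high end: {item!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def check_port_range(spec: str) -> Tuple[List[int], List[str]]:
    """Return (ports, warnings); a warning is added when the 100-port advice is exceeded."""
    ports = parse_port_range(spec)
    warnings = []
    if len(ports) > MAX_RECOMMENDED_PORTS:
        warnings.append(
            f"{len(ports)} ports exceeds the recommended maximum of {MAX_RECOMMENDED_PORTS}; "
            "AppDetective's Application Discovery scan may take a long time"
        )
    return ports, warnings


if __name__ == "__main__":
    for spec in ("1200,1202-1205,1207-1208", "1-200"):
        ports, warnings = check_port_range(spec)
        print(f"{spec}: {len(ports)} ports {ports[:8]}{' ...' if len(ports) > 8 else ''} {warnings}")
```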
Configuresoft Connector Configurations
► To add a Configuresoft connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select Configuresoft from the drop-down list. The Configuresoft Connector Configuration screen appears.
3. Enter the requested information.
   • Select a Template Set: Select a saved Configuresoft Template Set to import.
   • Select a Machine Group: Select a group of machines that have had the template set applied to them for import.
4. To save your settings, click Submit.
FoundScan Connector Configurations
► To add a FoundScan connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select FoundScan from the drop-down list. The FoundScan Connector Configuration screen appears.
3. Enter the requested information. For details about the options displayed, please refer to your FoundScan documentation.
4. To save your settings, click Submit.
ISS Internet Scanner Connector Configurations
► To add an ISS Internet Scanner connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select ISS Internet Scanner from the drop-down list. The ISS Internet Scanner Connector Configuration screen appears.
3. Enter the requested information. For details about the options displayed, please refer to your ISS Internet Scanner documentation.
4. To save your settings, click Submit.
ISS SiteProtector Connector Configurations
► To add an ISS SiteProtector connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select ISS SiteProtector from the drop-down list. The SiteProtector Connector Configuration screen appears.
3. Enter the requested information. For details about the options displayed, please refer to your ISS SiteProtector documentation.
4. To save your settings, click Submit.
MBSA Connector Configurations
On the Microsoft Baseline Security Analyzer (MBSA) Connector Configuration screen, the domain administrator username and password fields allow you to specify the credentials for the domain administrator of your target systems. These are used when MBSA runs on a machine in one domain and you want to scan machines in another domain. For example, if MBSA is running on a machine not in the POLCAP domain, you can scan machines in the POLCAP domain by adding POLCAP\Administrator as the user, along with the matching password.
► To add an MBSA connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select MBSA from the drop-down list. The MBSA Connector Configuration screen appears.
3. Enter the requested information. For details about the options displayed, please refer to your MBSA documentation.
   Note: When MBSA is run from its GUI outside of Preventsys, you can select a range of IPs or a Domain to scan. This will produce one file per machine scanned, which Preventsys will aggregate.
4. To save your settings, click Submit.
Note: The MBSA v2.0 service requires that it run as the local Administrator (./Administrator). When configuring an assessment you must enter the Username and Password for an MBSA domain administrator to run a successful assessment (for example, DOMAIN\ADMINISTRATOR). If these credentials are not correct or not supplied, the assessment will fail with the message, “Assessment Failed: ID: 1 Scan Connector Microsoft Baseline Security Analyzer: Protocol error (120 / START) got (320/User ID or Password not Supplied)”.
Nessus Connector Configurations
The Nessus Connector Configuration screen presents all Nessus scanner options organized under tabs. Preventsys provides default settings that you can use as they are or edit as desired.
► To add a Nessus connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select Nessus from the drop-down list. The Nessus Connector Configuration screen appears.
The Nessus connector configuration is displayed in tabs. The first tab lists every
Nessus test broken into categories, spread across multiple tabs. The second tab
contains preferences, many of which are specific to the tests on the first tab.
Therefore, if a test with an associated set of preferences is disabled, those
preferences will be read-only. By default, all dangerous tests are disabled and
displayed in red, along with a few tests deemed to be redundant by Preventsys.
Note that a test is considered dangerous if the author of that test has placed it in
one of four dangerous categories: ACT_DENIAL, ACT_KILL_HOST,
ACT_FLOOD, and ACT_DESTRUCTIVE_ATTACK. The category of a given NASL
script can be determined by opening it and looking for its script_category line.
Each category of tests has a set of buttons (All, Default, and None), which will
enable all tests in the category, set the category's tests to their default state, or
disable all tests in the category, respectively.
3. Enter a connector configuration name. This name will not be editable after you leave this tab.
4. Enter the requested information. For details about the options displayed, please refer to your Nessus documentation. You can also find information at http://www.nessus.org.
5. To save your settings, click Submit.
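To see which plugins the connector will disable by default, the category can be read straight from each NASL source, as described in step 2 above. The following Python audit script is an added example, not part of Preventsys or Nessus; it extracts each script's script_category line and flags the four dangerous categories, using constructed sample plugin text rather than real plugin files.

```python
"""Audit NASL plugin sources for the categories the Preventsys Nessus connector disables.

Added example, not part of Preventsys or Nessus. A plugin counts as dangerous when its
script_category() call names ACT_DENIAL, ACT_KILL_HOST, ACT_FLOOD or ACT_DESTRUCTIVE_ATTACK.
The sample plugin sources below are constructed for this example, not real Nessus plugins.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

DANGEROUS_CATEGORIES = {"ACT_DENIAL", "ACT_KILL_HOST", "ACT_FLOOD", "ACT_DESTRUCTIVE_ATTACK"}
# Matches the script_category line, e.g. "  script_category(ACT_FLOOD);"
_CATEGORY = re.compile(r"^\s*script_category\s*\(\s*([A-Z_]+)\s*\)\s*;", re.MULTILINE)


def script_category(nasl_source: str) -> Optional[str]:
    """Return the category named in the plugin's script_category() call, or None if absent."""
    m = _CATEGORY.search(nasl_source)
    return m.group(1) if m else None


def is_dangerous(nasl_source: str) -> bool:
    """True if the plugin sits in one of the four categories the guide treats as dangerous."""
    return script_category(nasl_source) in DANGEROUS_CATEGORIES


def audit_plugin_dir(plugin_dir: Path) -> Dict[str, str]:
    """Map each dangerous *.nasl file under plugin_dir to its category; safe plugins are omitted."""
    flagged: Dict[str, str] = {}
    for path in sorted(plugin_dir.glob("*.nasl")):
        category = script_category(path.read_text(errors="replace"))
        if category in DANGEROUS_CATEGORIES:
            flagged[path.name] = category
    return flagged


# Constructed sample plugin sources (not real Nessus plugins).
SAMPLE_PLUGINS = {
    "banner_grab.nasl": 'if (description) {\n  script_name("Banner grab");\n  script_category(ACT_GATHER_INFO);\n}\n',
    "flood_test.nasl": 'if (description) {\n  script_name("Flood test");\n  script_category(ACT_FLOOD);\n}\n',
    "no_category.nasl": 'if (description) {\n  script_name("Odd plugin");\n}\n',
}


def audit_samples() -> Dict[str, str]:
    """Write the constructed plugins to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, source in SAMPLE_PLUGINS.items():
            Path(tmp, name).write_text(source)
        return audit_plugin_dir(Path(tmp))


if __name__ == "__main__":
    print(audit_samples())  # {'flood_test.nasl': 'ACT_FLOOD'}
```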
Nessus 3.02 and 2.2.7 Port Scanner Selection
Starting with Nessus 3.02 and 2.2.7, the Nmap plugin is no longer included in Nessus
distributions. The Preventsys Nessus connector defaults to the built-in Nessus TCP
scanner. Note that this default is only applied if the Nmap plugin is not available, and
is only applicable to the default values in a Nessus connector configuration.
Therefore, older, existing Nessus connector configurations might need to be
manually edited to change the selected port scanner. Almost every Nessus plugin
relies on the information returned by the port scanner(s) to determine whether the
plugin should run. Therefore, failure to make this configuration change can result in
severely reduced assessment coverage.
To add a different port scanner to your Nessus connector configuration manually, go
to the Edit Connector Configuration screen for the desired connector configuration.
On the first page under Port Scanners, select Nessus TCP scanner, SYN Scan, or
both.
This issue only occurs when Nessus is updated to 3.02 (in the 3.x branch), or 2.2.7
(in the Open Source / 2.2.x branch). The Nessus automated plugin updater will not
cause this problem. In addition, you can continue to use Nmap by manually backing
up the nmap.nasl plugin, or by downloading it from the Nessus.org website. For
more information on this change, including an explanation of why this plugin was
removed, refer to the official Nmap statement at:
http://www.nessus.org/documentation/index.php?doc=nmap-usage
Network Architecture Assessor Connector Configurations
► To add a Network Architecture Assessor connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select Network Architecture Assessor from the drop-down list. The Network Architecture Assessor Connector Configuration screen appears.
3. Enter the requested information.
   • Select the Slaves to Test: Select the slaves you want tested
   • Select the Rules to Use: Select the rules you want to test with
   • Network Architecture Assessor Custom Rules Entry: Enter custom rules (see Adding Custom NAA Rules (on page 323) for details)
4. To save your settings, click Submit.
NAA Default Tests
NAA performs the following tests by default:
• rfc1918-192.168: A TCP/IP packet with a source in the RFC 1918 address block of 192.168/16 was able to be sent through the firewall.
• rfc1918-10: A TCP/IP packet with a source in the RFC 1918 address block of 10.0.0.0/8 was able to be sent through the firewall.
• rfc1918-172.16: A TCP/IP packet with a source in the RFC 1918 address block of 172.16/12 was able to be sent through the firewall.
• ipzero: A TCP/IP packet with a source address of 0.0.0.0 was able to be sent through the firewall.
• localhost-tcp: A TCP/IP packet with a source address of 127.0.0.1 was able to be sent through the firewall.
• localhost-udp: A UDP packet with a source address of 127.0.0.1 was able to be sent through the firewall.
• src53-echo: A UDP packet with a source port of 53 was able to be sent through the firewall to the echo port.
• src53-ssh: A TCP packet with a source port of 53 was able to be sent through the firewall to the SSH port.
• icmp-echoreq: An ICMP echo request packet was able to be sent inward through the firewall.
• icmp-echorep: An ICMP echo reply packet was able to be sent outward through the firewall.
• udp-broadcast: A broadcast packet was able to be sent inward through your firewall.
• src-routing: A source routed packet was able to be sent inward from a packet thrower.
P2P Assessment
NAA can also do P2P assessments that test perimeter defense devices (routers and firewalls) for the possibility of the following rogue P2P protocols:
• P2P - Bittorrent traffic
• P2P - Direct Connection (DC) traffic
• P2P - Kazaa traffic
You will need to select the policies that contain the rules associated with these
protocols when creating your assessment configuration. Refer to Preventsys Policy
Reference Guide for details about these rules.
Adding Custom NAA Rules
NAA can get its rule data from two different sources: from rules entered into the
NAA Custom Rules field in the UI or from rule files you upload to the AS. If you use
the second method, you will need to upload your rules to every AS. In addition, once
they've been uploaded anyone can use them, which may not be desirable.
By contrast, you can paste the contents of your rule files (referred to as rulesets) into the NAA Custom Rules field on the NAA Connector Configuration screen. Custom NAA rulesets are XML documents that contain tests for the NAA. Each document consists of one or more rules, each of which describes a particular packet to send through a firewall. Each packet you configure should be one that the firewall is expected to block, so any packet that passes the firewall is counted as a failure.
NAA Custom Rulesets File Layout
The following is the general format of a rule-set document. Each rule has a
description associated with it. If a given rule is able to be sent through the firewall
being tested, that rule's description will be used in the results.
<naarules>
<naarule …XML attributes …>description for rule #1</naarule>
<naarule … XML attributes …>description for rule #2</naarule>
…
<naarule … XML attributes …>description for rule #n</naarule>
</naarules>
NAA Rule Attributes
Each Network Architecture Assessor rule defines a specific packet type that will be
sent either outward (from the master to the slave) or inward (from the slave to the
master). The following table lists the attributes for NAA rules.
NAA Rule Attributes (attribute, whether required, description)

[direction attribute; its name is not legible in this transcription] (required): Sets the direction of the packet for this test. The valid values for this attribute are out (sent from slave to master), in (sent from master to slave) and both (the same thing as making two identical rules; one out, one in).
saddr (required): Sets the source IP address of the packet. This attribute must be specified in one of three forms:
   • An IP address (for example, 10.4.3.2)
   • An IP address range, given in either CIDR form (192.168.0.0/16) or netmask form (192.168.0.0:255.255.0.0)
   • A symbolic address: either srcaddr (the address of the host sending the packet), srcbcast (the broadcast address of the host sending the packet), destaddr (the address of the host the packet is being sent to), or destbcast (the broadcast address of the host the packet is being sent to).
   Note: In the case of the range format addresses, a random address is selected at assessment time.
daddr (required): Same format as the saddr attribute.
sport (required): Sets the source port of the packet. This attribute must be specified in one of two forms: a port (for example, 12345) or a range of ports (for example, 1024-65535). In the case of the range format ports, a random port is selected at assessment time.
dport (required): Same format as the sport attribute.
proto (required): A string specifying the protocol of the packet. The three acceptable values are tcp (for TCP/IP packets), udp (for UDP packets) and icmp (for ICMP packets).
flags (optional, except for ICMP): One or more comma-delimited strings that configure the packet.
severity (required): Sets the severity of the rule, from 0-90.
id (required): A string specifying an identifier that will be given in the results if the packet described by this rule is able to pass through the firewall being tested.
NAA Rule Flags
As explained in the NAA Rule Attributes section, the flags attribute may contain one
or more comma-delimited strings. Each of these strings is protocol-specific, and
they alter the behavior of the packet. The following is a list of the possible flags,
along with the protocol the flag is specific to, and a description of its behavior.
NAA Rule Flags (flag, protocol, description)

syn (TCP): Sets the SYN flag of the TCP/IP packet
ack (TCP): Sets the ACK flag of the TCP/IP packet
psh (TCP): Sets the PSH flag of the TCP/IP packet
urg (TCP): Sets the URG flag of the TCP/IP packet
rst (TCP): Sets the RST flag of the TCP/IP packet
fin (TCP): Sets the FIN flag of the TCP/IP packet
srcrt (TCP): Adds the source route option to the TCP/IP packet. The firewall address is specified as one of the required routes.
echoreq (ICMP): Makes an ICMP echo request packet
echorep (ICMP): Makes an ICMP echo reply packet
Uploading Custom Rules
As mentioned previously, you can upload custom NAA rules to an assessment server. The file name must have the form name_naa.xml (where name is a unique identifier describing what the rules test). Put the file in the following directory on each assessment server:
/usr/local/preventsys/ASComponents/share/audserv/netarch/
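Before pasting a ruleset into the NAA Custom Rules field or uploading it as name_naa.xml, it is worth checking it against the file layout, attribute table and flag table above. The following Python validator is an added example, not part of Preventsys; it assumes the direction attribute (whose name is not legible in this transcription) is called dir, and its sample ruleset is constructed for the example.

```python
"""Validate a custom NAA ruleset (<naarules> XML) against the attribute and flag tables.
Added example, not Preventsys code. DIRECTION_ATTR is an assumption: the direction
attribute's real name is not legible in the source table. The sample ruleset is constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

DIRECTION_ATTR = "dir"  # assumed name; not present in the source table
DIRECTIONS = {"out", "in", "both"}
SYMBOLIC_ADDRS = {"srcaddr", "srcbcast", "destaddr", "destbcast"}
FLAGS_BY_PROTO = {
    "tcp": {"syn", "ack", "psh", "urg", "rst", "fin", "srcrt"},
    "udp": set(),
    "icmp": {"echoreq", "echorep"},
}
_PORT = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
_FILENAME = re.compile(r"^[A-Za-z0-9._-]+_naa\.xml$")  # guide: name_naa.xml


def valid_address(value: str) -> bool:
    """Plain IP, CIDR (addr/bits), netmask form (addr:mask) or a symbolic name."""
    if value in SYMBOLIC_ADDRS:
        return True
    try:
        if ":" in value:
            addr, mask = value.split(":", 1)
            ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        else:
            ipaddress.IPv4Network(value, strict=False)  # a bare IP parses as a /32
        return True
    except ValueError:
        return False


def valid_port(value: str) -> bool:
    """A single port (12345) or an ascending range (1024-65535)."""
    m = _PORT.match(value)
    if not m:
        return False
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    return 0 <= low <= high <= 65535


def rule_errors(rule: ET.Element) -> list:
    """Return the problems found in one <naarule> element (empty list if valid)."""
    a, errs = rule.attrib, []
    required = (DIRECTION_ATTR, "saddr", "daddr", "sport", "dport", "proto", "severity", "id")
    errs += [f"missing required attribute {n}" for n in required if n not in a]
    if errs:
        return errs
    if a[DIRECTION_ATTR] not in DIRECTIONS:
        errs.append(f"{DIRECTION_ATTR} must be out, in or both")
    errs += [f"{n} {a[n]!r} is not a valid address form" for n in ("saddr", "daddr") if not valid_address(a[n])]
    errs += [f"{n} {a[n]!r} is not a port or port range" for n in ("sport", "dport") if not valid_port(a[n])]
    proto = a["proto"]
    if proto not in FLAGS_BY_PROTO:
        errs.append(f"proto must be tcp, udp or icmp, not {proto!r}")
    else:
        flags = [f for f in a.get("flags", "").split(",") if f]
        if proto == "icmp" and not flags:
            errs.append("flags is required for icmp rules (echoreq or echorep)")
        errs += [f"flag {f!r} is not valid for {proto}" for f in flags if f not in FLAGS_BY_PROTO[proto]]
    if not a["severity"].isdigit() or int(a["severity"]) > 90:
        errs.append("severity must be an integer from 0 to 90")
    if not a["id"].strip():
        errs.append("id must not be empty")
    if not (rule.text or "").strip():
        errs.append("rule has no description text (it is reported in the results)")
    return errs


def validate_ruleset(xml_text: str, filename: str = "custom_naa.xml") -> dict:
    """Validate a whole ruleset; returns {rule id or position: errors} for bad rules only."""
    problems = {}
    if not _FILENAME.match(filename):
        problems["<file>"] = ["file name must have the form name_naa.xml"]
    root = ET.fromstring(xml_text)
    if root.tag != "naarules":
        raise ValueError(f"root element must be <naarules>, not <{root.tag}>")
    for i, rule in enumerate(root.findall("naarule"), 1):
        errs = rule_errors(rule)
        if errs:
            problems[rule.get("id") or f"rule#{i}"] = errs
    return problems


# Constructed sample ruleset; the second rule is deliberately invalid (no flags, severity > 90).
SAMPLE_RULESET = """<naarules>
<naarule dir="in" saddr="10.0.0.0/8" daddr="destaddr" sport="1024-65535" dport="22"
         proto="tcp" flags="syn" severity="70" id="rfc1918-10-ssh">RFC 1918 source reached SSH</naarule>
<naarule dir="in" saddr="srcaddr" daddr="destaddr" sport="0" dport="0"
         proto="icmp" severity="95" id="icmp-echoreq">ICMP echo request passed inward</naarule>
</naarules>"""

if __name__ == "__main__":
    for rule_id, errs in validate_ruleset(SAMPLE_RULESET).items():
        print(rule_id, errs)  # only icmp-echoreq is reported, with two errors
```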
Nmap Connector Configurations
► To add an Nmap connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select Nmap from the drop-down list. The Nmap Connector Configuration screen appears.
3. Enter the requested information. For details about the options displayed, please refer to your Nmap documentation.
4. To save your settings, click Submit.
QualysGuard Connector Configurations
► To add a QualysGuard connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select QualysGuard from the drop-down list. The QualysGuard Connector Configuration screen appears.
3. Enter the requested information. For details about the options displayed, please refer to your QualysGuard documentation.
4. To save your settings, click Submit.
Note: The Qualys Account must be activated on the Qualys website prior to attempting an assessment with it.
Retina Connector Configurations
► To add a Retina connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select Retina from the drop-down list. The Retina Connector Configuration screen appears.
3. Enter the requested information. For details about the options displayed, please refer to your Retina documentation.
4. To save your settings, click Submit.
Note: When upgrading to Retina 5.0, existing assessment configurations that have a
previous version of eEye Retina selected must be recreated and the new version
selected. Simply editing the assessment configuration or using the copy existing
function is not recommended.
ScanAlert Connector Configurations
► To add a ScanAlert connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select ScanAlert from the drop-down list. The ScanAlert Connector Configuration screen appears.
3. Enter the requested information. For details about the options displayed, please refer to your ScanAlert documentation.
4. To save your settings, click Submit.
WinReg Connector Configurations
Note: If a Linux/Unix host is running SAMBA, the WinReg scanner will think it is a Windows host and attempt to run a complete scan against it. Note that the purpose of running SAMBA is to make other Windows boxes think the Linux box is also a Windows box, and allow it to share in Windows file system type activities.
► To add a WinReg connector configuration
1. From the Preventsys menu, select Assessments > Connector Configurations.
2. Select the Add New Configurations tab, then select WinReg from the drop-down list. The WinReg Connector Configuration screen appears.
3. Enter the requested information.
   • Authentication (Username and Password): Enter the usernames and passwords for the local and domain administrator accounts you want used. When the Windows Registry scanner attempts to acquire a registry key from a target, it will present the credentials from each of the accounts you specified, in addition to the account specified at WSM install time. If no accounts are specified, WinReg will only attempt to acquire the remote keys with the credentials specified at WSM install time.
   • Registry Keys to Acquire: Enter the specific registry keys that you want tested. Each Registry key must be entered on a separate line. For example, to test two registry keys, simply enter the first key into the text box, press Enter, then enter the second key on the next line. Note that wildcard entries for registration keys can return large amounts of data that might slow down or exhaust the memory of the Assessment Server and Management Server.
   • Registry Key Wildcards: The following wildcard entries may be used when entering registration keys:
     * An asterisk alone at the end of a key entry will return all values under the specified key but will not recurse subkeys. For example, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\* will return all values under CurrentVersion but will not recurse into subkeys like Credentials.
     ** A pair of asterisks at the end of a key will return all values under the specified key and will recurse into subkeys. Note that this wildcard can return LARGE amounts of data.
     * Asterisks are also supported as intermediate keys. For example, HKEY_USERS\*\Environment\TEMP will return the TEMP directory setting for each user registered on the scanned machine.
     Additionally, since \ is a legal character in a value name, if you wish to read the value data of a value named test\val under registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft, you must escape the \ by doubling it. For example, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\test\\val
   Note: Assessments that utilize the Preventsys Remote Windows Registry Scanner v1.0 without specifying Registry keys will still acquire the OSDetect data described previously. This data may be utilized by the Registry-specific rules described later in this section.
4. To save your settings, click Submit.
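Key entries with recursive wildcards are the ones most likely to exhaust memory on the Assessment Server, so it pays to review the key list before submitting it. The following Python parser is an added example, not Preventsys code; it applies the one-key-per-line, wildcard and backslash-escaping rules described in step 3 to a constructed sample list and flags recursive entries.

```python
r"""Parse the "Registry Keys to Acquire" list of a WinReg connector configuration.

Added example, not Preventsys code. It applies the rules in this section: one key per
line; a trailing \* returns the values under a key without recursing; a trailing \**
recurses into subkeys (potentially LARGE output); * may appear as an intermediate key;
a literal backslash inside a value name is written as \\. Recursive entries are flagged
so they can be reviewed before they exhaust memory on the servers.
"""
from dataclasses import dataclass
from typing import List, Tuple

HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CURRENT_USER",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}


@dataclass
class KeyEntry:
    hive: str
    path: List[str]   # key/value components; "*" marks an intermediate wildcard
    mode: str         # "key", "values" (trailing \*) or "recursive" (trailing \**)
    intermediate_wildcards: int = 0


def split_escaped(entry: str) -> List[str]:
    """Split on single backslashes; a doubled backslash is a literal one inside a name."""
    parts, current, i = [], "", 0
    while i < len(entry):
        if entry[i] == "\\":
            if i + 1 < len(entry) and entry[i + 1] == "\\":
                current += "\\"        # escaped backslash, part of the name
                i += 2
                continue
            parts.append(current)      # unescaped backslash, component boundary
            current = ""
        else:
            current += entry[i]
        i += 1
    parts.append(current)
    return parts


def parse_key_entry(entry: str) -> KeyEntry:
    """Parse one line of the key list into a KeyEntry; raises ValueError on malformed input."""
    parts = split_escaped(entry.strip())
    if len(parts) < 2 or parts[0] not in HIVES:
        raise ValueError(f"entry must start with a known hive and a key: {entry!r}")
    mode = "key"
    if parts[-1] == "**":
        mode, parts = "recursive", parts[:-1]
    elif parts[-1] == "*":
        mode, parts = "values", parts[:-1]
    path = parts[1:]
    if any(p == "" for p in path):
        raise ValueError(f"empty key component in {entry!r}")
    return KeyEntry(parts[0], path, mode, intermediate_wildcards=path.count("*"))


def parse_key_list(text: str) -> Tuple[List[KeyEntry], List[str]]:
    """Parse the text box contents (one key per line); returns (entries, warnings)."""
    entries, warnings = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_key_entry(line)
        entries.append(entry)
        if entry.mode == "recursive":
            warnings.append(f"{line.strip()}: recursive wildcard can return LARGE amounts of data")
    return entries, warnings


# Constructed sample input, as typed into the text box (one key per line).
SAMPLE_KEYS = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\*
HKEY_USERS\*\Environment\TEMP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\test\\val
HKEY_LOCAL_MACHINE\SOFTWARE\**
"""

if __name__ == "__main__":
    entries, warnings = parse_key_list(SAMPLE_KEYS)
    for entry in entries:
        print(entry)
    print(warnings)
```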
Windows-Based Rules
The following standard, Windows-specific rules may be used to interface with
WinReg:
Minimum Password Length Rule
• Rule Name: Win_Reg_Prohibited_Software--Template
• Rule Description: All Windows registry keys that represent specific applications found in this rule will trigger a violation. By default, keys for Kazaa, AIM, and MSN Messenger are provided.
• This is a template rule. To use this rule, the XML element <prohibited_software> should be configured with the registry keys of software applications that are prohibited by corporate policy.

Require Alpha-Numeric Passwords Rule
• Rule Name: Win_Reg_Ctrl_Alt_Del_Logon
• Rule Description: Pressing CTRL-ALT-DEL to get to the initial logon screen is required on Windows 2000 and Windows XP hosts.

Automatic Logon to Windows Rule
• Rule Name: Win_Reg_Auto_Logon
• Rule Description: Automatic Logon is allowed on this host.
• This rule checks to see if automatic logon to the Windows machine occurs. It reports a violation if it does.

Windows Last Logon Rule
• Rule Name: Win_Reg_Last_Logon
• Rule Description: This host shows the previous user that logged on.
• This rule checks to see if the last username that logged into the system is displayed whenever someone logs in. It reports a violation if it does.

Logon Banner Rule
• Rule Name: Win_Reg_Logon_Banner-Template
• Rule Description: All Windows Logon Banners must conform to a company banner.
Appendix C
Assessment Import Configurations
Externally gathered assessment data can be imported into Preventsys using the
assessment import functionality. See Importing External Assessment Data (on page
151) for details. This section presents information about the assessment tools
supported by Preventsys and how you import data from each of them. See
Understanding Import Sources and Types (on page 151) for details about the
differences between file and scan imports.
File Imports
This section presents the different types of import screens displayed for file imports. See Understanding Import Sources and Types (on page 151) for details about file-source imports.
Preventsys XML
► To import a Preventsys XML file
1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select Preventsys XML. The Preventsys File Import screen appears.
6. Enter the path of the XML file you want to import.
7. To import the file, click Submit.
Generic XML
► To import a Generic XML file
1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select Generic XML. The Generic File Import screen appears.
6. Enter the path of the XML file you want to import.
7. Enter the path of the XSL transform you want used.
8. To import the file, click Submit.
AppDetective XML
► To import an AppDetective XML file
1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
334
McAfee Preventsys Risk Analyzer and Compliance Auditor
5
Assessment Import Configurations
On the Type drop-down list, select either AppDetective XML (Single
Application) or AppDetective XML (Single Session). The associated
AppDetective File Import screen appears.
Figure 64: AppDetective XML (Single Application) File Import
Figure 65: AppDetective XML (Single Session) File Import
6
Enter the path of the file you want to import.
7
To import the file, click Submit.
AppScan XML
To import an AppScan XML file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select either AppScan 5 XML or AppScan 6 XML. The associated AppScan File Import screen appears.
   Figure 66: AppScan 6 XML File Import
   Figure 67: AppScan 5 XML File Import
6. Enter the path of the file you want to import.
7. To import the file, click Submit.
FoundScan XML
To import a FoundScan XML file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select FoundScan Risk Data XML or FoundScan Risk & Host Data XMLs. The associated FoundScan File Import screen appears.
   Figure 68: FoundScan Risk Data XML File Import
   Figure 69: FoundScan Host Data and Risk Data XML File Import
6. Enter the path of the risk data file, or of the risk and host data results files, you want to import.
7. To import the file, click Submit.
MBSA XML
To import an MBSA XML file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select MBSA XML/Zip. The MBSA XML/Zip File Import screen appears.
6. Enter the path of the file you want to import.
7. If you want to import a zip file, you must also enter the password for the zip file.
8. To import the file, click Submit.
nCircle XML
To import an nCircle XML file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select nCircle XML. The nCircle File Import screen appears.
6. Enter the path of the file you want to import.
7. To import the file, click Submit.
Nessus XML
To import a Nessus XML or NSR file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select Nessus XML or Nessus NSR. The associated Nessus File Import screen appears.
   Figure 70: Nessus XML File Import
   Figure 71: Nessus NSR File Import
6. Enter the path of the file you want to import.
7. To import the file, click Submit.
NeXpose XML
To import a NeXpose XML file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select NeXpose XML. The NeXpose File Import screen appears.
6. Enter the path of the file you want to import.
7. To import the file, click Submit.
NGSSquirreL for Oracle XML
To import an NGSSquirreL for Oracle XML file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select NGSSquirreL for Oracle XML. The NGSSquirreL for Oracle File Import screen appears.
6. Enter the path of the file you want to import.
7. To import the file, click Submit.
NGSSquirreL for SQL Server XML
To import an NGSSquirreL for SQL Server XML file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select NGSSquirreL for SQL Server XML. The NGSSquirreL for SQL Server File Import screen appears.
6. Enter the path of the file you want to import.
7. To import the file, click Submit.
Nmap XML
To import an Nmap XML file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select Nmap XML. The Nmap File Import screen appears.
6. Enter the path of the file you want to import.
7. To import the file, click Submit.
QualysGuard XML
To import a QualysGuard XML file

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select File.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select QualysGuard XML. The QualysGuard File Import screen appears.
6. Enter the path of the file you want to import.
7. To import the file, click Submit.
Scan Imports
This section presents the different types of import screens displayed for scan
imports. See Understanding Import Sources and Types (on page 151) for details
about scan imports.
AlterPoint
To import an AlterPoint scan

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select Scan.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select AlterPoint. The AlterPoint File Import screen appears.
6. Select the scan you want to import.
7. Optionally, the results may also be filtered based on Device Type and Vendor, which will limit the results to those matching the criteria defined in these two lists.
8. To import the scan, click Submit.
AppDetective
To import an AppDetective scan

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select Scan.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select AppDetective. The AppDetective File Import screen appears.
6. Select the scan you want to import.
7. To import the scan, click Submit.
Configuresoft
To import a Configuresoft scan

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select Scan.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select Configuresoft. The Configuresoft File Import screen appears.
6. Select the scan you want to import.
7. To import the scan, click Submit.

Note: The Configuresoft scan import will fail if there is no overlap between the Template Set and the Machine Group selections made on the Connector Configuration screen. The message “Start Scan Failed” will be displayed if the connector cannot find results with both the Template Set and Machine Group. The user responsible for the Configuresoft scanner should know these combinations. You can also look at the Configuresoft Scan Import screen to see a list of results with Template Sets and Machine Groups that overlap.
FoundScan
To import a FoundScan scan

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select Scan.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select FoundScan. The FoundScan File Import screen appears.
6. Select the scan you want to import.
7. To import the scan, click Submit.
ISS SiteProtector
To import a SiteProtector scan

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select Scan.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select SiteProtector. The SiteProtector File Import screen appears.
6. Select the scan you want to import, or enter the SiteProtector Job ID or the Internet Scanner Job ID and Sensor Name for the scan you want to import.
7. To import the scan, click Submit.
QualysGuard
To import a QualysGuard scan

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select Scan.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select QualysGuard. The QualysGuard File Import screen appears.
6. Select the scan you want to import.
7. To import the scan, click Submit.
Retina
To import a Retina scan

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select Scan.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select Retina. The Retina File Import screen appears.
6. Select the scan you want to import.
7. To import the scan, click Submit.
ScanAlert
To import a ScanAlert scan

1. From the Preventsys menu, select Assessments > Assessment Configurations, then click Import under the Functions column for the assessment configuration into which you want your file imported. The Import Assessment Data screen appears.
2. On the Import to Assessment Configuration drop-down list, select the assessment configuration you want to use for the import. The assessment configuration you selected on the previous screen is pre-selected for you.
3. On the Source drop-down list, select Scan.
4. Enter an override date and select Merge with Latest Data if desired. See Specifying an Override Date (on page 154) and How Imported Data is Merged and Analyzed (on page 155) for details.
5. On the Type drop-down list, select ScanAlert. The ScanAlert File Import screen appears.
6. Select the scan you want to import.
7. To import the scan, click Submit.
Appendix D
Sample XML/Schema for Asset and Network Import
This section presents sample XML and schema for asset and network import data.
Sample XML for Network Data Imports
<?xml version="1.0" encoding="UTF-8"?>
<network_data error_policy="ignore">
  <network name="netNUM" type="STATIC" financial_impact="2" operational_impact="205">
    <IPs>
      <IP>10.5.1.2</IP>
      <IP>10.1.1.1-10.1.1.2</IP>
    </IPs>
    <child_networks>
      <child_network>netNum2</child_network>
      <child_network>netNum3</child_network>
    </child_networks>
    <netgroups>
      <netgroup>netgroupA</netgroup>
    </netgroups>
    <usergroups>
      <usergroup>groupA</usergroup>
    </usergroups>
  </network>
  <network operation="update" name="netNUM2" type="DYNAMIC" financial_impact="2" operational_impact="205">
    <usergroups>
      <usergroup>groupB</usergroup>
      <usergroup>groupC</usergroup>
    </usergroups>
  </network>
  <network operation="delete" name="netNUM3"/>
</network_data>
Sample XML for Asset Data Imports
<asset_data error_policy="ignore">
  <asset name="host1" unique_id="10.0.0.1" os="linux" IP="10.0.0.1" description="this is a demo asset" financial_impact="1000" operational_impact="2000">
    <host_properties>
      <host_property>host_prop1</host_property>
      <host_property>host_prop2</host_property>
    </host_properties>
  </asset>
  <asset name="host2" unique_id="10.0.0.2" os="windows" IP="10.0.0.2" description="this is another demo asset" financial_impact="2000" operational_impact="3000">
    <host_properties>
      <host_property>host_prop1</host_property>
    </host_properties>
  </asset>
</asset_data>
Schema Document for Network Data Imports
<?xml version="1.0" encoding="UTF-8"?>
<!--W3C Schema generated by XML Spy v4.4 U (http://www.xmlspy.com)-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
  <xs:element name="child_network" type="xs:string"/>
  <xs:complexType name="child_networksType">
    <xs:sequence>
      <xs:element ref="child_network" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="IP" type="xs:string"/>
  <xs:complexType name="IPsType">
    <xs:sequence>
      <xs:element ref="IP" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="netgroup" type="xs:string"/>
  <xs:complexType name="netgroupsType">
    <xs:sequence>
      <xs:element ref="netgroup" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="networkType">
    <xs:sequence>
      <xs:element name="IPs" type="IPsType" minOccurs="0" maxOccurs="1"/>
      <xs:element name="child_networks" type="child_networksType" minOccurs="0" maxOccurs="1"/>
      <xs:element name="netgroups" type="netgroupsType" minOccurs="0" maxOccurs="1"/>
      <xs:element name="usergroups" type="usergroupsType" minOccurs="0" maxOccurs="1"/>
    </xs:sequence>
    <xs:attribute name="operation">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="replace"/>
          <xs:enumeration value="update"/>
          <xs:enumeration value="delete"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="id" type="xs:long"/>
    <xs:attribute name="name" type="xs:string" use="required"/>
    <xs:attribute name="type">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="DYNAMIC"/>
          <xs:enumeration value="STATIC"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="financial_impact" type="xs:double"/>
    <xs:attribute name="operational_impact" type="xs:double"/>
  </xs:complexType>
  <xs:element name="network_data">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="network" type="networkType" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="error_policy" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="ignore"/>
            <xs:enumeration value="test"/>
            <xs:enumeration value="fail"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="default_operation">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="delete"/>
            <xs:enumeration value="replace"/>
            <xs:enumeration value="update"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
    </xs:complexType>
  </xs:element>
  <xs:element name="usergroup" type="xs:string"/>
  <xs:complexType name="usergroupsType">
    <xs:sequence>
      <xs:element ref="usergroup" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>
Schema Document for Asset Data Imports
<?xml version="1.0" encoding="UTF-8"?>
<!--W3C Schema generated by XML Spy v4.4 U (http://www.xmlspy.com)-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
  <xs:element name="host_property" type="xs:string"/>
  <xs:complexType name="host_propertyiesType">
    <xs:sequence>
      <xs:element ref="host_property" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="assetType">
    <xs:sequence>
      <xs:element name="host_properties" type="host_propertyiesType" minOccurs="0" maxOccurs="1"/>
    </xs:sequence>
    <xs:attribute name="operation">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="replace"/>
          <xs:enumeration value="update"/>
          <xs:enumeration value="delete"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="id" type="xs:long"/>
    <xs:attribute name="name" type="xs:string" use="required"/>
    <xs:attribute name="unique_id" type="xs:string" use="required"/>
    <xs:attribute name="os" type="xs:string" use="required"/>
    <xs:attribute name="IP" type="xs:string" use="required"/>
    <xs:attribute name="description" type="xs:string"/>
    <xs:attribute name="financial_impact" type="xs:double"/>
    <xs:attribute name="operational_impact" type="xs:double"/>
  </xs:complexType>
  <xs:element name="asset_data">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="asset" type="assetType" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="error_policy" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="ignore"/>
            <xs:enumeration value="test"/>
            <xs:enumeration value="fail"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="default_operation">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="delete"/>
            <xs:enumeration value="update"/>
            <xs:enumeration value="replace"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
    </xs:complexType>
  </xs:element>
</xs:schema>
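The two schemas above pin down the required attributes and the enumerated values, but they type every <IP> entry as a plain xs:string, so a malformed address or an inverted range reaches the importer unchecked. The following pre-flight checker is an added example, not code from the product guide or from McAfee: it re-implements the schema constraints for both network_data and asset_data documents with the Python standard library only, adds the IPv4 address and range check, and enforces the one cardinality rule that is easy to miss (usergroupsType leaves minOccurs at its default of 1, so an empty <usergroups/> is invalid). The sample document at the bottom is constructed for the demonstration and is not from the guide.

```python
"""Pre-flight checker for Preventsys network_data and asset_data import files.

Added example (not part of the product). It mirrors the constraints visible in
the schema documents: required attributes, enumerated values, numeric impact
attributes, plus an IPv4 address/range check the schema cannot express.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Enumerations copied from the schema documents.
ERROR_POLICIES = {"ignore", "test", "fail"}
OPERATIONS = {"replace", "update", "delete"}
NETWORK_TYPES = {"DYNAMIC", "STATIC"}

# Root element -> (repeated child element, attributes the schema marks use="required").
ROOTS = {
    "network_data": ("network", ("name",)),
    "asset_data": ("asset", ("name", "unique_id", "os", "IP")),
}


def _check_enum(problems, where, attr, value, allowed):
    if value is not None and value not in allowed:
        problems.append(f"{where}: {attr}={value!r} not in {sorted(allowed)}")


def _check_double(problems, where, attr, value):
    if value is None:
        return
    try:
        float(value)
    except ValueError:
        problems.append(f"{where}: {attr}={value!r} is not a number")


def check_ip_entry(text):
    """Return None for a single IPv4 address or an ascending a-b range,
    otherwise a description of the defect."""
    parts = [p.strip() for p in text.split("-")]
    try:
        addrs = [ipaddress.IPv4Address(p) for p in parts]
    except ipaddress.AddressValueError:
        return f"{text!r} is not an IPv4 address or a-b range"
    if len(addrs) == 1:
        return None
    if len(addrs) != 2:
        return f"{text!r} contains more than one '-'"
    if addrs[0] > addrs[1]:
        return f"{text!r} range starts above its end"
    return None


def validate_import(xml_text):
    """Return a list of problem strings for an import document (empty means clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag not in ROOTS:
        return [f"unexpected root element <{root.tag}>"]
    child_tag, required = ROOTS[root.tag]
    problems = []
    here = f"<{root.tag}>"
    policy = root.get("error_policy")
    if policy is None:
        problems.append(f"{here}: error_policy attribute is required")
    _check_enum(problems, here, "error_policy", policy, ERROR_POLICIES)
    _check_enum(problems, here, "default_operation", root.get("default_operation"), OPERATIONS)

    for i, item in enumerate(root):
        where = f"<{item.tag}>[{i}]"
        if item.tag != child_tag:
            problems.append(f"{where}: only <{child_tag}> elements are allowed here")
            continue
        for attr in required:
            if item.get(attr) is None:
                problems.append(f"{where}: missing required attribute {attr}")
        _check_enum(problems, where, "operation", item.get("operation"), OPERATIONS)
        for attr in ("financial_impact", "operational_impact"):
            _check_double(problems, where, attr, item.get(attr))
        if root.tag == "network_data":
            _check_enum(problems, where, "type", item.get("type"), NETWORK_TYPES)
            for ip in item.iter("IP"):
                err = check_ip_entry(ip.text or "")
                if err:
                    problems.append(f"{where}: {err}")
            # usergroupsType keeps minOccurs at its default of 1, so an empty
            # <usergroups/> would be rejected by the schema as well.
            for groups in item.iter("usergroups"):
                if groups.find("usergroup") is None:
                    problems.append(f"{where}: <usergroups> needs at least one <usergroup>")
    return problems


# Constructed sample (not from the guide): one clean, one faulty and one delete entry.
SAMPLE_NETWORK_XML = """\
<network_data error_policy="test">
  <network name="lab" type="STATIC" financial_impact="2" operational_impact="205">
    <IPs><IP>10.5.1.2</IP><IP>10.1.1.1-10.1.1.2</IP></IPs>
  </network>
  <network operation="update" name="dmz" type="dynamic">
    <IPs><IP>10.1.1.9-10.1.1.1</IP><IP>10.1.1.300</IP></IPs>
    <usergroups/>
  </network>
  <network operation="delete" name="old"/>
</network_data>
"""

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NETWORK_XML
    for line in validate_import(source) or ["no problems found"]:
        print(line)
```

Run it with the path of an import file as its only argument; without an argument it checks the constructed sample, which reports four defects on the second network entry (a lower-case type, an inverted range, an out-of-range octet and an empty usergroups element) and none on the other two.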
Appendix E
Database Backup Guidelines
This section provides instructions that are meant to serve as general guidelines about
how the Preventsys database can be backed up. If the Preventsys database is
located on a database server that is used for other applications, then it can be
included in that server's backup schedule if the frequency of backups is acceptable.
These instructions are not meant to replace existing corporate backup strategies and
should be viewed as supplemental information pertaining only to Preventsys. Please
note that the commands listed below are to create full logical backups of the
Preventsys database. Consult the official documentation for each database for
information about doing a physical file-based backup.
Backup
The following command backs up the Preventsys database:

pg_dump -U <username> -h <ip-address> -f <backup-filename.sql> <databasename>

For example:

pg_dump -U preventsys -h 192.168.0.10 -f compliance.sql preventsys

Restore
The following command restores the Preventsys database:

psql -U <username> -h <ip-address> -f <backup-filename.sql> <databasename>

For example:

psql -U preventsys -h 192.168.0.10 -f compliance.sql preventsys

Please note that, prior to restoring, it may be necessary to drop and recreate the database if it already has tables and data in it. Use extreme caution when dropping a database, and ensure that you have a current backup.
Run these commands to drop and create the database:

psql -U <username> -h <ip-address> template1
drop database <databasename>;
create database <databasename>;
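A logical dump produced by the command above contains every row of the assessment database, so the file deserves the same handling as the database itself. The script below is an added example, not part of the guide or of the product; it wraps the guide's pg_dump and psql invocations so that the password never appears on a command line (libpq reads it from the ~/.pgpass file named by PGPASSFILE), the dump file is created owner-readable only before pg_dump writes into it, and the result is checked for pg_dump's header and recorded with a SHA-256 digest that can be verified before a restore. It assumes the PostgreSQL client tools are on PATH; the host, user and database names are the ones from the guide's example.

```python
"""Backup helper around the guide's pg_dump / psql commands (added example)."""
import datetime
import hashlib
import os
import subprocess

# First comment line pg_dump writes in plain (SQL) format.
DUMP_HEADER = b"PostgreSQL database dump"


def dump_filename(dbname, when=None):
    """Timestamped name so successive backups never overwrite each other."""
    when = when or datetime.datetime.now()
    return f"{dbname}-{when:%Y%m%d-%H%M%S}.sql"


def build_dump_argv(user, host, dbname, outfile):
    """The guide's pg_dump command as an argv list: no shell, so no quoting
    problems, and no password argument (libpq takes it from ~/.pgpass)."""
    return ["pg_dump", "-U", user, "-h", host, "-f", outfile, dbname]


def build_restore_argv(user, host, dbname, infile):
    """The guide's psql restore command in the same argv form."""
    return ["psql", "-U", user, "-h", host, "-f", infile, dbname]


def check_dump_bytes(data):
    """Return None if data looks like a plain-format pg_dump, else a reason."""
    if not data.strip():
        return "dump is empty"
    if DUMP_HEADER not in data[:200]:
        return "dump does not start with the pg_dump header"
    return None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def run_backup(user, host, dbname, directory="."):
    """Dump the database into a 0600 file, verify it and write <file>.sha256."""
    outfile = os.path.join(directory, dump_filename(dbname))
    # Create the file ourselves with owner-only permissions; pg_dump -f then
    # truncates and writes it without changing the mode.
    os.close(os.open(outfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    env = dict(os.environ, PGPASSFILE=os.path.expanduser("~/.pgpass"))
    subprocess.run(build_dump_argv(user, host, dbname, outfile), check=True, env=env)
    with open(outfile, "rb") as fh:
        data = fh.read()
    reason = check_dump_bytes(data)
    if reason:
        raise RuntimeError(f"{outfile}: {reason}")
    digest = sha256_hex(data)
    with open(outfile + ".sha256", "w", encoding="ascii") as fh:
        fh.write(f"{digest}  {os.path.basename(outfile)}\n")
    return outfile, digest


def verify_backup(path):
    """Recompute the digest of a dump and compare it with its .sha256 record."""
    with open(path, "rb") as fh:
        data = fh.read()
    with open(path + ".sha256", encoding="ascii") as fh:
        recorded = fh.read().split()[0]
    return check_dump_bytes(data) is None and sha256_hex(data) == recorded


if __name__ == "__main__":
    # Values from the guide's example; the host and user are placeholders for your site.
    path, digest = run_backup("preventsys", "192.168.0.10", "preventsys")
    print(path, digest, verify_backup(path))
```

Run verify_backup() on the dump before feeding it to the restore command; a digest mismatch means the file changed between backup and restore and should not be loaded.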
Appendix F
Policy Library Module Installation
These instructions will guide you through installing a policy library module. You will
need to do this when you want to install or upgrade policy content in the Threat
Policy or the Regulatory Policy modules.
The individual conducting the installation should be familiar with basic UNIX
administration commands.
Read these instructions in their entirety before installing these modules.
To install a policy library module

1. Copy the Policy Module RPM to the Management Server (ESM Server) via SCP or some other means.
2. Enter the following command to log on to the Management Server (ESM Server) as root:
   ssh root@<ip address>
3. Enter the following command to shut down the Management Server (ESM Server):
   service esm stop
4. Enter the following command to install the RPM as root:
   rpm -Uvh <policy_loader file>
5. Enter the following command to start the Management Server (ESM Server):
   service esm start
6. Log on to the Preventsys Administrative Client using your web browser.
7. From the Preventsys menu, select Policies > Import Preventsys Policies. Follow the instructions on the screen to install the package.
8. Repeat these steps for the next RPM.

Note: You cannot install two different policy loader RPMs in Step 3, then perform steps 4 and 5. You must complete steps 1-5 sequentially for each policy module you want to install.
Glossary of Terms
A
Administrative Client
The Administrative Client is a browser-based client which serves as the user's
interface to the Management Server. This client is responsible for allowing users to
perform user management, assessment, and system configuration tasks, as well as
report navigation and remediation functions.
Assessment
The process of scanning a network group to gather policy violations and vulnerability
information.
Assessment Server
The server (or cluster of servers) which hosts the actual scanners. The scanners are
configured by the Management Server through an administrative interface presented
to the administrator resulting in ASCP sessions describing scanner configuration
parameters.
Assessment Server Control Protocol (ASCP)
Protocol used to facilitate Assessment Server communication.
Asset
A specific workstation, server, router, switch, or other type of machine on the
assessed network.
C
Certificate Revocation List (CRL)
A list of all revoked certificates, including the dates of issue, the entities that issued
them, and the reasons for revocation.
D
Demilitarized Zone (DMZ)
A computer host or small network inserted as a buffer between a private network
and the outside public network to prevent outside users from gaining direct access
to resources on the private network.
Discovery Server
The Discovery Server facilitates communication between components. It holds the
IP address, port, component type, and certificate's Distinguished Name (DN) for each
component, as well as the list of supported scan modules for each Assessment
Server. The Discovery Server also stores the Certificate Revocation List (CRL).
Distinguished Name (DN)
A section of an X509 certificate that describes the certificate's purpose and issuer.
Domain Name System (DNS)
A distributed database that manages the mapping of host names to numerical IP
addresses.
Dynamic Host Configuration Protocol (DHCP)
A protocol used to dynamically allocate IP addresses to computers on a local area
network.
Dynamic IP Tracker
The Dynamic IP Tracker is a Preventsys component of the Assessment Server that
resides on the same physical network segment as the machines served by a DHCP
server, when DHCP is used for host addressing. It provides consistent address
resolution so that host information can be correlated across changing IP addresses
in environments with dynamic host names and/or IP addresses (i.e., DHCP).
Dynamic Packet Filter (DPF)
The Dynamic Packet Filter (DPF) is a packet filter and application level proxy-based
firewall designed to protect the Preventsys Scanner environment from exploitation.
DPF servers are not required for minimum installation.
Dynamic Packet Filter (DPF) Rule
DPF rules can be defined to manage communications between Preventsys
components and the assessed network groups.
Dynamic Target Address Resolution Protocol (DTARP)
Protocol employed by Dynamic IP Trackers to report the correlation between IP
addresses and host identity in network environments with dynamic IP addresses.
G
Global Suffix
A suffix applied to imported PDL policies in order to distinguish them from previously
existing PDL policies with identical names.
H
Hypertext Transfer Protocol (HTTP)
A protocol used to request and transmit Web content over the Internet or other
computer networks.
Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)
An encrypted version of HTTP used for secure communications.
I
IP Address
An address used to identify hosts on a network.
IP Range
A range of IP addresses.
M
MAC Address
An address that identifies a host on a network based on its network interface card.
Maintenance Mode
The Preventsys system is put into maintenance mode during all updates and
rollbacks. When in maintenance mode only Super Users are allowed to log on.
Management Network
A non-routable private network created to protect the Discovery Server, the
Management Server, and the RDBMS from attack.
Management Server
The Management Server (formerly the Enterprise Security Management Server)
provides the administrative interface to the Preventsys software. This server is
responsible for allowing the administrator to configure target host and network
information, assessment sessions, and to review reported results of assessments.
Manual Audit Task (MAT)
A special task that must be tested and verified manually via the Administrative Client.
A fully configured MAT has a schedule and has one or more users that are assigned
to the task.
Manual Audit Task Rule
A rule that reports violations based upon a specific MAT. An MAT rule can optionally
report a violation if the MAT is not configured correctly.
Mask
See Network Mask.
N
Netmask
See Network Mask.
Network
A collection of IP-based systems (routers, switches, servers, firewalls, etc.) that are
grouped as a logical unit. For example, one network could be the Finance Network,
which would include all of the servers, routers, and systems that service the finance
department.
Network Group
A network or cluster of networks that are grouped together for assessment
configuration and analysis. Network groups must be defined prior to scheduling
assessments.
Network Mask
A string of 0s and 1s that masks the network portion of an IP address so that only
the unique host address remains.
P
Policy Definition Language (PDL)
The Policy Definition Language utilizes XSL templates to create PDL rules that
identify specific policy violations and vulnerabilities via assessment analysis.
Port
A logical connection place that allows for the communication of Internet services.
Protocol
A specification describing how computers communicate on a network.
R
Registry Key
A Registry is a database used by the Windows operating system (Windows 95 and
NT) to store configuration information. The Registry Keys are contained in this
database. Each Key may have one or more Registry Values associated with it. Each
key may also have an Unnamed Value associated with it.
Registry Value
Entries associated with a Registry Key, each consisting of Name/Type/Data. To
access this data, the registry key is entered in the form
key[\key_n…]\registry_value_name
Relational Database Management System (RDBMS)
The Relational Database Management System (RDBMS) stores Preventsys
configuration data and scan results in both raw and analyzed formats.
S
Scan Module
Scanning software utilized by Assessment Servers when assessing network groups.
Service
A network application associated with a specific port.
Static IP
A scheme for IP addressing which associates a unique and unchanging IP address
with every host on the network.
Super User Group
A group that grants access to all Preventsys System functions.
U
Unique ID
A unique host identifier that represents either a static IP address or a MAC address
in DHCP systems.
Unnamed Value
An entry associated with a Registry Key, consisting of Name/Type/Data but carrying
no name. To access this data, the registry key is entered in the form key[\key_n…]\
(with a trailing backslash and no value name), which returns the Unnamed Value
associated with key_n.
V
Virtual LAN (VLAN)
A group of devices on one or more LANs that are configured (using management
software) so that they can communicate as if they were attached to the same wire,
when in fact they are located on a number of different LAN segments. Because
VLANs are based on logical instead of physical connections, they are extremely
flexible.
Vulnerability
A bug or flaw in software or hardware that could compromise network security.
Index
A
About Automated Patching................................... 193
About Due Date and Criticality.............................. 170
About FoundScan Certificates .............................. 298
About Maintenance Mode .................................... 286
About Managed Tables......................................... 107
About Partial Results ............................................ 151
About Passwords.................................................... 59
About Preventsys System Components................. 13
About Priority ........................................................ 170
About Resources and Permission .......................... 43
About Rogue Tables ............................................. 107
About Severity ...................................................... 170
About the Remediation Lifecycle and Workflows . 63, 129, 162, 165
About the Super User Group and Preventsys User . 11, 24, 38, 40, 41
Accessing the Preventsys Administrative Client ... 11, 23
Activating and Deactivating an Enterprise Group . 236
Add Host................................................................. 67
Add Host Property .................................................. 71
Add Network........................................................... 84
Add Network Group........................................ 89, 131
Add Network Property ............................................ 87
Add Remediation System ..................................... 186
Add Service............................................................. 76
Add User................................................................. 59
Add/Edit Recipient Groups.................................... 212
Add/Edit Task........................................................ 206
Adding a Connector Configuration........ 131, 158, 313
Adding a Host Property........................................... 71
Adding a Manual Audit Task ................................. 206
Adding a Network ................................................... 84
Adding a Network Group ................................ 89, 158
Adding a Network Property .................................... 87
Adding a Recipient Group ..................................... 211
Adding a Service ..................................................... 76
Adding an Assessment Configuration .......... 134, 158
Adding an Assessment Schedule ................. 138, 158
Adding an Asset ...................................................... 67
Adding an Exclusion List......................................... 78
Adding an External Patch Management System ... 199
Adding an External Remediation System ............. 186
Adding an External Remediation User .......... 189, 191
Adding and Removing Users from Groups ............. 56
Adding Assessment Servers .................................. 31
Adding Custom NAA Rules .......................... 322, 323
Adding Groups ........................................................ 55
Adding Instance Configurations...................... 35, 158
Adding Local User Accounts................................... 59
Adding Remote User Accounts .............................. 60
Additional Import Setup Criteria ........... 154, 156, 157
Administrative Client ................................ 13, 23, 363
Administrator Overview........................................ 251
Affinity and Weight.... 30, 33, 36, 289, 290, 291, 292, 293, 295, 296, 297, 301, 303, 304, 305, 307, 308, 309, 310, 312
AlterPoint.............................................................. 346
AlterPoint Connector Configurations .................... 314
AlterPoint Instance Configurations ....................... 290
Analysis ................................................................ 147
AppDetective........................................................ 347
AppDetective Connector Configurations .............. 315
AppDetective Instance Configurations ................. 291
AppDetective XML ............................................... 334
Apply System Update........................................... 285
AppScan XML....................................................... 336
Assessment.......................................................... 363
Assessment Import Configurations...................... 332
Assessment Server .............................................. 363
Assessment Server Control Protocol (ASCP) ....... 363
Assessment Servers ........ 12, 30, 129, 131, 133, 289
Assessments and Connectors........................ 12, 128
Asset .................................................................... 363
Asset Details Standard ......................................... 259
Asset Report......................................................... 257
Assets................................................................... 106
Assets and Networks ............................... 12, 65, 129
Assets Tab............................................................ 228
Assign Remediation Tasks ........................... 169, 183
Assigning or Reassigning a Remediation Task...... 172
Assigning Remediation Tasks............................... 169
Associating an External Remediation User with a Preventsys User................................. 62, 189, 191
Audit Re-Analysis.......................................... 151, 162
AudIT Server........................................................... 13
Audits ................................................................... 133
Automatic Filtering ............................................... 108
B
Backup.................................................................. 361
Bulk Assignment .................................................. 173
C
Canceling an Assessment .................................... 144
Certificate Revocation List (CRL).......................... 363
Chronological View Report ................................... 264
Comparative Compliance Report.......................... 277
Compliance Formulas ........................................... 243
Compliance Overview Report............................... 277
Compliance Report ............................................... 277
Compliance Server ................................................. 13
Configuresoft........................................................ 348
Configuresoft Connector Configurations .............. 316
Configuresoft Instance Configurations ................. 292
Configuring Audits ................................................ 133
Configuring the Hercules Server .................. 193, 194
Configuring the Patch Management System ....... 199
Configuring the Threat Feed Manager Proxy . 26, 128
Configuring the Web Session Timeout................... 25
Configuring Your System for Policy Analysis........ 117
Configuring Your Web Browser........................ 11, 14
Connecting to an Active Directory Server ........ 38, 40
Connector Configurations ............................. 130, 313
Contacting Technical Support ................................. 10
Content Inheritance ................................................ 41
Create Audit Configuration ................................... 134
Create Audit Schedule .......................................... 138
Creating a Data Source Name .............................. 102
Creating an Assignment Rule ............................... 180
Creating an Enterprise Group ............................... 234
D
DARC Instance Configurations ............................. 293
Data Creation and Modification ...................... 92, 114
Data Matching ........................................................ 97
Data Selection....................................................... 107
Database Backup Guidelines ................................ 361
Deactivating a PDL Rule ....................................... 120
Deactivating a Policy............................................. 123
Declared versus Discovered Asset Data ................ 66
Deleting .................................................................. 93
Deleting a Connector Configuration ..................... 133
Deleting a Host Property......................................... 72
Deleting a Network................................................. 85
Deleting a Network Group ...................................... 90
Deleting a Network Property .................................. 88
Deleting a Recipient Group................................... 212
Deleting a Service................................................... 77
Deleting an Assessment Configuration ................ 136
Deleting an Assessment Schedule....................... 140
Deleting an Assessment Using the Administrative Client ................................................................ 145
Deleting an Assessment Using the Preventsys AIU ......................................................................... 145
Deleting an Asset ................................................... 69
Deleting an Assignment Rule ............................... 182
Deleting an Exclusion List ...................................... 81
Deleting an External Remediation System ........... 188
Deleting an External Remediation User................ 193
Deleting Assessment Servers ................................ 33
Deleting Assessments.................................. 144, 162
Deleting Groups...................................................... 56
Deleting Instance Configurations ........................... 37
Deleting Manual Audit Tasks ................................ 209
Deleting Published Reports .................................. 284
Deleting User Accounts.......................................... 63
Demilitarized Zone (DMZ) ..................................... 363
Details Trending.................................................... 261
Determine File Import Order ................................ 154
Direct Association............................................. 42, 89
Disabling and Enabling Assessment Servers ......... 32
Discovery Server................................................... 364
Distinguished Name (DN) ..................................... 364
Dollar Value............................................................. 65
Domain Name System (DNS) ............................... 364
Downloading an Update ....................................... 285
Dynamic Host Configuration Protocol (DHCP)...... 364
Dynamic IP Tracker............................................... 364
Dynamic Packet Filter (DPF) ................................. 364
Dynamic Packet Filter (DPF) Rule......................... 364
Dynamic Target Address Resolution Protocol (DTARP) ........................................................... 364
E
Edit Audit Configuration........................................ 136
Edit Audit Schedule .............................................. 140
Edit External Remediation System User .............. 192
Edit Host................................................................. 68
Edit Host Property .................................................. 71
Edit Network Group........................................ 90, 132
Edit Remediation System ..................................... 188
Edit Service............................................................. 76
Edit User........................................................... 62, 63
Edit/View Networks................................................ 85
Editing a Connector Configuration........................ 132
Editing a Host Property........................................... 71
Editing a Manual Audit Task ................................. 208
Editing a Network ................................................... 85
Editing a Network Group ........................................ 90
Editing a Recipient Group ..................................... 212
Editing a Service ..................................................... 76
Editing an Assessment Configuration .................. 136
Editing an Assessment Schedule ......................... 140
Editing an Asset ...................................................... 68
Editing an Assignment Rule ................................. 182
Editing an Enterprise Group.................................. 235
Editing an Exclusion List......................................... 80
Editing an External Patch Management System ... 200
Editing an External Remediation System ............. 188
Editing an External Remediation User .......... 191, 192
Editing Assessment Servers .................................. 32
Editing Groups ........................................................ 56
Editing Instance Configurations.............................. 36
Editing User Accounts ............................................ 62
Editing Your User Information .......................... 11, 63
Enterprise Group Summary Report ...................... 249
ePO Extractor Options.......................................... 108
ePO Extractor Usage Scenarios ........................... 115
Executive Summary.............................................. 245
Executive Summary Report.................................. 245
Executive Summary Reports ................................ 245
Export PDL Policy ................................................. 125
Exporting a Policy ................................................. 125
Exposure Overview Report .................................. 279
Exposure Report................................................... 279
Exposure Tab........................................................ 228
External Remediation Systems ............................ 185
External Remediation Users ................................. 185
F
Fact Indexing ........................................................ 147
File Imports........................................................... 332
Filtering Remediation Tasks ................................. 173
Filtering Reports by Asset .................................... 244
Filtering the List of All Threat Alerts ............. 221, 223
FoundScan............................................................ 349
FoundScan Connector Configurations .................. 317
FoundScan Instance Configurations ..................... 296
FoundScan XML ................................................... 337
G
Generate a Key Pair and CSR Using Java Keytool .. 21
Generate Key Pairs Using OpenSSL....................... 22
Generic XML......................................................... 333
Getting Started ....................................................... 11
Global Suffix.......................................................... 364
Group and Permission Hierarchy ............................ 42
H
Hiding and Un-hiding Assessment Statuses 144, 232
Host Properties....................................................... 65
Host Property Label ................................................ 69
Host Property Management ................................... 69
Host Property Specification ........................ 65, 69, 72
Host Reports................................................. 256, 257
How Imported Data is Merged and Analyzed...... 155, 156, 158, 332, 333, 334, 336, 337, 339, 340, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353
How Preventsys Calculates Compliance .............. 242
How Remediation Tasks Are Affected ... 63, 167, 201
How Severity Is Adjusted By Threat Alerts .......... 223
How Threat Alerts Affect Remediation Tasks ...... 222
Hypertext Transfer Protocol (HTTP)...................... 365
Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) .................................................. 365
I
Import an Existing Private Key................................ 21
Import Parameters........................................ 101, 114
Import PDL Policy ................................................. 124
Importing a File ..................................................... 160
Importing a Policy ................................................. 124
Importing a Scan................................................... 161
Importing and Exporting Custom Policies ............ 123
Importing Asset and Network Data Files.......... 12, 91
Importing Certificates ................................. 21, 22, 23
Importing ePO Asset and Network Data ........ 91, 101
Importing External Assessment Data .. 128, 129, 151, 332
Importing from the Command Line ...... 145, 153, 158
Importing from the Preventsys Administrative Client ......................................................................... 156
Importing Multiple Files .......................................... 92
Importing Using the Administrative Client.............. 97
Importing with the Import Utility .......................... 100
Initial Rule Setup................................................... 118
Installation and Configuration ............................... 310
Installing the ePO Extractor .......................... 102, 114
Installing the Hercules Web Service API .............. 197
Instance Configurations ........................................ 289
IP Address ............................................................ 365
IP Range ............................................................... 365
ISS Internet Scanner Connector Configurations ... 318
ISS Internet Scanner Instance Configurations ...... 300
ISS SiteProtector .................................................. 350
ISS SiteProtector Connector Configurations ........ 319
ISS SiteProtector Instance Configurations ........... 302
L
Latest Tasks ......................................................... 231
Local and Remote Authentication .......................... 38
M
MAC Address ....................................................... 365
Main Menu ....................................................... 26, 27
Main Tab............................................................... 226
Maintenance Mode .............................................. 365
Making an Exclusion List Global ............................. 79
Management Network ......................................... 365
Management Server............................................. 365
Managing Assessment Configurations... 80, 129, 133
Managing Assessment Schedules ............... 129, 137
Managing Assessment Servers.............................. 31
Managing Assessments ....................................... 140
Managing Assets............................................ 65, 118
Managing Connector Configurations ............ 129, 130
Managing Enterprise Groups........ 216, 224, 233, 237
Managing Exclusion Lists ....................................... 77
Managing External Patch Management Systems 147, 165, 193
Managing External Remediation Systems .. 165, 185, 191
Managing External Remediation Users ........ 188, 191
Managing Groups ............................................. 26, 41
Managing Host Properties...................................... 69
Managing Instance Configurations ......................... 33
Managing Manual Audit Task Recipient Groups .. 210
Managing Manual Audit Tasks ............................. 205
Managing Network Groups .................................... 88
Managing Network Properties................................ 86
Managing Networks ....................................... 81, 118
Managing PDL Rules ............................................ 118
Managing Policies................................................. 120
Managing Services ................................................. 72
Managing Users ..................................................... 57
Manual Audit Task (MAT) ..................................... 365
Manual Audit Task Email Notifications ................. 210
Manual Audit Task Rule........................................ 365
Manual Audit Tasks ...................................... 135, 203
Manually Entered Due Dates................................ 172
Mask..................................................................... 366
MBSA Connector Configurations ......................... 319
MBSA Instance Configurations ............................ 303
MBSA XML........................................................... 339
Modifying the Report Context Filter ..................... 241
My Tasks .............................................................. 232
N
NAA Custom Rulesets File Layout ....................... 324
NAA Default Tests................................................ 323
NAA Rule Attributes ............................................. 324
NAA Rule Flags..................................................... 325
Narrow by Host .................................................... 244
Navigating Between Reports................................ 244
Navigating Preventsys ............................................ 26
Navigating Reports ............................................... 239
nCircle XML .......................................................... 339
Nessus 3.02 and 2.2.7 Port Scanner Selection .... 321
Nessus Certificate-Based Authentication Mode... 305
Nessus Connector Configurations ........................ 320
Nessus Instance Configurations ........................... 304
Nessus XML ......................................................... 340
Netmask ............................................................... 366
Network ................................................................ 366
Network and Network Group Based Reporting Data ........................................................................... 42
Network Architecture Assessor Connector Configurations .................................................. 322
Network Architecture Assessor Instance Configurations .................................................. 306
Network Assessment ........................................... 147
Network Group ..................................................... 366
Network Group Auto-Create Option ....................... 82
Network Group Reports........................................ 252
Network Groups ..................................................... 88
Network Hierarchy.................................................. 82
Network Mask ...................................................... 366
Network Overview................................................ 255
Network Properties........................................... 82, 86
Network Report .................................................... 255
Network Reports .................................................. 255
Networks .............................................................. 106
NeXpose XML....................................................... 342
NGSSquirreL for Oracle XML................................ 342
NGSSquirreL for SQL Server XML........................ 343
Nmap Connector Configurations .......................... 326
Nmap Instance Configurations ............................. 308
Nmap XML............................................................ 344
O
Operating System Report ..................................... 264
Operating System Reports ................................... 264
Ordering Assignment Rules ................................. 182
Other Reasons Remediation Tasks Can Be Verified ......................................................................... 179
Overview .............................................. 252, 264, 273
P
P2P Assessment .................................................. 323
Pagination Controls................................................. 26
Pausing and Resuming an Assessment ............... 143
Planning For Extraction ......................................... 106
Policies and Rules................................................. 117
Policy Analysis ...................................................... 134
Policy Definition Language (PDL) ......................... 366
Policy Library Module Installation ................. 125, 362
Port ....................................................................... 366
Preventsys XML ................................................... 332
Protocol................................................................. 366
Publish .................................................................. 282
Publishing a Report............................................... 282
Publishing Reports................................................ 282
Q
QualysGuard ......................................................... 351
QualysGuard Connector Configurations ............... 327
QualysGuard Instance Configurations .................. 311
QualysGuard XML ................................................ 345
R
RDBMS Server ....................................................... 13
Re-Analyze Audit Results ..................................... 163
Re-Analyzing an Assessment's Results ............... 163
Re-Analyzing Assessment Results ............... 129, 162
Registry Key ......................................................... 366
Registry Value....................................................... 367
Relational Database Management System (RDBMS) ......................................................................... 367
Remediation Status Lifecycle ....................... 166, 185
Remediation Workflow Example .......................... 167
Remediations.......................................... 13, 165, 231
Remove Audit Configuration ................................ 136
Remove Audit Schedule ....................................... 140
Remove External Remediation System User ....... 193
Remove Host.......................................................... 69
Remove Host Property ........................................... 72
Remove Network ................................................... 85
Remove Network Group......................................... 90
Remove Network Properties .................................. 88
Remove Remediation System.............................. 188
Remove Service ..................................................... 77
Removing an External Patch Management System ......................................................................... 201
Replacing ................................................................ 92
Report Types ........................................................ 237
Reporting Errors ..................................................... 28
Reports ........................................................... 12, 237
Required and Optional Data File Elements............. 93
Restore ................................................................. 361
Retina ................................................................... 352
Retina Connector Configurations ......................... 328
Retina Instance Configurations............................. 295
Rollback System Update ...................................... 287
Rolling Back an Update......................................... 287
Running the ePO Extractor................................... 114
S
Sample XML for Asset Data Imports.................... 356
Sample XML for Network Data Imports ............... 355
Sample XML/Schema for Asset and Network Import ........................................................... 91, 101, 355
Saving a Filter ....................................................... 224
Saving as PDF......................................................... 27
Saving Filters ........................................................ 175
Saving Reports ..................................................... 282
Scan Imports ........................................................ 346
Scan Module......................................................... 367
ScanAlert .............................................................. 353
ScanAlert Connector Configurations .................... 329
ScanAlert Instance Configurations ....................... 308
Scenario A ............................................................ 115
371
McAfee Preventsys Risk Analyzer and Compliance Auditor
Index
Scenario B............................................................. 116
Schema Document for Asset Data Imports.......... 359
Schema Document for Network Data Imports ..... 357
Security Risk Dashboard................................. 12, 215
Sending a Remediation Request to the patch management system ......... 201
Sending Requests to a Patch Management System ......... 194, 201
Service .................................................................. 367
Services .................................................................. 72
Services Report .................................................... 281
Services Reports................................................... 281
Specifying an Override Date ......... 154, 156, 158, 332, 333, 334, 336, 337, 339, 340, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353
Standard................ 245, 253, 255, 258, 265, 271, 274
Static IP................................................................. 367
Super User Group ................................................. 367
Supported Command and Control Connectors.... 128, 130
Supported File Formats .......................................... 91
Supported Sources for Import ...... 151, 153, 156, 157
System Calculated Due Dates .............................. 171
System Default for the Report Context ................ 241
System Default for the Report Context Filter ....... 240
System Updates ................................................... 285
T
Table Sorting........................................................... 27
Task Aging Summary............................................ 268
Task Recipient Report........................................... 273
Task Recipient Reports......................................... 273
Task Reports......................................................... 267
Task Rollup Reports.............................................. 270
Tasks Tab.............................................................. 229
The Basics ...................................................... 11, 129
Third-Party Connector Instance Configurations .... 289
Threat Analysis ..................................................... 135
Threat Intelligence Correlation.............................. 148
Threat Lifecycle Tab.............................................. 227
Time Windows................................................ 83, 143
To access the All Threats screen.......................... 221
To access the Assessment Configuration Management screen ......... 134
To access the Assessment Schedule Management screen ......... 138
To access the Assessment Server Management screen ......... 31
To access the Assessment Status Management screen ......... 141, 162
To access the Asset Management screen ............. 67
To access the Assignment Rule Management screen 180
To access the Connector Configuration Management screen ......... 131
To access the Enterprise Groups Management screen ......... 234
To access the Exclusion List Management screen 78
To access the External Remediation Systems Management screen ......... 186
To access the External Remediation Users Management screen ......... 189
To access the Group Management screen ............ 54
To access the Host Property Management screen 70
To access the Manual Audit Task Management screen ......... 203
To access the Manual Audit Task Recipient Groups Management screen ......... 210
To access the Network Group Management screen ......... 89
To access the Network Management screen ........ 83
To access the Network Property Management screen ......... 87
To access the PDL Rules Management screen ... 119
To access the Policy Management screen........... 121
To access the Remediation Task Management screen ......... 168
To access the Services Management screen ........ 75
To access the User Management screen............... 58
To activate or deactivate an enterprise group ...... 236
To add a Configuresoft connector configuration .. 316
To add a FoundScan connector configuration ...... 317
To add a group........................................................ 55
To add a host property............................................ 71
To add a local user.................................................. 59
To add a manual audit task ................................... 206
To add a Nessus connector configuration ............ 320
To add a Network Architecture Assessor connector configuration ......... 322
To add a new connector configuration ................. 132
To add a new network............................................ 84
To add a new network group ................................. 89
To add a new network property ............................. 87
To add a QualysGuard connector configuration.... 327
To add a recipient group ....................................... 211
To add a remote user ............................................. 60
To add a Retina connector configuration .............. 328
To add a ScanAlert connector configuration......... 329
To add a service...................................................... 76
To add a WinReg connector configuration ........... 329
To add an AlterPoint connector configuration ...... 314
To add an AppDetective connector configuration 315
To add an assessment configuration.................... 135
To add an assessment server ................................ 31
To add an asset ...................................................... 67
To add an enterprise group................................... 235
To add an exclusion list .......................................... 78
To add an external remediation system ............... 187
To add an external remediation user .................... 190
To add an instance configuration............................ 35
To add an instance of a Third-Party connector ..... 290
To add an instance of AlterPoint .......................... 290
To add an instance of AppDetective .................... 291
To add an instance of Configuresoft .................... 292
To add an instance of DARC................................. 294
To add an instance of FoundScan ........................ 297
To add an instance of ISS Internet Scanner ......... 300
To add an instance of MBSA ................................ 303
To add an instance of Nmap ................................. 308
To add an instance of Nessus .............................. 304
To add an instance of Network Architecture Assessor ......... 307
To add an instance of QualysGuard ...................... 311
To add an instance of Retina ................................ 295
To add an instance of ScanAlert ........................... 308
To add an instance of SiteProtector ..................... 302
To add an instance of WinReg.............................. 310
To add an ISS Internet Scanner connector configuration ......... 318
To add an ISS SiteProtector connector configuration ......... 319
To add an MBSA connector configuration ............ 319
To add an Nmap connector configuration............. 326
To add and remove users from a group ................. 57
To add or modify an association with an external remediation user ......... 60, 191
To assign or reassign a remediation task ............. 172
To assign several tasks to the same user ............ 173
To change the criticality levels and due dates for remediation tasks ......... 171
To change the web session timeout ...................... 25
To choose a column...................................... 176, 225
To configure a certificate-based authentication Nessus account ......... 306
To configure a password-based Nessus account . 306
To configure FoundScan engines ......................... 296
To configure Microsoft Internet Explorer................ 15
To configure Mozilla Firefox.................................... 18
To connect to an active directory server ................ 39
To create a data source name .............................. 102
To create an assignment rule ............................... 181
To deactivate a policy ........................................... 123
To deactivate a rule............................................... 120
To delete a connector configuration ..................... 133
To delete a group.................................................... 56
To delete a host property........................................ 72
To delete a manual audit task ............................... 209
To delete a network................................................ 85
To delete a network group...................................... 90
To delete a network property ................................. 88
To delete a published report ................................. 284
To delete a recipient group ................................... 212
To delete a saved filter ................................. 175, 225
To delete a service.................................................. 77
To delete a user account ........................................ 63
To delete an assessment configuration................ 137
To delete an assessment server ............................ 33
To delete an assessment using the Administrative Client ......... 145
To delete an assessment using the Preventsys AIU ......... 146
To delete an assessment's schedule ................... 140
To delete an asset .................................................. 69
To delete an assignment rule ............................... 182
To delete an exclusion list ...................................... 81
To delete an external remediation system ........... 188
To delete an external remediation system user ... 193
To delete an instance configuration........................ 37
To disable/enable an assessment server................ 33
To download an update ........................................ 285
To edit a group........................................................ 56
To edit a host property ........................................... 72
To edit a local user.................................................. 62
To edit a manual audit task................................... 209
To edit a recipient group....................................... 212
To edit a remote user ............................................. 62
To edit a saved filter ..................................... 175, 224
To edit a service ..................................................... 77
To edit an assessment configuration ................... 136
To edit an assessment server ................................ 32
To edit an assessment's schedule ....................... 140
To edit an asset ...................................................... 68
To edit an assignment rule ................................... 182
To edit an enterprise group .................................. 235
To edit an Exclusion List......................................... 80
To edit an existing connector configuration ......... 133
To edit an existing network .................................... 85
To edit an existing network group .......................... 90
To edit an external remediation system ............... 188
To edit an external remediation user .................... 192
To edit an instance configuration............................ 36
To edit your user information ................................. 63
To enable anonymous access for HerculesServer 194
To ensure assets and networks are specified for property fragments ......... 118
To enter proxy settings for the Threat Feed Manager ......... 26
To export a policy to an external file..................... 125
To filter remediations............................................ 174
To filter the threat alert list ................................... 223
To generate a key pair and CSR using keytool ....... 21
To generate a key pair using OpenSSL .................. 22
To get a certificate if your FoundScan installation is using a Certificate Authority that you generated ......... 298
To get a certificate if your FoundScan installation is using the default certificates ......... 298
To hide and unhide an assessment ...................... 144
To import a Configuresoft scan ............................ 348
To import a file using the AIU............................... 160
To import a FoundScan scan ................................ 349
To import a FoundScan XML file .......................... 337
To import a Generic XML file................................ 333
To import a Nessus XML or NSR file.................... 340
To import a new policy ......................................... 124
To import a NeXpose XML file ............................. 342
To import a Preventsys XML file .......................... 332
To import a QualysGuard scan ............................. 351
To import a QualysGuard XML file ....................... 345
To import a Retina scan........................................ 352
To import a ScanAlert scan................................... 353
To import a SiteProtector scan ............................. 350
To import an AlterPoint scan ................................ 346
To import an AppDetective scan .......................... 347
To import an AppDetective XML file .................... 334
To import an AppScan XML file............................ 336
To import an asset data or network data file .......... 97
To import an existing private key............................ 21
To import an MBSA XML file................................ 339
To import an nCircle XML file ............................... 339
To import an NGSSquirrel for Oracle .................... 342
To import an NGSSquirreL for SQL Server XML file ......... 343
To import an Nmap XML file................................. 344
To import scan results using the AIU ................... 161
To install a policy library module ........................... 362
To install the AIU .................................................. 159
To install the Hercules API ................................... 197
To install the import utility .................................... 100
To log off................................................................. 24
To log on ................................................................. 24
To make an exclusion list global ............................. 79
To modify the report context filter........................ 241
To pause and resume an assessment .................. 143
To publish a report ................................................ 283
To re-analyze an assessment's results ................. 163
To rollback an update............................................ 287
To rollback updates to the policy library ............... 127
To run an assessment immediately...................... 138
To run the ePO Extractor ...................................... 114
To save a filter .............................................. 175, 224
To schedule an assessment ................................. 139
To schedule an import .................................. 152, 158
To submit an error .................................................. 29
To turn off HTTPS connections............................. 195
To update the policy library................................... 125
To update the status of a manual audit task assigned to you ......... 210
To update the status of a remediation task .......... 184
To upload and apply an update ............................. 285
To use file-based import ............................... 152, 156
To use scan-based import............................. 152, 157
To utilize authentication mode.............................. 306
To verify the Hercules API installation .................. 198
To view a policy's source document .................... 122
To view a published report ................................... 284
To view details about a policy............................... 121
To view details about a threat alert ...................... 225
To view details about an assessment .................. 142
To view patch details ............................................ 202
To view the status of an assessment reanalysis .. 164
Trending................ 246, 253, 256, 262, 266, 272, 275
U
Understanding Assessment Status ...................... 150
Understanding Import Sources and Types ......... 151, 156, 157, 332, 346
Understanding Manual Audit Task Rules and Policy Violations ......... 12, 129, 213
Understanding the Assessment Lifecycle ............ 146
Unique ID........................................................ 65, 367
Unnamed Value .................................................... 367
Update Failure....................................................... 287
Update Remediation Tasks................................... 184
Updating ................................................................. 92
Updating Manual Audit Tasks ............................... 209
Updating Remediation Tasks ................................ 183
Updating Scanner Plugins..................................... 313
Updating the Policy Library ............................. 12, 125
Updating the Status of a Manual Audit Task ........ 210
Updating the Status of a Remediation Task ......... 184
Upload System Update......................................... 285
Uploading and Applying an Update ...................... 285
Uploading Custom Rules ...................................... 326
Useful Terms ...... 30, 40, 65, 117, 128, 165, 189, 242
User Authentication.......................................... 38, 57
User Authorization ................................ 13, 38, 39, 40
Using Certificates from Third-Party CAs........... 11, 21
V
Verification of Manual Audit Task Policy Violations ......... 214
Verifying Remediation Tasks ................................ 178
Verifying Remediation Tasks with Coalesced Violations ......... 179
Verifying Remediation Tasks with Coalesced Vulnerabilities ......... 179
Version and Node Information................................ 27
View PDL Policy List............................................. 120
View PDL Rule List....................................... 120, 123
View Published Reports ............................... 283, 284
View Re-Analyze Status........................................ 164
View Status .......................................................... 150
Viewing All Threat Alerts ...................................... 221
Viewing Assessment Details................................ 141
Viewing Assets Details......................................... 230
Viewing Details about a Remediation... 176, 202, 231
Viewing Details about a Threat Alert .................... 225
Viewing Different Columns of Data...................... 175
Viewing Different Columns of Data for All Threat Alerts ......... 225
Viewing Policy Details .......................................... 121
Viewing Policy Source Documents ...................... 122
Viewing Published Reports................................... 283
Viewing Reports ................................................... 245
Viewing the Latest Threat Alerts .......................... 221
Viewing the Status of a Re-Analyzed Assessment ......... 164
Viewing the Status of an Import........................... 162
Viewing the Top Threat Alerts .............................. 221
Violation Coalescing.............................................. 185
Violation Remediation Details............................... 178
Virtual LAN (VLAN) ............................................... 367
Vulnerability .......................................................... 367
Vulnerability and Violation Coalescing ......... 128, 129, 147, 148
Vulnerability Remediation Details ......................... 177
W
Web Browser Configuration ................................... 14
Welcome to Preventsys ........................................... 9
Windows Registry Instance Configurations ......... 309
Windows-Based Rules ......................................... 331
WinReg Connector Configurations ....................... 329
Working with Assignment Rules .......................... 180
Working with the Assessment Console ............... 232
Working with the Compliance Console ................ 220
Working with the Enterprise Console................... 217
Working with the Exposure Console .................... 218
Working with the Remediation Console............... 231
Working with the Report Filter ............................. 239
Working with the Threat Console ......................... 220
DBN-PSYS060727-EN