Vulnerability Mitigation

Tenable Vulnerability Management vulnerabilities exist in one of two categories: Active or Fixed. When Tenable Vulnerability Management discovers a vulnerability on an asset, the vulnerability remains in the Active category until it is mitigated or fixed. Then, the vulnerability moves to the Fixed category.

Active Vulnerabilities

Active vulnerabilities are those that are currently present. They are vulnerabilities in the New (first discovery), Active (seen multiple times), or Resurfaced (previously fixed but currently present) states. For more information, see Vulnerability States.

Fixed Vulnerabilities

The Fixed category contains vulnerabilities that Tenable Vulnerability Management has determined are no longer present on the asset. Once a vulnerability is mitigated, its state changes from Active to Fixed.

Mitigation: Transitioning from Active to Fixed

Vulnerability mitigation is the successful verification that a vulnerability is no longer present. A vulnerability is considered mitigated when a subsequent scan targets the asset but the specific vulnerability is not found.

Tenable Vulnerability Management moves a vulnerability to the Fixed category only when three sources of evidence show that the vulnerability is no longer present: the scan definition, the scan results, and the scan's authentication information. For the transition to succeed, the vulnerability must have been Active and the scan must have authenticated successfully to verify the fix.

A vulnerability is mitigated when:

  • The vulnerability's IP address or another combination of identifying attributes (IAs) is on the scan's target list. For more information on IAs, see the Tenable Community.

  • The vulnerability's plugin ID is listed in the scan policy.

  • The vulnerability's port is on the list of scanned port ranges, and the remote port is found open.

  • A vulnerability with that combination of IP address, port, protocol, and plugin ID is not listed in the scan results.

Local, Remote and Combined Plugins

  • Local Plugins — Require a successful login. Since these plugins inspect internal files or registry keys, the scanner needs credentials to verify those specific items have been updated.

  • Remote Plugins — Generally do not require credentials. If the scanner can no longer trigger the bug over the network (e.g., the service is patched or the port is closed), it marks it as fixed.

  • Combined Check Exception — If a combined plugin originally reported a finding on Port 0 or 445, it is treated as a local finding. It will not be mitigated unless a subsequent scan authenticates successfully.

Mitigation Requirements

The following table summarizes requirements for vulnerability mitigation:

| Discovery Scenario | Detection Method | Mitigation Requirement |
|---|---|---|
| Local Check | Authenticated or credentialed scan | Must be mitigated by another successfully authenticated scan. |
| Remote Check | Unauthenticated (network) scan | Can be mitigated by any scan that confirms the remote port/service is fixed or closed. |
| Combined Check | Authenticated scan (finding reported on port 0 or 445) | Must be mitigated by another successfully authenticated scan. |
| Netstat Expansion | Plugins 14272 (SSH), 34220 (WMI), 14274 (SNMP) | Must be an authenticated scan. These plugins expand the scan to all active ports; without authentication, the scanner may skip the port where the vulnerability lives. |
| Thorough | Scan with the thorough_tests attribute | Must be mitigated by another scan with thorough_tests enabled. |
| Paranoid | Scan with requires_paranoid_scanning | Must be mitigated by another paranoid scan. |

Note: Agent scans cannot mitigate vulnerabilities discovered by a combined type plugin reported on a remote port (not 0/445).
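As an added illustration (not Tenable's own code), the four mitigation criteria, the local/remote/combined plugin rules, the table and the agent note above can be modelled as one decision predicate. The Finding and Scan shapes are constructed for the example; treating a closed port as mitigating a remote check follows the Remote Plugins bullet and the table, and applying the port criterion only to findings that are not treated as local is an assumption about how the page's rules combine.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """An Active vulnerability record (constructed shape, not Tenable's schema)."""
    ip: str
    port: int
    protocol: str
    plugin_id: int
    plugin_type: str          # "local", "remote" or "combined"
    thorough: bool = False    # originally found by a scan with thorough_tests
    paranoid: bool = False    # originally found with requires_paranoid_scanning

@dataclass
class Scan:
    """A subsequent scan: its definition, its results and whether it authenticated."""
    targets: set              # IPs (or other identifying attributes) on the target list
    policy_plugins: set       # plugin IDs enabled in the scan policy
    port_ranges: list         # inclusive (low, high) tuples of scanned ports
    open_ports: set           # remote ports the scan found open on the asset
    results: set              # (ip, port, protocol, plugin_id) tuples still reported
    authenticated: bool = False
    thorough: bool = False
    paranoid: bool = False
    agent: bool = False       # Tenable agent scan rather than a network scan

def treated_as_local(f: Finding) -> bool:
    # Local checks always need credentials; a combined check reported on port 0 or 445
    # is treated as a local finding (Combined Check Exception).
    return f.plugin_type == "local" or (f.plugin_type == "combined" and f.port in (0, 445))

def is_mitigated(f: Finding, s: Scan) -> bool:
    """True if scan s moves finding f from Active to Fixed under the rules above."""
    if f.ip not in s.targets or f.plugin_id not in s.policy_plugins:
        return False                       # asset not targeted, or plugin not in the policy
    if (f.thorough and not s.thorough) or (f.paranoid and not s.paranoid):
        return False                       # thorough/paranoid findings need the same kind of scan
    if treated_as_local(f):
        if not s.authenticated:
            return False                   # the fix can only be verified with credentials
    else:
        if not any(lo <= f.port <= hi for lo, hi in s.port_ranges):
            return False                   # port never scanned, so nothing was verified
        if f.plugin_type == "combined" and s.agent:
            return False                   # agents cannot mitigate combined checks on remote ports
        if f.port not in s.open_ports:
            return True                    # service gone: the remote check can no longer trigger
    # Finally, the same IP/port/protocol/plugin combination must be absent from the results.
    return (f.ip, f.port, f.protocol, f.plugin_id) not in s.results
```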