Vulnerability Mitigation
Tenable Vulnerability Management vulnerabilities exist in one of two categories: Active or Fixed. When Tenable Vulnerability Management discovers a vulnerability on an asset, the vulnerability remains in the Active category until it is mitigated or fixed. Then, the vulnerability moves to the Fixed category.
Active Vulnerabilities
Active vulnerabilities are any vulnerabilities in the New, Active, or Resurfaced states. For more information, see Vulnerability States.
Fixed Vulnerabilities
The Fixed category contains vulnerabilities that Tenable Vulnerability Management has determined the asset is no longer vulnerable to, based on the scan definition, the results of the scan, and authentication information. To be eligible for mitigation, a vulnerability must be in the Active category, and the scan that marks it fixed must have authenticated successfully to the asset.
A vulnerability is mitigated when all of the following are true for a subsequent scan:
- The vulnerability's IP address, or another combination of identifying attributes (IAs) that identifies the asset, is on the scan's target list. For more information on IAs, see the Tenable Community.
- The vulnerability's plugin ID is enabled in the scan policy.
- The vulnerability's port is on the scan's list of scanned ports.
- No vulnerability with that combination of IP address, port, protocol, and plugin ID appears in the scan results.
Mitigation Exceptions
Note the following exceptions for vulnerability mitigation:
- Vulnerabilities identified during a thorough scan by a plugin with the thorough_tests attribute can only be mitigated by another thorough scan.
- Vulnerabilities identified during a paranoid scan by a plugin with the requires_paranoid_scanning attribute can only be mitigated by another paranoid scan.
- Vulnerabilities discovered by a local or combined plugin and reported on port 0 or 445 by a credentialed scan can only be mitigated by another credentialed scan.
- The list of scanned ports expands to all ports when one of the following port-enumeration plugins ran successfully on the host: 14272 (SSH netstat), 34220 (WMI netstat), or 14274 (SNMP).
- Agent scans cannot mitigate vulnerabilities discovered by a combined plugin and reported on a remote port (a port other than 0 or 445).
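The mitigation conditions and the exceptions above are worth seeing as one decision procedure, because a finding that looks "gone" from a rescan is only moved to Fixed when every condition holds. The following is an added example, not Tenable's code: a simplified re-implementation of the rules on this page, run over constructed findings and a constructed follow-up scan. The plugin IDs in the sample data (900001 and up) are invented; two details are assumptions not stated on the page: port 0 is treated as "no network port" and is exempt from the scanned-port check, and whether a scan authenticated to a host is tracked per IP.

```python
"""Added illustration of the mitigation rules (not Tenable's implementation).
Assumptions not on the page: port 0 is exempt from the scanned-port check,
and authentication success is tracked per target IP."""
from dataclasses import dataclass, field, replace
from typing import Optional

# Port-enumeration plugins named on the page; success expands scanned ports to "all".
PORT_ENUM_PLUGINS = {14272, 34220, 14274}   # SSH netstat, WMI netstat, SNMP
LOCAL_PORTS = {0, 445}                      # ports used by local/combined plugins


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    protocol: str
    plugin_id: int
    plugin_type: str            # "remote", "local" or "combined"
    thorough: bool = False      # plugin carries the thorough_tests attribute
    paranoid: bool = False      # plugin carries requires_paranoid_scanning
    credentialed: bool = False  # finding came from a credentialed scan


@dataclass
class Scan:
    targets: set
    plugin_ids: set
    ports: set
    results: set = field(default_factory=set)        # (ip, port, proto, plugin) still vulnerable
    authenticated: set = field(default_factory=set)  # IPs the scan logged in to
    ran_on_host: dict = field(default_factory=dict)  # ip -> plugin IDs that triggered on it
    thorough: bool = False
    paranoid: bool = False
    agent: bool = False


def mitigation_blocker(f: Finding, s: Scan) -> Optional[str]:
    """Return None if scan `s` mitigates finding `f`, else the rule that blocks it."""
    if f.ip not in s.targets:
        return "asset not in scan targets"
    if f.plugin_id not in s.plugin_ids:
        return "plugin not in scan policy"
    all_ports = bool(PORT_ENUM_PLUGINS & s.ran_on_host.get(f.ip, set()))
    if f.port != 0 and not all_ports and f.port not in s.ports:   # port 0: assumption above
        return "port not scanned"
    if f.thorough and not s.thorough:
        return "needs another thorough scan"
    if f.paranoid and not s.paranoid:
        return "needs another paranoid scan"
    local_style = f.plugin_type in ("local", "combined") and f.port in LOCAL_PORTS
    if local_style and f.credentialed and f.ip not in s.authenticated:
        return "needs another credentialed scan"
    if s.agent and f.plugin_type == "combined" and f.port not in LOCAL_PORTS:
        return "agent scans cannot fix combined plugins on remote ports"
    if (f.ip, f.port, f.protocol, f.plugin_id) in s.results:
        return "still reported vulnerable"
    return None


def classify(findings, scan) -> dict:
    """Map each finding's plugin ID to 'Fixed' or to the rule that keeps it Active."""
    return {f.plugin_id: mitigation_blocker(f, scan) or "Fixed" for f in findings}


HOST = "10.0.0.5"
# Constructed findings from an earlier credentialed scan (plugin IDs are invented).
FINDINGS = [
    Finding(HOST, 443, "tcp", 900001, "remote"),
    Finding(HOST, 0, "tcp", 900002, "local", credentialed=True),
    Finding(HOST, 80, "tcp", 900003, "remote", thorough=True),
    Finding(HOST, 8443, "tcp", 900004, "remote"),
    Finding(HOST, 22, "tcp", 900005, "remote"),
]
# Constructed follow-up scan: unauthenticated, not thorough, only ports 22/80/443.
RESCAN = Scan(
    targets={HOST},
    plugin_ids={900001, 900002, 900003, 900004, 900005},
    ports={22, 80, 443},
    results={(HOST, 22, "tcp", 900005)},   # the SSH finding is still present
)

if __name__ == "__main__":
    for pid, status in sorted(classify(FINDINGS, RESCAN).items()):
        print(pid, status)
    # Same scan, but SSH netstat (14272) ran on the host: port list becomes "all ports".
    expanded = replace(RESCAN, ran_on_host={HOST: {14272}})
    print(900004, classify(FINDINGS, expanded)[900004])
```

Of the five constructed findings, only the remote finding on a scanned port with no matching result moves to Fixed; the local, thorough and unscanned-port findings stay Active for the reasons the exceptions list gives, and the unscanned-port finding is mitigated only once a port-enumeration plugin has run on the host.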