Vulnerability scans of Symantec applications and appliances

Article ID: 162433

Products

Protection Engine for Cloud Services, Protection for SharePoint Servers, Protection Engine for NAS, Messaging Gateway

Issue/Introduction

A vulnerability scan has been run against a Symantec application, and the scanner reported one or more Common Vulnerabilities and Exposures (CVE) entries.

Resolution

Symantec performs internal vulnerability scans of its products as part of the development and QA process, but recognizes the value of customers independently validating their organization's security posture.

To ensure that your organization is getting an accurate report, please consider the following:

  • Run vulnerability scans against the latest release with all appropriate patches applied.
  • Run vulnerability scans against the normal operating configuration of the product.
  • Run vulnerability scans with a fully updated scanner that has the most recent set of signatures.

Even when these best practices are followed, a vulnerability scan may return some CVEs or other vulnerabilities. For some products, Symantec patches vulnerabilities in libraries or protocols without updating the library or software version. This can result in false positives from vulnerability scanners that perform only an unsophisticated port and version number scan.

When contacting Symantec regarding the results of a vulnerability scan, please provide the full scan report, as well as details on the scanning software and version.
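The following is an added example, not Symantec code or part of the original article. It sorts scan findings by how the scanner detected them, so that findings inferred only from a port and version number (the kind a fix without a version change can make false) are set aside for vendor confirmation, and it checks the three scan conditions listed above. The CSV columns, detection labels, CVE ids, dates and the signature-age threshold are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names, detection labels and CVE ids are
# placeholders for illustration, not any real scanner's format or findings.
SAMPLE_REPORT = """cve,port,detection,evidence
CVE-0000-0001,443,version_banner,Banner reports library version x.y
CVE-0000-0002,22,version_banner,Banner reports service version a.b
CVE-0000-0003,443,active_check,Probe response matched vulnerable behaviour
"""


def triage(report_csv):
    """Group findings by how the scanner reached its conclusion."""
    buckets = {"confirm_with_vendor": [], "investigate_now": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["detection"] == "version_banner":
            # Inferred from port and version only: a fix applied without a
            # version change is invisible to this kind of check.
            buckets["confirm_with_vendor"].append(row["cve"])
        else:
            # The scanner observed behaviour, not just a version string.
            buckets["investigate_now"].append(row["cve"])
    return buckets


def unmet_preconditions(latest_release, normal_config, signatures_date,
                        scan_date, max_signature_age_days=7):
    """Return which of the article's three scan conditions were not met.

    max_signature_age_days is an assumed threshold; the article only asks
    for the most recent signature set.
    """
    problems = []
    if not latest_release:
        problems.append("product not on latest release with patches applied")
    if not normal_config:
        problems.append("product not in its normal operating configuration")
    if (scan_date - signatures_date).days > max_signature_age_days:
        problems.append("scanner signatures out of date")
    return problems


if __name__ == "__main__":
    print(unmet_preconditions(True, True, date(2024, 1, 1), date(2024, 1, 3)))
    print(triage(SAMPLE_REPORT))
```

Findings in `confirm_with_vendor` are not presumed false; they are the ones whose status depends on the vendor's patch record and should be sent with the full scan report.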