PCI scan reflects vulnerabilities, whereas a Full Audit scan reports no vulnerabilities in Control Compliance Suite Vulnerability Manager


Article ID: 154273


Products

Control Compliance Suite Vulnerability Manager

Issue/Introduction

A PCI scan is run on a device and returns a list of vulnerabilities. Remediation steps are taken on that computer, and all missing patches are installed. After the PCI audit scan is run again, it still reports those vulnerabilities as present. A Full Audit scan run against the same device shows no vulnerabilities.


Cause

The behaviour is as designed. The PCI audit scan and the Full Audit scan differ in what they report: the PCI audit scan also reports potential vulnerabilities, whereas the Full Audit scan does not. If Symantec CCS Vulnerability Manager cannot prove that a vulnerability actually exists, it classifies it as a "potential vulnerability."

Resolution

This is expected behaviour, not a defect. The PCI audit scan lists potential vulnerabilities (findings that Symantec CCS Vulnerability Manager could not prove to exist) alongside confirmed ones, while the Full Audit scan lists only confirmed vulnerabilities, so the two scan types are expected to produce different results for the same device.