The network map on the Vulnerabilities tab displays vulnerabilities that the system has detected on your network, organized
by legacy vulnerability ID (SVID), CVE ID, or Snort ID.
From this network map, you can view the details of specific
vulnerabilities, as well as the host profile of any host subject to a specific
vulnerability. This information can help you evaluate the threat posed by that
vulnerability to specific affected hosts.
If you determine that a specific vulnerability is not applicable
to the hosts on your network (for example, you have applied a patch), you can
deactivate the vulnerability. Deactivated vulnerabilities still appear on the
network map, but the IP addresses of their previously affected hosts appear in
gray italics. The host profiles for those hosts show deactivated
vulnerabilities as invalid, though you can manually mark them as valid for
individual hosts.
If there is an identity conflict for an application or operating
system on a host, the system lists the vulnerabilities for both potential
identities. When the identity conflict is resolved, the vulnerabilities remain
associated with the current identity.
By default, the network map displays the vulnerabilities of a detected application only if the packet contains the application’s
vendor and version. However, you can configure the system to list the vulnerabilities for applications lacking vendor and
version data by enabling the vulnerability mapping setting for the application in the management center configuration.
The numbers next to a vulnerability ID (or range of
vulnerability IDs) represent two counts:
- Affected Hosts
-
The first number
is a count of non-unique hosts that are affected by a vulnerability or
vulnerabilities. If a host is affected by more than one vulnerability, it is
counted multiple times. Therefore, it is possible for the count to be higher
than the number of hosts on your network. Deactivating a vulnerability
decrements this count by the number of hosts that are potentially affected by
the vulnerability. If you have not deactivated any vulnerabilities for any of
the potentially affected hosts for a vulnerability or range of vulnerabilities,
this count is not displayed.
- Potentially
Affected Hosts
-
The second
number is a count of the total number of non-unique hosts that the system has
determined are
potentially affected by a vulnerability or vulnerabilities.
Deactivating a vulnerability renders it inactive only for the
hosts you designate. You can deactivate a vulnerability for all hosts that have
been judged vulnerable or for a specified individual vulnerable host. After a
vulnerability is deactivated, the applicable hosts’ IP addresses appear in gray
italics in the network map. In addition, host profiles for those hosts show
deactivated vulnerabilities as invalid.
If the system subsequently detects the vulnerability on a host
where it has not been deactivated (for example, on a new host in the network
map), the system activates the vulnerability for that host. You have to
explicitly deactivate the newly discovered vulnerability. Also, if the system
detects an operating system or application change for a host, it may reactivate
associated deactivated vulnerabilities.