4 Replies Latest reply on Jul 12, 2018 2:36 AM by phoffmann

    Software Monitor Reporting

    ohtlandesk Rookie

      Hello All,

       

      We have a recently noticed something strange with our reporting in Ivanti.

      With the semi regular security vulnerabilities in FireFox we have to run reports on versions installed in the field.

      What we are noticing is that we get duplicate entries for the same Asset/System usually due to two different versions of FireFox.

      Upon physical inspection of the machine there is actually only one version installed on the Asset/System.

       

      Should the software monitoring be updating the version of the software or creating a new entry for the newer version?

      Obviously this is causing major issues with our reporting.

      My manager has asked that I reach out to the community for assistance to try to remediate this.

       

      Also note that we are not currently patching with Ivanti although I am going to try to push for it at least for 3rd party apps.

      We are using WSUS for Windows OS/Office patching.

       

      I appreciate any feedback or assistance.

      Have a great day everyone.

       

      Jason Breech
      Desktop/Video Support Tech
      Ohio Technology Consortium (OH-TECH)
      A Division of the
      Ohio Department of Higher Education
      1224 Kinnear Road, Columbus, Ohio 43212
      Office:
      (614) 688-0997 • Mobile: (614) 668-2664
      [email protected]

        • 1. Re: Software Monitor Reporting
          phoffmann SupportEmployee

          Depending on what you're looking at, that's perfetly normal.

           

          So - let's give you the following example.

          • Device X is on Firefox version 55.0
          • Since then, versions 55.1, 56.0 and 56.5 have been released.

           

          • You're scanning against "all Firefox" vulnerabilities.

           

          What would be expected list of "vulnerabilities" in regards to Firefox?

          • You'd be vulnerable to all 3 "new released" versions (your version is older than 55.1, older than 56.0 and older than 56.5).

           

          You may want to change your list of vulnerabilities you're scanning for to scan for "the latest" one(s) -- which you can do automatically via the following button if you want (Has the benefit of also reducing your scan times, because there's less stuff to scan for ) - click on the image for the full picture. That button will "disable all replaced rules" for you automatically, if you don't want/need to do so "more controlled" (and moves them into "DO NOT SCAN":

           

           

          But if the above makes sense / applies to your environment, this is PERFECTLY nomral and "working as configured".

           

          We give people the option to scan for "pin-point" versions because there's various in-house (usually "Business critical") apps where you can't just upgrade to "the latest version of whatever" (Java is a common thing in this regard, for instance) ... so it's up to YOU to decide "what is OK / what isn't" and thus - what you scan for / what you don't scan for.

           

          There's nothing wrong to scan (and mark as vulnerable) 10 versions of Firefox or "other thing of choice" and concsiously doing so purely to highlight in reports to push "hey, we need to update this thing we rely on, as we're already forced to have a years' worth of exploits & such because of it" .. useful numbers to push CIO's to make certain changes, for instance.

           

          But yeah - I'm assuming that's what you're seeing? Does the above make sense?

          • 2. Re: Software Monitor Reporting
            phoffmann SupportEmployee

            Also, I'd probably recommend against posting phone numbers / e-mail addresses in a public forum.

             

            It's not that I much worry myself, but that's a great way of picking up a lot of spam-mail that's unnecessary / getting annoying calls in

            • 3. Re: Software Monitor Reporting
              ohtlandesk Rookie

              phoffmann,


              Thanks for the response.

              I'll see if I can elaborate a little better.

               

              So we created a Query to get a report of FireFox users in our organization.

              Our query looked like this:

               

               

              When we run it we get the following results:

               

               

              As you can see we are getting a lot more in the way of other software than just FireFox.

               

              Any suggestions?

               

              Thanks,
              Jason

              • 4. Re: Software Monitor Reporting
                phoffmann SupportEmployee

                Chances are there's a minor oversight / mistake in the query. I'd need to look at the Query / DB in detail to see what's what. I would suspect this is a case of "working as configured - not as intended").

                 

                One thing I'm noticing for instance is that you're querying for SOFTWARE.PRODUCT.TITLE -- yet a column you're displaying is SOFTWARE.{something}.NAME ... getting your columns out of sync is a big deal in the query tool .

                 

                For instance, if you're searching for "Product title = Something" -- but the column you're displaying is "SOFTWARE - PACKAGE - NAME" ... then we'll be showing *ALL* the packages on a device .... because no pre-filtering can take place. Yes - the "xxx LIKE FIREFOX" is good, but if you're not using "the right column" on the display, that's not helping you .

                 

                So you may want to try to start with the query from scratch (well - the columns at any rate) in a fresh copy. Use just the default 3 ... and then add JUST the "Software.Product.Title" column to be displayed ... and see how that works?

                 

                That may be enough to point you in the right direction?