Community Wishes and Hopes :)

Hi,

We have been using R7 for 2 years and have a few customers.
My primary part is InsightVM.
I worked with different vuln scanners before and think R7 is pretty good, but a few things are bothering me.

Asset Duplicate: A thing which is often discussed here, and there is no change. The Asset Linking update a few versions ago was absolute … Also, there is just an overall retention policy and no possibility to make a retention policy for different asset groups. Why should I keep a phone which was scanned 20 days ago in the guest WiFi? On the other hand, I want to keep the records of my road warriors, which are not online daily. I can only define a number and it will be enforced on all assets.

Scan Templates: The last update from support was that if you change the default scan template, it will not include new vulns? Did this change, or is it the same?

Alerting/Notifications: The Teams notifications are pretty nice, but the built-in notifications are not that great, and it gets worse if you are working on multiple customers.

Tamper Protection Agent: Still nothing (Friends in IDR are not happy about it)

Dashboards Insight IVM vs IDR: No cards to edit like in IDR :frowning: feels a bit like stone age :stuck_out_tongue:

SSH authenticated scans on a different port: If it is not on port 22 you have a lot of trouble scanning the asset. Is there a change in the future?

And last point … no light mode in InsightVM :stuck_out_tongue:

I know there were a lot of negative points, but maybe the community will look it up and also has some points in common.

Hope to see some good features in the future :slight_smile:

1 Like

Hi! @jrossmann

I agree with you on most things.
In my case I also work multi-client. The Dashboards part of VM is, as you say, a little bit old. I would love to edit the cards and make some nice graphics to add to an executive report.

It would be cool if R7 transformed some of the graphs from the reports, which are very nice, into cards.

If you have filed an IDEA for any of the features you want, feel free to post it so I can add to it.

Thanks for sharing!

Ruben.

1 Like

I am also seeing the Asset Duplicate. We just found an asset that has duplicated itself 500 times in the past few days. Also, the retention policy is hit and miss as to whether it really removes the devices. We had an issue with a ton of stale devices and the only fix was a reinstall, which caused duplicate entries, and the system is taking its sweet time to clear out the duplicates that meet the requirements.

1 Like

PowerShell Guy w/ RESTMethod API calls:
The way I handle removing certain assets is create a detailed dynamic asset filter group. Then have scheduled task management run a daily PowerShell script that deletes all things within that group.

For duplicates, I run a script that pulls down all assets, sorts by IP and LastScanDate. Then from there I run through a Foreach, comparing index[0] IP and MAC address w/ index[1]. If equal then send index[0] to a csv file as a dupe (since LastScanDate is sorted older to newer, index[1] would be the newer scan) for me to review…and probably run another script to remove.

I don’t run it very often and I like to review before deleting, so I don’t have this set up w/ an automated task.

1 Like
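The duplicate check described in the PowerShell post above, as an added example that is not part of the original thread and not Rapid7's code. It generalizes the adjacent-pair comparison to grouping by IP and MAC, so an asset duplicated many times is reported in one pass, and it only writes a review file. The sample records and the property names (Id, IP, MAC, HostName, LastScanDate) are constructed assumptions, not the InsightVM API schema.

```powershell
# Constructed sample inventory. Property names are assumptions for this example.
$assets = @(
    [pscustomobject]@{ Id = 101; IP = '10.0.5.20'; MAC = '00:11:22:AA:BB:01'; HostName = 'vdi-07';   LastScanDate = [datetime]'2024-03-01' }
    [pscustomobject]@{ Id = 245; IP = '10.0.5.20'; MAC = '00-11-22-aa-bb-01'; HostName = 'vdi-07';   LastScanDate = [datetime]'2024-03-09' }
    [pscustomobject]@{ Id = 310; IP = '10.0.5.20'; MAC = '00:11:22:AA:BB:01'; HostName = 'vdi-07';   LastScanDate = [datetime]'2024-03-15' }
    [pscustomobject]@{ Id = 402; IP = '10.0.9.77'; MAC = '00:11:22:CC:DD:02'; HostName = 'phone-a';  LastScanDate = [datetime]'2024-02-20' }
    [pscustomobject]@{ Id = 403; IP = '10.0.9.77'; MAC = '00:11:22:EE:FF:03'; HostName = 'phone-b';  LastScanDate = [datetime]'2024-03-14' }
    [pscustomobject]@{ Id = 500; IP = '10.0.5.20'; MAC = $null;               HostName = 'unknown';  LastScanDate = [datetime]'2024-03-10' }
)

function Get-DuplicateAssetCandidate {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [object[]] $Asset)

    # A shared IP alone is not proof of a duplicate (DHCP reuse on guest WiFi),
    # so records without a MAC are left out of the comparison.
    $Asset |
        Where-Object { $_.IP -and $_.MAC } |
        # Normalize the MAC so '00-11-..' and '00:11:..' compare equal.
        Group-Object -Property { '{0}|{1}' -f $_.IP, ($_.MAC -replace '[^0-9A-Fa-f]', '').ToUpper() } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            # Newest scan is the record to keep; every older one is a candidate.
            $sorted = $_.Group | Sort-Object LastScanDate -Descending
            $keep   = $sorted[0]
            $sorted | Select-Object -Skip 1 | ForEach-Object {
                [pscustomobject]@{
                    DuplicateId  = $_.Id
                    KeepId       = $keep.Id
                    IP           = $_.IP
                    MAC          = $_.MAC
                    LastScanDate = $_.LastScanDate
                }
            }
        }
}

$candidates = Get-DuplicateAssetCandidate -Asset $assets
if ($candidates) {
    # Review file only; nothing is deleted here.
    $candidates | Export-Csv -Path .\duplicate-candidates.csv -NoTypeInformation
    $candidates | Format-Table -AutoSize
}
```

With the sample data, records 101 and 245 are listed as older copies of 310, while the two phones sharing 10.0.9.77 and the record without a MAC are left alone.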

Hi,

So you are running the scheduled task on the console? So you also provide the password in cleartext in the script? I also was thinking about that, but it would be nicer if R7 would just add dynamic retention policies :slight_smile:

  1. Scheduled tasks on a Windows server
  2. Script calls an encrypted text file
  3. Sorry, thought you were asking for a stopgap.

I understand the steps.
Some thoughts on this one:
There is one issue: if the attacker enters the machine and escalates privileges, he can decrypt your file and find the pw. (worst case)
Problem of the API:
The authentication needs the pw in clear text; after the PowerShell script, it can use base64 for authentication. So you need something where the password is stored and can be used from a saved spot.
So you use the credential store in your pw script. But it can also be reversed if the attacker can enter the machine.
Point on your side :slight_smile: if the attacker is on the machine and he knows how IVM works, he can reset the password in interactive mode. :stuck_out_tongue:

I know R7 does not want to implement it because of licensing… But also VDI duplicates and the new asset linking are not the current best practice …

So I was thinking this through, but decided to not implement it.