External scanning/asset consolidation conflicts

For a while now, we have noticed that when we run an external scan on an asset, the scan results page (not the asset page) is showing items that would normally only be discoverable on a credentialed scan (i.e. installed packages and versions, users, file system, etc.). As I have always understood it, the asset consolidation feature (which we have enabled) is only aggregating data from various scans on the asset page, and the results for a specific scan will be shown on the scan (node) page. For the purpose of trying to understand what is externally exposed on an asset that may present any risk, this is not helpful at all – I want and expect to see only the items discovered from that one scan. I’ve reached out to support on this many times, and the answer I was finally given, from a senior engineer, is that that is expected behavior for the asset consolidation feature, and that if we want to see only external scan results, then we need to set up a separate console to do just external scanning…

This is absolutely absurd to me, that a VULNERABILITY MANAGEMENT PRODUCT does not support one of the most core tenets of vulnerability management: determining the external attack surface of an asset, without having to put in a lot of extra work to stand up and configure a SECOND console. Furthermore, there would be no syncing of the two consoles, so we would have to check a different console whenever we want to see internal or external scan results of an asset.

I would like to know if anyone else has experienced this, and if any contact with R7 support has already been made. I cannot believe this is expected behavior, but maybe I’m missing something…