As an admin using Rapid7 InsightVM, when I check an alert from Rapid7, I go to the asset and see in the proof section that the alert and vulnerability were triggered due to the presence of a file located in WINDOWS\CURRENTVERSION\UNINSTALL, which belongs to an outdated version of an application used by the asset’s user. This is clearly a false positive. I’m sure there are dozens of assets in the system with the same situation, and this is affecting the overall risk score.
My question is: is there a general setting that allows the scanner to treat files found in this path as false positives and not consider them as vulnerabilities?
At first I thought the same when I started using the product 3 years ago. But let’s think about this logically. The file in this path still remains on the system, and if someone gets on the box and moves laterally, they can restore this file to a specific place and exploit it. While this may not be specific to this file, it will be to log4j files, for example, or older openssl exe files. The same logic applies overall. The same goes when deleted files are in the uninstall hidden folder: they still remain on the machine. Wouldn’t you want to know this type of information?
We have run into the same issue(s) at our company. I think Rapid7 should consider including a verification of availability of the executable/file for the registry-referred filepath in the detection rule(s). Just relying on a registry key alone is low-quality data/proof, right?
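The check the reply above asks for can be done locally while triaging such findings: walk the Uninstall registry keys and test whether the path each entry refers to still exists on disk. This is an added example, not Rapid7 code or anything from the posters; it assumes the standard DisplayName, InstallLocation and UninstallString values and must be run on the asset itself.

```powershell
# Added example (not Rapid7's or the thread's code): list Uninstall registry
# entries whose referenced install path or uninstall executable no longer
# exists, i.e. registry-only evidence that deserves false-positive review.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-ReferencedPath {
    # Extract the executable from an UninstallString such as
    # "C:\Program Files\App\unins000.exe" /SILENT  or  MsiExec.exe /X{GUID}
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    $v = $Value.Trim()
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 1) { return $v.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($v, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $v
}

$results = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if (-not $p.DisplayName) { return }          # skip unnamed/system entries
        # Prefer InstallLocation; fall back to the executable in UninstallString
        $path = $p.InstallLocation
        if ([string]::IsNullOrWhiteSpace($path)) { $path = Get-ReferencedPath $p.UninstallString }
        [pscustomobject]@{
            DisplayName    = $p.DisplayName
            DisplayVersion = $p.DisplayVersion
            ReferencedPath = $path
            # Rooted paths are tested directly; bare names (MsiExec.exe) via PATH lookup
            PathExists     = if (-not $path) { $false }
                             elseif ([IO.Path]::IsPathRooted($path)) { Test-Path -LiteralPath $path }
                             else { [bool](Get-Command $path -ErrorAction SilentlyContinue) }
            RegistryKey    = $_.PSChildName
        }
    }
}

# Stale entries: the key is present but the file it points to is gone
$results | Where-Object { -not $_.PathExists } | Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, ReferencedPath, RegistryKey -AutoSize
```

Entries that show up here are candidates for cleanup (removing the orphaned key) or for an InsightVM exception with the script output attached as proof; entries whose files are still present are real exposure regardless of whether the application is in use.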