We assets that are credentialed scanned with R7 Scan Assistant. When looking at the asset summary page in the Security console, we repeatedly find software showing as being installed after new scans that was in fact previously removed.
Asset is credentialed success with Scan Assistant
Proof column only states software name is installed.
Software was uninstalled prior to most recent scans
Said software still shows installed after new scans
Said software does not show installed when checking locally on asset
Other software inventory tools do not said software as being installed.
Are there vulnerabilities on the device associated with this software? If so, check the proof of the vulnerability and see where it is being detected from. There is always a possibility there are remnants on the device and that is what the scan is detecting.
Already checked that; the proof is not helpful in this case. It just states ‘softwarePackageName installed’ in the proof column and not key column info.
I am seeing a potential growing issue where assets with Scan Assistant and that show outdated software installed on Security console asset summary page. When checking the latest scan results for the asset, it indicated credentialed scan success, and it continued to show inaccurate info. under software installed section. I validated this by locally checking the assets installed software and software packages that were previously installed month ago, and are no longer, are still showing in Rapid7 Security console as installed.
I continue to work an R7 support case on this issue…