Old scan found ports that are no longer open on new scan

Hello,

I am sure this has been asked before, but when I searched I didn’t find anything.

An old scan was able to find a vulnerability on a server with a specific port that is now no longer open. The port was closed off because it did not need to be reachable; however, the vulnerability is still showing on the server. Is there a way to clear the vulnerability without removing the asset and re-adding it?

Hello @jcrews, are you able to verify with an nmap scan for that port that it really is closed now?

Yes, I am.

I’ve seen a few variations over time. Say the issue is implied on a port, for example it was discovered through indirect means: for NFS, the port isn’t typically discovered with packets to the offending port; it’s pulled from portmapper. In this scenario it’s really messy, but let me know if the scenario is similar.

The answers vary based on these scenarios. Are you willing to share base-level information here about the service that was located, and whether there is any additional information about it (for example, does it have banner information that was collected) that may help figure out which sort of collection was involved?

I am not 100% sure how they were discovered, but I think they were discovered by an nmap scan, and then after the ACL was corrected, the ports are blocked correctly.

Sorry, I am new to InsightVM.

Then the most straightforward answer without more information is, at a high level, that the same check has to have the opportunity to run again to basically set the vulnerability to false. So if you run the scan again, make sure that the template that is used has the same checks and is scanning for the same ports etc. I’ve run into situations for this where the port “had” to be re-opened and the service brought up to the proper banner level etc., and then close the port. But this usually isn’t worth the effort. One of the fastest resolutions is probably to add an exemption and mark it as mitigated, with a note about the mitigation of removing remote access to the service etc., but that only holds as long as the mitigation remains in place.

Maybe someone else will have a more elegant solution.
