Special issue - Cleaning old scan result data in InsightVM without ruining settings for current Asset

We have several instances with variations on the same scenario, which point to needing to clear out the old vulnerability scan results, but which encounter complications.

We have assets that were recycled or had crashed and been replaced by different machines, hence with different hostnames. Those lost / replaced assets as we find them, as long as they are completely off the domain/network, we have to manually remove them from the scan result data. To be expected.

However, there are 2 versions of a recycling scenario that are causing a lot of consternation:

1- The Asset is re-imaged and re-deployed, hence has the same hostname, and as far as Insight seems to claim, it still has the problems that were under its previous image. It appears that InsightVM cannot exactly differentiate between the old and new instances of the asset, given the same name being used, and therefore the old vulnerability information is retained even though the particular vulnerability is no longer on that Asset.

2- The Assets (servers) were replaced by Linux servers instead of Windows servers, but again using the same hostname. And so again, InsightVM still shows the same vulnerabilities from over a thousand days ago, without realizing that the entire file structure is wildly different.

So my question is: How can I set this to completely purge the old scan results and only report on the currently-detected vulnerabilities? With a thousand or so Assets, I really don’t want to have to purge everything and try to rebuild the Asset groups, etc.

I had attempted to set the scan data retention down to 15 days to hopefully purge this old data. But either I didn’t set the right variables, or it isn’t working as designed.

Any insight (pun intended!) would be greatly appreciated!

Thank you,

Dave Leavitt
Technical Operations Specialist
National Flood Services

You mentioned that you tried setting the data retention settings, and that’s the first suggestion I would give, so if you could verify that and provide a screenshot of the settings, that may help. There are also the agent retention and asset retention settings that may come into play here as well.

But for the results and OS not changing on an asset even though the host name has stayed the same, I have to assume this system has not had an authenticated scan since the re-image. The first and best thing to do would be to ensure that the system has an Insight Agent on it. With the agent present, the agent would assess the asset and show that those vulnerabilities are no longer present, which would eliminate the results for that asset. This goes for the OS as well, as the agent reads the OS information directly from the file instead of guessing during an unauthenticated scan. You could achieve the same result by actually passing credentials or using the scan assistant as well if you don’t have the agent present on that machine. But like I said, it is heavily advised to install the agent on all of your systems.