We have several instances with variations on the same scenario, which point to needing to clear out the old vulnerability scan results, but which encounter complications.
We have assets that were recycled or had crashed and been replaced by different machines, hence with different hostnames. Those lost / replaced assets as we find them, as long as they are completely off the domain/network, we have to manually remove them from the scan result data. To be expected.
However, there are 2 versions of a recycling scenario that are causing a lot of consternation:
1- The Asset is re-imaged and re-deployed, hence has the same hostname, and as far as Insight seems to claim, it still has the problems that were under its previous image. It appears that InsightVM cannot exactly differentiate between the old and new instances of the asset, given the same name being used, and therefore the old vulnerability information is retained even though the particular vulnerability is no longer on that Asset.
2- The Assets (servers) were replaced by Linux servers instead of Windows servers, but again using the same hostname. And so again, InsightVM still shows the same vulnerabilities from over a thousand days ago, without realizing that the entire file structure is wildly different.
So my question is: How can I set this to completely purge the old scan results and only report on the currently-detected vulnerabilities? With a thousand or so Assets, I really don’t want to have to purge everything and try to rebuild the Asset groups, etc.
I had attempted to set the scan data retention down to 15 days to hopefully purge this old data. But either I didn’t set the right variables, or it isn’t working as designed.
Any insight (pun intended!) would be greatly appreciated!
Thank you,
Dave Leavitt
Technical Operations Specialist
National Flood Services