Sophos HitmanPro.Alert exists in two distinct, separately developed versions. The version that Software Vulnerability Manager (SVM) is programmed to detect is the standalone HitmanPro.Alert. Sophos has ported the other, “bundled” version into its Intercept X product. The bundled HitmanPro.Alert carries file version metadata that falls in the same ranges as the standalone HitmanPro.Alert, but the bundled product receives security fixes from Sophos while the public standalone builds in those same version ranges remain vulnerable.
The result is that the “bundled” release of HitmanPro.Alert is detected by SVM as if it were the actual “standalone” version.
This happens because SVM sees the same file names, the same file version ranges and the same locations on disk as it does for the standalone product. SVM therefore flags the bundled copy as Insecure. That verdict is correct for the standalone release, but because the bundled copy has been silently patched by the vendor, the assessment is wrong for hosts running Intercept X.
Flexera has committed to detecting and assessing the standalone version continuously, and will therefore keep detecting the standalone product without changing its detection or assessment mechanisms.
This means that customers who run the bundled release that ships with Intercept X should ignore the security status that SVM displays for HitmanPro.Alert. Instead, contact Sophos directly and ask whether the bundled release actually installed on your hosts is vulnerable or has been patched.
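Before discarding an SVM finding for HitmanPro.Alert, it helps to confirm which edition the host is actually running. The following PowerShell script is an added example written for this note; it is not Flexera or Sophos code, and SVM does not use it. It assumes that Intercept X and the standalone HitmanPro.Alert each register an entry under the standard Windows Uninstall registry keys whose DisplayName contains “Intercept X” or “HitmanPro.Alert” respectively; the exact DisplayName strings are not confirmed by this note, so the match is deliberately loose and should be verified against one known host of each kind. Run it elevated, on the host SVM flagged, and use the returned object to decide whether the finding refers to the bundled release.

```powershell
# Added example (not Flexera or Sophos code). Classifies a host as running the bundled
# (Intercept X) or standalone HitmanPro.Alert by inspecting Add/Remove Programs entries.
# ASSUMPTION: both products register under the standard Uninstall keys with a DisplayName
# containing "Intercept X" or "HitmanPro.Alert". Verify these strings on a known host.

function Get-HmpaEdition {
    [CmdletBinding()]
    param()

    # Both native and WOW6432Node hives, so 32-bit entries on 64-bit Windows are covered.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher

    # Loose name matches; the precise DisplayName values are an assumption, not from the note.
    $interceptX = @($installed | Where-Object { $_.DisplayName -like '*Intercept X*' })
    $hmpa       = @($installed | Where-Object { $_.DisplayName -like '*HitmanPro.Alert*' })

    # Decision: any Intercept X entry means the HitmanPro.Alert files SVM found belong to
    # the bundled, vendor-patched release, so the SVM "Insecure" verdict does not apply.
    $edition = if ($interceptX.Count -gt 0) {
        'Bundled'
    } elseif ($hmpa.Count -gt 0) {
        'Standalone'
    } else {
        'NotInstalled'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Edition            = $edition
        SvmVerdictApplies  = ($edition -eq 'Standalone')
        InterceptXEntries  = ($interceptX.DisplayName -join '; ')
        HmpaEntries        = (($hmpa | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; ')
    }
}

# Usage: run on the flagged host and act on SvmVerdictApplies.
$result = Get-HmpaEdition
$result | Format-List

if (-not $result.SvmVerdictApplies -and $result.Edition -eq 'Bundled') {
    Write-Warning 'HitmanPro.Alert here is the Intercept X bundled release; confirm patch status with Sophos rather than relying on the SVM status.'
}
```

Because SVM keys its detection on file names, version ranges and paths, the script deliberately does not look at the HitmanPro.Alert binaries themselves: those are identical between editions, which is the whole cause of the false positive. The Uninstall entry for Intercept X is the one signal on the host that separates the two. Where fleet reporting is needed, invoke the function through your usual remoting tooling and join the `Edition` column against the SVM export to suppress findings on bundled hosts.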
Flexera is working to establish contact with the vendor about this problem. Until a proper solution is found, please follow the suggestions above if you are running a bundled version of HitmanPro.Alert 3.x.
Feb 05, 2021 05:32 PM