[Update: Please Use Ideas Portal Beginning December 2020] We Still Want Your Ideas about Software Vulnerability Management Products!
[IMPORTANT UPDATE: 9 December 2020] Great news - Our Flexera customer and partner community now have a direct opportunity to share ideas and participate in future feature planning. Learn more and add your ideas via the Ideas Portal moving forward. Please note if you have added an idea to this discussion, we will migrate the idea to the new portal and notify you once it's been done. Thank you to everyone for active participation!
You may notice that we don’t currently have a replacement for the Ideas functionality here in the new community. This is temporary-- we are planning to launch ideation as a feature of this new community later this summer. In the meantime, please this discussion forum to continue to provide product feedback on Software Vulnerability Manager (SVM) and Software Vulnerability Research (SVR). Please don’t worry about reposting ideas you may have previously submitted; when the ideation capability is reintroduced here it will include any feedback you may have previously provided.
This thread has been automatically locked due to inactivity.
To continue the discussion, please start a new thread.
Despite not being able to use automated patching with Mac, we are using it for monitoring. We also have Windows environment.
I would love to add a dashboard item that separates the most critical and most common advisories out by OS. It would make manual patching for Mac, if I had that available in 1 click.
It would be great if the Product Smart group for OS e. g. Windows 10 would show per device more detailed information.
At the moment post scan it only shows e. g. "Windows 10 Enterprise, WinNT, Terminal Server 16299
This data are kind useless for us. This number only indicate if this is e. g. 1709, 1809 etc OS version.
If a scan was run on the device and SVM shows as secure. I have no idea if this is valid or not. The only way to narrow this down would be to show 17763.864 instead as shown in MS table. This way we know 100% that your scan patch level is latest November MS CU patch level: KB 4523205
This information already exist as basic stuff on each Windows 10 device and are shown to the user under system. The SVM scan is able to show missing hotfixes but for "secure" device we have no chance to know the latest KB install which state it is secure. This way we have to go back to last scan data and then again go back to SCCM to check this. This way the view of this is for us not useful and can't be a valid source for dashboards.
We have already to export all hosts from this smart group to generate a Pivot table. Just our security team don't accept this data set as it is not visible on the time of export creation what is the real patch level of the device (as scan could be 1 day, 2 weeks, 1 month etc last time done).
Can this be added going forward to help us to properly audit security for the OS?
the SVM solution is today only reactive view of data sets scanned of the devices. We end up quite often that a software become secure/unsecure and switch to EOL or product discontinued. This way technically the company become unsecure as no patches anymore without a pre-warning.
It would be nice to have an different column or header or an smart group which warns us using SVM when a product reach end of life. This information is known and published by most vendors. Like this happens with Windows 7. I assume all should know the last security patches next year. But for some it might be a surprise in Jan 2020 🙂
The same apply to all other vendors or products. It would help to make your product better and allow customers pro active to do work vs reacting all the time only.
Thank you for this feedback. Yes, today the data we supply is EOL status, not EOL date but we do have this in other areas of the Flexera business (like FNMS and Data Platform). We are working to unify our back end data so we can better connect and expose valuable data like this in the future.
we would like to be able to monitor devices for their integration with scans. There is today technically no way to generate a host smart group which can filter by "Scan status" from "Completed Scans" section. The only way is to export and filter in Excel or PowerBI.
We would like pro-active to have smart groups where we can combine devices which does not have a "succes: OK" state of our configuration and been able to report/export those data for monitoring reasons. E. g. one off issues, dedicated sites, offices or devices issues to send data back.
Technically filter by "Scan Status:
"Failed: Communication Error"
"Failed: Resolving Host"
"partial: Windows Update failed"
and on top to above then "Results Exist" or not to narrow down further on those devices which have issues.
I will try to explain an issue. If you have devices random failing on completed scans with various errors. The completed scan shows you an high level error. There is zero details behind this message like Partial, Failed Communication etc.
The technical Problem is if you want to debug the only way is to enable the logging with -v or -v -v or -v -v -v depending on the needs. The issue is that if you set it:
1. service need to restart to pick it up
2. it stay forever or you have to roll it back per device or device group
3. it contain too much info potentially which is required only for debug troubleshooting when you know what a high level issue might be.
It would really help if there would be in settings or on per device level where you can turn on logging temporary only or for a timeframe of xy days.
On top of that instead of showing only an error in completed scans. It would be much better if there was a reason code (which is happening anyway on each device when issue appears) been written to the error as an own column or to an additional SQL table. For example the communication could mean a lot. But if we could have this data captured with a reason code we could export, pivot and troubleshoot on the most common problem.
Today, you have to do it all manual with client logging enable which is on high scale of devices like impossible. Specially when an issue is random and can't be reproduced this option isn't ideal as you would need to turn on logging on all devices and then grap manual from each device the log file and then clean it afterwards.
I hope it make sense but this would make our life much easier.
We have a security requirement to monitor EOL products more closely. As in general EOL or discontinued could be classified as unsecure from that point as vendors don't patch anything anymore.
We would like to be able to build Product Smart groups based on when they become the status of EOL or discontinued.
EOL - over 14 days high or above
EOL- within 14 days high or above
EOL- within 14 days medium or Lower
EOL - over 14 days Medium or lower
I've use SAID creation date as trigger. Support confirmed this does not work as Secunia do not post SAID or Criticality ratings for EOL or discontinued.
This way we have no way to use the data we have and easy monitor changes in the out of the box "End-of-Life-Products" product smart group. This is really annoying as we can't meet our security team requirements and then end up again to compile this manual vs vendors pages constantly.
Hi, We have found several examples on SAID's which are reported with a 'No fix' which are causing a lot of unnecessary distrust in the communication which we provide to our users and customers.
It is typically occurring on products like; Google Chrome and Firefox.
This is apparently caused by the version linked to the SAID is marked out-of-support by the vendor, but the solution is to upgrade to the next version, which also is stated in the SAID.
But the solution in the top of the documents are misleading while it is getting marked with 'No Fix'.
not sure when the beta enhancement page will be available to all again. This way going back to the old way of communicate.
We have the problem that we installed the Daemon to perform scheduled reports. That is a great option. But we want to export the data e. g. weekly or monthly and keep the previous version. The export option does not support any wildcards in the file name e. g. DD-MM-YYYY or anything which would have a fixed value and a dynamic value.
This way we can run the same export scheduled without override on our export source. We end up now to have a scheduled task to move data away which is annoying.
Dear all, I am looking for the additional data and features to get implemented
- Vendor patch publication date: At which date the vendor has the patch been released, This may sometimes differ from the advisory creation date
- Change log about the "Solution Status" field
- Date / Time when Flexera has imported the advisory first time into SVR
Both would help to show evidences for audits and regulators in regards to sustainable patch deployments. They often refer to the advisory date but in fact if the patch becomes late available we also are late in the patch deployment. Status log changes would also help here to bring more transparency for audits reviews.
Dear all, We are currently using the REST API endpoints of Flexera. The CPE information is useful to identify the exact affected products of an advisory and get these in a normalized /standardized format.
Flexera SVR is providing CPE information at the "Advisory" Endpoint but not at the different "product" endpoints. May I ask you to add there this information as well?
Thank you regards
I wish it was possible that hosts with different windows update settings (Use a managed Windows Update server, Use the official Windows Update server, Use the official Microsoft Update server, or Use offline method: path to .CAB file) could connect to one svm partition and have successful scan (Success: OK).
That could work as follow.
1. agent try to use one of the options to check windows update, if there does not work it fails-over to other option before it gives scan status Partial: Windows Update failed
2. in the next scan it remembers the successful method from previous scan and it starts with that option.
I have 2 requests related to Smart Groups:
- Our workstation compliance team is already in SVM to find information about what to patch. It would be great if we could have a smart group that helps them find workstations that are missing required software (A/V, other monitoring tools, etc).
- Currently, Smart Group rules only allow to match on All or Any of the criteria. It would be great to combine them (i.e. "Product Status = End of Life" and ("Vendor contains Mozilla" or "Vendor contains Google")) This would allow us to create Smart Groups for our different product management teams.
- This could also be accomplished by offering the ability to include other Smart Groups in the criteria for new Smart Groups (i.e. Product Status = End of Life and output from Smart Group (3rd party browsers)
Love this idea. I invite you to be among the very first to contribute to the SVM Ideas board where other community members can discuss and vote on this as a future enhancement. Look for the "Flexera Ideas" button on the SVM community home page.