McAfee Vulnerability Manager

This page documents information for users of McAfee Vulnerability Manager (MVM), previously called Foundstone. The typical MVM user is someone who administers servers and wants to check those servers for vulnerabilities from a remote host that can centrally store reports and details about the scans performed. The MVM appliance allows for the creation of scans that can determine the existence or absence of security patches, misconfiguration of installed software, installation of unwanted software, etc. The sections below describe how to create these scans.

Requesting Access to the MVM Server

MVM access is granted to users by Organization. An Organization is simply a logical object assigned one or more ranges of IP addresses. These are the ranges of IP addresses against which MVM scans for that Organization can be created.

If the range(s) of IP addresses to be scanned are not yet assigned in MVM, a new Organization and a user account need to be created, and the proper IP address range(s) assigned, before MVM scans can be created. If an Organization with the proper ranges of IP addresses already exists, only a user account needs to be created to allow access to the existing Organization.

To request access to the MVM server, send the necessary information listed above via email or create a JIRA ticket.

Accessing the MVM Server

The OIT managed installation of McAfee Vulnerability Manager is hosted at https://netscanweb.oit.uci.edu

To log in to MVM:

  • Organization is always "UCI" regardless of who is logging in.
  • User Name field is the same as your UCInetID.
  • Password is your MVM password. This password is specific to MVM and is NOT synchronized to your UCInetID/WebAuth password.

Creating an MVM scan

The following is a quick overview of the most basic steps to create a new MVM scan. Please read the manual for complete information about all of the available settings and choices.

  1. To create a new scan, select New Scan from the Scans menu on the MVM home page
  2. Normally, you will want to select Use McAfee Vulnerability Manager's default settings for a new scan
  3. On the Targets tab
    • Create a new name for the scan in the Name text box
    • Select or enter the IP address(es) or ranges of IPs for the scan to run against
  4. On the Vuln Selection section of the Settings tab
  5. On the Credentials section of the Settings tab
    • Add a credential (or credentials) for the host (or hosts) the scan will run against (Note the item below on the importance of authenticated scans)
      NOTE Do not enable any of the options on the Web Module section of the Settings tab as these options are obsolete
  6. On the Reports tab
    • Clear the Create remediation tasks check box (if applicable)
    • Select the desired types of reports in Reporting Options
    • Clear any checkboxes for irrelevant or unused types of reports in the Vulnerability Reports section of the Reports Sections to include in the report
    • Clear the obsolete Web Assessment checkbox in the Vulnerability Reports section of the Reports Sections to exclude it from the report
  7. On the Scheduler tab
    • Select the proper options to schedule the scan in the Schedule Type and Schedule Details sections
    • Select the Active radio button in the Activation section (if you want the scan to run as now scheduled when the scan is saved)
  8. Click the OK button to save the scan

Viewing MVM scan status

As an MVM scan is running, you may want to view its progress. Alternatively, you may want to view information about previous scans or upcoming scheduled scans.

  1. To view scan status, select Scan Status from the Scans menu on the Foundstone home page

Viewing MVM scan reports

As an MVM scan is running, you may want to view its progress. Alternatively, you may want to view information about previous scans or upcoming scheduled scans.

  1. To view scan reports, select View Scan Reports from the Reports menu on the MVM home page
  2. Select the Scan Reports radio button in the Completed Reports section to view past reports

Other Important MVM Information

Understanding the difference between Non-intrusive and Intrusive scans

In the Vuln Selection section of the Settings tab, there are two similar-looking sections of scan options to select from, distinguished by their top-level options, Non-Intrusive and Intrusive. Non-intrusive scans are those designed not to cause potential interruption to the operating system or services of the host being scanned. Intrusive scans are those that may (but are not guaranteed to) cause interruption to the operating system or services of the host being scanned. Select the scans that are appropriate for the type of host and the host's use.

Ensuring that new MVM scripts are used

Due to the way MVM is designed (for regulatory compliance), when a scan is created, only those scan options selected will be used for subsequent scans. This means that if a newer scan option is added by an MVM update, it will not be included in your scan by default. (For example, if a new Windows bulletin is added to the Patches Only sub-section of the Windows Vulnerability scan section in February and your scan was created in January, it will not be included in your scan by default.)

This "stuck in time" effect will cause your results to be less accurate as time passes. To avoid this behavior, while creating a scan be sure to click the Advanced button on the Vuln Selection section of the Settings tab, and check Run New Checks for those scan options you've selected.

Understanding the importance of Authenticated scans

An MVM scan can be created where no credentials are entered on the Credentials section of the Settings tab. The resulting scan, however, will use only the scans that can run with NULL credentials, or those requiring no authenticated access at all. This scan will not be very effective as the majority of the scans that can be run against hosts (especially on Windows) require credentials to determine if a vulnerability exists or not.

In the MVM Updates documents sent to the mailing list by McAfee, these are noted with CATEGORY REQUIRES CREDENTIALS.

Ensuring that MVM can scan hosts

In order to ensure the OIT managed MVM installation can properly scan your hosts, you need to ensure that the MVM scan engine can access the desired hosts. Verify the following:

  1. Any network based firewalls (Cisco ASA or Sonicwall) are configured to allow all TCP, UDP and ICMP access from only netscan.oit.uci.edu (128.195.161.50) to the hosts indicated in your scan
  2. Any host based firewalls (Windows firewall, Symantec firewall, Mac OS firewall, iptables) are configured to allow all TCP, UDP and ICMP access from only netscan.oit.uci.edu (128.195.161.50) to the hosts indicated in your scan
  3. Windows File and Print Sharing is enabled and Windows Simple File Sharing is disabled

Frequently Asked Questions

What browser requirements are there for using MVM?

  • MVM works best with Internet Explorer or Firefox. Safari on Macintosh exhibits some undesired behaviors (including not showing the Logout button).
  • MVM 7.5 no longer requires a Java Virtual Machine to be installed on a host.

There are three (3) fields for the MVM login? What are these?

  • The Organization is always "UCI" regardless of who is logging in. The User Name field is the same as your UCInetID. The Password is your MVM password. This password is specific to MVM and is NOT synchronized to your UCInetID/WebAuth password.

I entered an IP address of a host I'd like to find in my reports in the IP address field on the MVM homepage, but instead of search results, I received the message Scan Saved. Why is this?

  • The button next to the IP address field is actually labeled Scan instead of Search, so you actually just started an MVM QuickScan of that host. (Don't worry, you're not the first one to do this; almost everyone does at first.)

What IP address do I need to allow through my firewall to allow for MVM to scan my host(s)?

  • The MVM scans will originate from 128.195.161.50 (netscan.oit.uci.edu)

How do I change my password to log in?

  1. To change your password, select Users/Groups from the Manage menu on the MVM home page
  2. Browse to your user account within the Users folder of your Workgroup in the UCI Organization
  3. Right click on your user account, and select Properties
  4. Enter your new password in both the Password and Confirm Password boxes, and click OK to save your changes.

I'm seeing information in my logs that look like MVM scans that are not coming from 128.195.161.50 (netscan.oit.uci.edu). Should I be concerned?

  • You may see scanning coming from hosts with DNS entries in the form of fscanx.nac.uci.edu (where x is a digit). These are the MVM scans operated by McAfee installed appliances on campus.
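
The check described in the answer above, as an added example (not from the original page, McAfee or OIT): it groups firewall log lines by source, keeps the sources that touched many ports, and labels each one against the scanner address and the fscanx.nac.uci.edu name form given on this page. The log format, the port threshold, the sample addresses and the forward-confirmation of the PTR name are assumptions.

```python
import re
from collections import defaultdict

OIT_SCANNER_IP = "128.195.161.50"  # netscan.oit.uci.edu, from this page
CAMPUS_APPLIANCE = re.compile(r"^fscan\d\.nac\.uci\.edu\.?$", re.I)  # fscanx form
PORT_THRESHOLD = 5  # assumption: distinct ports before a source counts as scanning
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def log_line(src, port):
    # Constructed iptables-style LOG line; the format is an assumption.
    return f"Mar  3 02:10:01 web1 kernel: IN=eth0 SRC={src} DST=192.0.2.10 PROTO=TCP DPT={port}"

# Constructed sample data; every address except the OIT scanner is a documentation IP.
SAMPLE_LOG = [log_line(src, p) for src, ports in {
    "128.195.161.50": range(20, 30),
    "198.51.100.7": range(20, 30),   # PTR and forward lookup agree
    "203.0.113.9": range(20, 30),    # PTR claims fscan3, forward lookup disagrees
    "203.0.113.44": range(20, 30),   # no PTR record
    "192.0.2.77": [443],             # single port, not scan-like
}.items() for p in ports]
SAMPLE_PTR = {"198.51.100.7": "fscan2.nac.uci.edu", "203.0.113.9": "fscan3.nac.uci.edu"}
SAMPLE_A = {"fscan2.nac.uci.edu": {"198.51.100.7"}, "fscan3.nac.uci.edu": {"198.51.100.8"}}

def sample_forward(name):
    # Forward (name -> addresses) lookup backed by the constructed table above.
    return SAMPLE_A.get(name, set())

def classify(src, ptr_lookup, forward_lookup):
    if src == OIT_SCANNER_IP:
        return "oit-mvm-scanner"
    name = ptr_lookup(src)
    if name and CAMPUS_APPLIANCE.match(name):
        # A PTR record is set by whoever controls the reverse zone for the
        # address, so trust the name only if it resolves back to the same IP.
        return "campus-mvm-appliance" if src in forward_lookup(name) else "unverified-ptr"
    return "unknown"

def triage(lines, ptr_lookup, forward_lookup):
    # Collect the distinct destination ports seen per source address.
    ports = defaultdict(set)
    for entry in lines:
        m = LOG_RE.search(entry)
        if m:
            ports[m["src"]].add(int(m["dpt"]))
    return {src: classify(src, ptr_lookup, forward_lookup)
            for src, seen in ports.items() if len(seen) >= PORT_THRESHOLD}

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG, SAMPLE_PTR.get, sample_forward).items():
        print(f"{src:16} {verdict}")
```

Against live logs, replace the two lookup arguments with real reverse and forward DNS resolvers; sources labelled "unverified-ptr" or "unknown" are the ones to follow up on.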
