Automatically exclude vulnerabilities

Ignoring policies automatically ignore vulnerabilities related to one or more technologies on an asset.

Create and manage ignoring policies

Ignoring policy management is available in the “Automatic actions” menu via the “Ignoring policies” item.

To create an ignoring policy related to one or more technologies:

  1. Go to Settings > Ignoring Policies.
  2. Click on the “Add” button to the right of the “Ignoring policies list” title: this opens the Ignoring policy creation form.
  3. Fill in the following fields:
    • the name field, with the name given to the new Ignoring policy;
    • one or more keyword fields; these keywords allow Cyberwatch to identify the technologies associated with the CVEs to be ignored.

A good way to choose keywords is to take them from the technology names shown in the “Patch management” tab of an asset:

  1. Go to “Inventory”.
  2. Select an asset that is using the technology to which we want to associate an Ignoring policy.
  3. Go to the “Patch management” tab and take one or more keywords from the “Technology” column.

It is also possible to use a target_package search:

  1. Go to “Inventory”.
  2. In the search bar, type for example target_package:chrome and confirm.
  3. Cyberwatch then shows only the assets that have a patch for Chrome.

Once the Ignoring policy is created, it must be assigned to an asset.

Assign an ignoring policy to an asset

Go to the “Inventory” page and click on the “Edition” button to display the “Ignoring policy” column.

This column is editable and allows assignment of an ignoring policy to an asset. An asset can only have one ignoring policy.

It is possible to assign an ignoring policy to several assets via the “Inventory” page.

To do this:

  1. On the Inventory page, select the assets concerned.
  2. Click on the “Bulk edit” button.
  3. Click on “Update ignoring policy” then on the name of the ignoring policy.

Please note that:

  • the Ignoring policy takes effect at the next analysis launched automatically after the assignment.
  • ignored CVEs appear grayed out at the end of the vulnerabilities list.
  • new assets carry no exclusion by default. A convenient way to handle new assets is to use rules: a rule applies an exclusion to every asset that matches a criterion.
  • deleting an Ignoring policy does not remove the filter from the assets it was assigned to; this must be done manually, asset by asset.

Example

Procedure to automatically ignore vulnerabilities related to Java and KB #4021558 on all production assets:

  1. Click on the Settings > Ignoring policies item
  2. Create an ignoring policy named “EXCLU_ENV_PROD” with two keywords: “Java” and “KB4021558”
  3. On the Inventory page, select the assets concerned.
  4. Click on the “Bulk edit” button.
  5. Click on “Update ignoring policy” then on the name of the policy (here “EXCLU_ENV_PROD”).
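The effect of this procedure can be modelled in code to check how a policy's keywords behave before rolling it out to a whole environment. The Python below is an added example, not Cyberwatch's own code: it assumes that a keyword matches a patch when it appears, case-insensitively, as a substring of the name shown in the “Technology” column, that an asset holds at most one policy, and that deleting a policy leaves existing assignments in place (the behaviour described in the notes above). The hostnames, technology names and CVE identifiers are constructed sample data.

```python
"""Model of keyword-based ignoring policies (added illustration, not Cyberwatch code).

Assumptions, labelled here and in the lead-in:
- a keyword matches a patch when it is a case-insensitive substring of the
  technology name shown in the "Technology" column;
- an asset holds at most one policy;
- deleting a policy from the catalogue does not clear assignments already held
  by assets.
All hostnames, technologies and CVE identifiers are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IgnoringPolicy:
    name: str
    keywords: tuple[str, ...]


@dataclass
class Patch:
    technology: str        # as it would appear in the "Technology" column (constructed)
    cves: tuple[str, ...]  # CVEs fixed by this patch (constructed identifiers)


@dataclass
class Asset:
    hostname: str
    patches: list[Patch]
    policy: Optional[IgnoringPolicy] = None  # one policy per asset


def matching_keywords(policy: IgnoringPolicy, technology: str) -> list[str]:
    """Keywords of the policy found inside the technology name (assumed substring match)."""
    tech = technology.lower()
    return [k for k in policy.keywords if k.lower() in tech]


def classify_cves(asset: Asset) -> tuple[list[str], list[str]]:
    """Split an asset's CVEs into (active, ignored); the ignored ones are the grayed-out tail."""
    active: list[str] = []
    ignored: list[str] = []
    for patch in asset.patches:
        hit = asset.policy is not None and matching_keywords(asset.policy, patch.technology)
        (ignored if hit else active).extend(patch.cves)
    return active, ignored


def bulk_assign(assets: list[Asset], policy: IgnoringPolicy) -> None:
    """Equivalent of Bulk edit > Update ignoring policy on the selected assets."""
    for asset in assets:
        asset.policy = policy


def search_target_package(assets: list[Asset], keyword: str) -> list[Asset]:
    """Assets with a patch whose technology mentions the keyword (cf. target_package:chrome)."""
    kw = keyword.lower()
    return [a for a in assets if any(kw in p.technology.lower() for p in a.patches)]


def keyword_reach(policy: IgnoringPolicy, assets: list[Asset]) -> dict[str, set[str]]:
    """For each keyword, every technology it would silence across the fleet.

    Reviewing this before assignment shows keywords broader than intended.
    """
    reach: dict[str, set[str]] = {k: set() for k in policy.keywords}
    for asset in assets:
        for patch in asset.patches:
            for k in matching_keywords(policy, patch.technology):
                reach[k].add(patch.technology)
    return reach


def delete_policy(catalogue: dict[str, IgnoringPolicy], name: str) -> None:
    """Remove a policy from the catalogue; assets keep their filter until edited one by one."""
    catalogue.pop(name)


# Constructed sample fleet: two production assets, constructed CVE ids
PROD = [
    Asset("prod-app-01", [Patch("Java 8 Update 171", ("CVE-0000-0001", "CVE-0000-0002")),
                          Patch("KB4021558", ("CVE-0000-0003",)),
                          Patch("Google Chrome 65", ("CVE-0000-0004",))]),
    Asset("prod-web-02", [Patch("JavaScript runtime (node)", ("CVE-0000-0005",)),
                          Patch("OpenSSL 1.0.2", ("CVE-0000-0006",))]),
]
EXCLU_ENV_PROD = IgnoringPolicy("EXCLU_ENV_PROD", ("Java", "KB4021558"))

if __name__ == "__main__":
    catalogue = {EXCLU_ENV_PROD.name: EXCLU_ENV_PROD}
    print(keyword_reach(EXCLU_ENV_PROD, PROD))  # "Java" also reaches the JavaScript runtime
    bulk_assign(PROD, EXCLU_ENV_PROD)
    for asset in PROD:
        print(asset.hostname, classify_cves(asset))
    delete_policy(catalogue, "EXCLU_ENV_PROD")
    print(PROD[0].policy is not None)  # True: the filter is still applied on the asset
```

Running `keyword_reach` before `bulk_assign` shows why keywords should be copied verbatim from the “Technology” column: under the substring assumption, the keyword “Java” also silences the CVEs of the constructed “JavaScript runtime (node)” entry, which is probably not what the policy author intended.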