Find vulnerabilities using ColorTokens vulnerability scanner
ColorTokens vulnerability scanner reports (Common Vulnerabilities and Exposures) CVE vulnerabilities associated with the software packages found on the assets. The software packages data is collected after agents are installed and registered with the Xshield instance. This inventory data is updated if the software versions on the assets change.
CVE vulnerabilities are reported by leveraging vFeed's Vulnerability Intel service. This integration with vFeed is synchronized periodically and on-demand to ensure that the new vulnerabilities are reported soon. See vFeed Vulnerability Intel for more details.
Currently, the ColorTokens vulnerability scanner reports vulnerabilities only for managed Windows assets.
Expected behavior
For existing instances
For existing instances that have integrated a Nessus vulnerability scanner, the integration is undisturbed. However, the Vulnerabilities and CVSS Score columns on the Assets page do not display data until the Xshield's next fetch schedule (12 AM GMT) is run to fetch the Nessus scan results. If you want to see data in these columns immediately, go to the fly panel of an asset and click Fetch Now to fetch the Nessus scan results for all the assets managed from the instance.
For existing instances that did not use the Nessus vulnerability scanner, the behavior is the same for new instances.
For new instances
For Xshield instances created after this release, the ColorTokens vulnerability scanner is activated by design. You can see the CVE vulnerabilities on the managed assets in less than a few minutes after you install the agents on the assets.
Activate Colortokens vulnerability scanner
Activate the ColorTokens vulnerability scanner when you want to switch from the Nessus scanner. It may take a few minutes for the ColorTokens vulnerability scanner to report the vulnerabilities data for the assets.
|
|
Interpret vulnerabilities data for an asset
The vulnerabilities and their details are displayed on the Assets page and the Asset fly panel.
Assets page
Go to the Assets page and see the Vulnerabilities (total number of vulnerabilities) and CVSS Score (highest of the CVSS scores of the CVEs on the asset ).
Asset fly panel
Go to an asset's fly panel to see the complete list of vulnerabilities on the asset, their CVSS scores, and publication dates, and the ports involved with the vulnerabilities. You can also see what scanner (Nessus scanner or ColorTokens scanner) reported these vulnerabilities.
If there are ongoing efforts to fix the vulnerabilities on the assets, click Fetch now to fetch the latest exposure data of the asset.
|
|
How to use ColorTokens vulnerability scanner
You can use ColorTokens vulnerability scanner for Windows workloads in One of the following ways:
-
See the actual list of vulnerabilities - for Observed workloads, the actual list of vulnerabilities is displayed soon after activating the ColorTokens vulnerability scanner. For enforced workloads, you must move the workloads to Observe mode to let Xshield consider all open ports on the assets to report all the vulnerabilities.
-
Quickly improve the risk posture by blocking vulnerable ports - if you see Critical or High vulnerabilities on an enforced workload, you must consider blocking the relevant vulnerable ports by updating the Xshield policies enforced on the workload. Fix the vulnerabilities with patches and revert the policies on the workload.
Switch to Nessus scanner
Switch to Nessus scanner if you want to scan for vulnerabilities on assets of non-Windows OSes managed by an instance. You will see the vulnerabilities data for assets (in Xshield) only after you scan the assets using the Nessus scanner and fetch the scan results or wait for Xshield's next fetch schedule (12 AM GMT, every day) to fetch the scan results. See See vulnerabilities data from Nessus Scanner for more details.