Name of Your Organization:

Positive Technologies CJSC

Web Site:

http://ptsecurity.com

Compatible Capability:

MaxPatrol

Capability home page:

http://maxpatrol.com

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

MaxPatrol is software sold either by Positive Technologies' channel partners or directly by Positive Technologies itself.

Mapping Questions

Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

MaxPatrol uses a vulnerability database that is updated weekly with the latest vulnerability and CVE mapping information. The database does not store CVE entry content, only mapping information and links to CVE Identifiers. When new CVE entries are discovered, the corresponding mapping information is added to the vulnerability database rather than merging the complete CVE database into the MaxPatrol vulnerability database at every CVE version update. For this reason MaxPatrol does not indicate the version number of the last CVE database used.

Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (required):

MaxPatrol's vulnerability database is updated weekly with the latest vulnerability and CVE mapping information. The database does not store CVE entry content, only mapping information and links to CVE Identifiers. A dedicated department of the Positive Research Center produces the mappings. Mapping information is generally taken from the notifications of the various vendors. Any discrepancies in MaxPatrol's CVE references are typically resolved by the time of the next update release.

Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CVE content (required):

Information about new CVE IDs is added to the MaxPatrol knowledge base with the regular updates. The MaxPatrol update policy is explained at the beginning of paragraph 6, "MaxPatrol Update System", of the MaxPatrol User Guide.

Map Content Selection Criteria <CR_5.4>

Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):

We do not add information about newly discovered vulnerabilities to the database ahead of MITRE: MITRE publishes the new CVE entry first, and only then do we include information about that vulnerability in our product. The detailed information is typically taken from vendor notifications that link to the appropriate CVE entries. In this way the MaxPatrol vulnerability database information is mapped to CVE IDs.

Map Currency Update Mechanism <CR_5.4>

Describe the mechanism used for reviewing CVE for content changes (required):

The MaxPatrol vulnerability database does not store CVE entry content, only mapping information and links to CVE Identifiers. Any discrepancies in MaxPatrol's CVE references are typically resolved by the time of the next update release.

Map Content Source <CR_5.5>

Describe the source of your CVE content (required):

The MaxPatrol vulnerability database does not store CVE entry content, only mapping information and links to CVE Identifiers. Detailed information about vulnerabilities, together with the CVE mapping information, is typically taken from vendor vulnerability notifications that link to the appropriate CVE entries.

Documentation Questions

CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

Section 5.4 "The support of CVE" of the MaxPatrol Administrator Guide.

Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability’s repository (required):

Section 5.4.2 "Filtering vulnerabilities by CVE IDs" of the MaxPatrol Administrator Guide.

Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability’s repository (required):

Section 5.4.1 "CVE output" of the MaxPatrol Administrator Guide.

Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

The MaxPatrol documentation does not include an index.

Type-Specific Capability Questions

Tool Questions

Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

The user can create vulnerability groups that can later be used in scan tasks and report tasks. If a vulnerability group is specified in a scan task, the system does not perform a full scan for all known vulnerabilities but searches only for the vulnerabilities specified. The user can also configure a report to contain information about specified vulnerabilities only. In this case the system conducts a full scan for all known vulnerabilities, but the generated report contains data only about the specified vulnerabilities.

A vulnerability group can be created, among other ways, by specifying the CVE names of the vulnerabilities. To do that, perform the following actions in the MaxPatrol console:


  1. Go to the "Configuration" tab in the top bar.
  2. Go to the "Groups" tab in the left bar.
  3. Create your group in the left panel.
  4. Open the new group folder.
  5. Go to the right panel and choose "Advanced search" at the top right.
  6. In the window that appears, choose "CVE" from the "Vulnerability identifiers" dropdown menu.
  7. Enter the CVE Identifiers, one name per line, into the field provided.
  8. When finished, run the search by pressing the "OK" button.
  9. In the right panel, select all the vulnerabilities found and add them to your custom group in the left panel. Your vulnerability group is ready to use.

The user can also filter the vulnerability data in a report by CVE name by specifying a comma-separated list of CVE names in the report settings. To do this, take these steps in the MaxPatrol console:


  1. Go to the "Reports" tab.
  2. Create a new report template.
  3. In the "Report type" field, specify the report type: "Information" or "Differential".
  4. In the "Data filter" field, select the "By field" check box and select "CVE" from the dropdown list. In the empty field, specify the CVE names separated by commas.

Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

MaxPatrol always includes the CVE IDs of found vulnerabilities in its reports where applicable. The CVE ID is shown directly beneath the title of the vulnerability (which specifies its type) and its Positive Research ID, and is hyperlinked to the relevant page at cve.mitre.org. The same hyperlink is also provided in the "Links" section of the vulnerability description. See below for an example of such output:

[Screenshot of report output showing the CVE ID beneath the vulnerability title; not reproduced here.]

Media Questions

Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

MaxPatrol can generate scan report documents in PDF, MHTML and XML formats. These reports contain, among other things, vulnerability information accompanied by the corresponding CVE IDs and links to their descriptions on the MITRE website. PDF reports can be searched with a reader or an editor; MHTML reports can be searched in a browser. In XML reports the global_id tag with its name attribute set to "CVE" is used, and it can be extracted with any XML parser. The following is an example of such a tag: <global_id name="CVE" value="CVE-2009-0758"/>.

Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

MaxPatrol always includes the CVE IDs of found vulnerabilities in its report documents where applicable. The CVE ID is shown directly beneath the title of the vulnerability (which specifies its type) and its Positive Research ID. If the "Vulnerability Description" parameter of the scan report is not set, only the vulnerability titles and IDs, including the CVE ID, are shown in the report documents. See below for an example of such output.

[Screenshot of a report listing vulnerability titles with their IDs, including CVE IDs; not reproduced here.]

Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability’s individual elements to the respective CVE name(s) (recommended):

MaxPatrol always includes the CVE IDs of found vulnerabilities in its report documents where applicable. The CVE ID is shown directly beneath the title of the vulnerability (which specifies its type) and its Positive Research ID, and is hyperlinked to the relevant page at cve.mitre.org. The same hyperlink is also provided in the "Links" section of the vulnerability description. See below for an example of such output.

[Screenshot of a report entry showing the mapping from the vulnerability to its CVE ID; not reproduced here.]

Graphical User Interface (GUI)

Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CVE name(s) (required):

MaxPatrol does not provide a way to browse the entire vulnerability database. Instead, security elements, along with their respective CVE IDs, are displayed in reports when they are found during the scanning process. Once a report has been generated, the user can search for security elements by their CVE names with the standard search functions. It is also possible to specify CVE names when generating a report so that only the corresponding security elements are included. Instructions for doing this are given in the answer to question <CR_A.2.1>.

It is also possible to look up the MaxPatrol IDs of security elements by their CVE names. To do that, proceed as follows in MaxPatrol:


  1. Select the "Configuration" tab in the top bar.
  2. Select the "Groups" tab in the left bar.
  3. Go to the right panel and choose "Advanced search" at the top right.
  4. In the window that appears, choose "CVE" from the "Vulnerability identifiers" dropdown menu.
  5. Type the CVE identifier for which you want to get the MaxPatrol ID.
  6. Run the search by pressing the "OK" button.
  7. The search result for the CVE entered will appear. Among other data, it contains the MaxPatrol ID of the security element.

GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability’s elements, also describe the format of the mapping (required):

MaxPatrol always shows the CVE names of security elements, both in the GUI and in report files, where applicable. See the answers to questions <CR_A.2.2>, <CR_B.3.2>, and <CR_B.3.3>.

GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

MaxPatrol can generate scan report documents in PDF, MHTML and XML formats. These reports contain, among other things, vulnerability information accompanied by the corresponding CVE IDs and links to their descriptions on the MITRE website. PDF reports can be searched with a reader or an editor; MHTML reports can be searched in a browser. In XML reports the global_id tag with its name attribute set to "CVE" is used, and it can be extracted with any XML parser. The following is an example of such a tag: <global_id name="CVE" value="CVE-2009-0758"/>.

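The XML handling described in the answers to <CR_B.3.1> and <CR_B.4.3> can be automated. The script below is an added example written for this page, not code from Positive Technologies or from MaxPatrol. The only element it relies on from the page is the global_id tag with name="CVE"; the enclosing report, host and vulnerability elements and their attributes in the constructed sample are assumptions made so the example runs offline. It walks the whole document with ElementTree, normalises and validates each CVE value, ignores global_id tags for other identifier schemes, and builds a reverse index from CVE ID to the vulnerability element IDs that carry it.

```python
"""Extract and index CVE IDs from a MaxPatrol-style XML scan report.

Only <global_id name="CVE" value="..."/> is documented on the page; the
surrounding element names and attributes used in SAMPLE_REPORT are
assumptions made to keep this example self-contained.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not real MaxPatrol output). The global_id tags
# follow the format given in the questionnaire; everything else is assumed.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<report>
  <host ip="192.0.2.10">
    <vulnerability id="PT-2009-01" title="Example buffer overflow">
      <global_id name="CVE" value="CVE-2009-0758"/>
      <global_id name="BID" value="33939"/>
    </vulnerability>
    <vulnerability id="PT-2010-07" title="Example information disclosure">
      <global_id name="CVE" value="CVE-2010-0001"/>
      <global_id name="CVE" value="CVE-2010-0002"/>
    </vulnerability>
    <vulnerability id="PT-2011-03" title="Example misconfiguration">
      <global_id name="CVE" value=" cve-2011-9999 "/>
    </vulnerability>
  </host>
</report>
"""

# Canonical CVE ID syntax: "CVE-" + four-digit year + four or more digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def _cve_value(tag):
    """Return the normalised CVE ID from a global_id tag, or None if it is
    not a CVE tag or the value is malformed."""
    if tag.get("name") != "CVE":
        return None
    value = (tag.get("value") or "").strip().upper()
    return value if CVE_RE.match(value) else None


def extract_cve_ids(xml_text):
    """Return the sorted, de-duplicated list of CVE IDs found anywhere in the
    report, regardless of the enclosing element structure."""
    # ElementTree does not fetch external entities, but it is still
    # vulnerable to entity-expansion attacks; parse reports from untrusted
    # sources with defusedxml instead (assumption: reports here are trusted).
    root = ET.fromstring(xml_text)
    found = set()
    for tag in root.iter("global_id"):
        cve = _cve_value(tag)
        if cve:
            found.add(cve)
    return sorted(found)


def index_by_cve(xml_text):
    """Map each CVE ID to the list of vulnerability element IDs carrying it.

    Assumes (not stated on the page) that each vulnerability element has an
    ``id`` attribute holding the tool's own identifier.
    """
    root = ET.fromstring(xml_text)
    index = defaultdict(list)
    for vuln in root.iter("vulnerability"):
        for tag in vuln.findall("global_id"):
            cve = _cve_value(tag)
            if cve:
                index[cve].append(vuln.get("id"))
    return dict(index)


if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_REPORT):
        print(cve)
    for cve, ids in sorted(index_by_cve(SAMPLE_REPORT).items()):
        print(f"{cve}: {', '.join(ids)}")
```

Using root.iter("global_id") rather than a fixed path means the extraction keeps working if the report nesting differs from the assumed sample; the regex check guards against stray values being treated as CVE IDs when the XML is later fed into a ticketing or correlation system.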

Questions for Signature

Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Sergey V. Gordeychik

Title: Chief Technical Officer

Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability’s Repository and the CVE entries our capability identifies."

Name: Sergey V. Gordeychik

Title: Chief Technical Officer

Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tool's efficiency in identifying security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Sergey V. Gordeychik

Title: Chief Technical Officer

Page Last Updated or Reviewed: September 13, 2016