Forum Discussion
Unauthenticated check for Zerologon available
Tenable has released Microsoft Netlogon Elevation of Privilege.
This plugin attempts to authenticate to the target using an all zero client credential after providing an all zero client challenge. On vulnerable targets, this will succeed on average once every 256 attempts, and this plugin will attempt this up to 2000 times in order to verify if the target is affected.
Due to the number of login attempts required to accurately verify exploitability of a target, Tenable does not recommend running this plugin alongside any other plugins in a scan, as it is intended for single-target Domain Controller scans.
To enable the plugin, users must disable the 'Only use credentials provided by the user' setting under the Brute Force section in the Assessment options in their scan configuration.
8 Replies
- evan_coakley (Connect Rookie)
I have a support case open; however, if I try an advanced scan policy and select that plugin, it doesn't give any results or any indication that it runs. I then added in the 2 main dependencies and it still failed. Tenable support advised I would have to go through and turn on every single dependency and it may run. Then they suggested that I run a basic scan, which I did, and it also didn't run. Can you give any insight on making this run while I wait for Tenable support to review our log files?
- Anonymous
Are you running this scan in Tenable.io, Tenable.sc, or Nessus? We have options to audit the execution of a plugin.
The audit trail can show you precisely why a plugin didn't run. Usually a plugin won't fire if it thinks the target isn't valid for the scan for some reason. You can find instructions on that here: https://community.tenable.com/s/article/How-to-enable-Audit-Trail-on-Nessus
- evan_coakley (Connect Rookie)
We are running these through SC. After talking with their team, they already patched the systems. In the past we would run a scan that would show the results, then run another scan once it's been patched. Since we are running scans after it's patched, we are not seeing anything, which now makes sense.
- Anonymous
Hi Ryan,
You state "Tenable does not recommend running this plugin alongside any other plugins in a scan, as it is intended for single-target Domain Controller scans."
When configuring a scan, would I only enable 140657? Or would I need to enable all Windows plugins? Or just dependency plugins?
Thanks,
- Anonymous
Just this plugin and the appropriate scan settings.
I am having success in Security Center using the "Quick Credential Debug" scan and adding plugin 140657 to the policy of that scan.
The plugin first appeared to be very accurate, only firing on unpatched assets. After the Windows patch was applied I noticed remediation could only happen if I ran the "remediation scan" from the analysis tool. This was cumbersome but sufficient to track the patch status.
Now that we are down to only a few assets, I can run the QCD + 140657 to detect the vuln. I then use the "remediation scan" in the analysis tool and each of the detected vulns is remediated.
The problem I have now is for these last assets, 140657 fires every night and the next day I can "remediate" the vulns with a "remediation scan". This has happened every night this week.
1) Why are the plugins firing every night and then can also be remediated every day with a "remediation scan"?
2) Why is remediation for 140657 only detected when using a "remediation scan" and not during the "QCD + 140657" scan?
- Anonymous
This isn't intended behavior for sure. The remediation scan exists to let users move a particular vulnerability to 'mitigated' without running a whole scan.
Please open up a support case at support.tenable.com and send this info to our support team. They'll want to grab some debug info from the scan to see why SecurityCenter isn't moving the vulnerability to mitigated.
Support will also need to know if these assets have been patched. If they have, then the scan shouldn't be flagging those assets as vulnerable. If not, then that makes me think the remediation scan is failing to get a positive hit and incorrectly tagging a target as mitigated.
For some quick direct answers to your two questions:
- If the scan is flagging a target as vulnerable, then the plugins were able to get a successful session through a real exploit attempt. If the remediation scan is marking a target as mitigated, then something about the nature of that scan is failing to exploit the target.
- That's not intended behavior. If regular scans are not showing a target as vulnerable, but also then not moving a vulnerability in your repository to mitigated, then SecurityCenter is mishandling the data it's getting back from your scanners for this plugin specifically.
- mcorcoran (Connect Contributor)
Was a ticket created for this issue? We are having the same problem with this vulnerability not mitigating. Is there an ETA?