Deviation file with no content, no deviations shown

General support questions for the Secutor Prime product.
tegist
Contributor
Posts: 14
Joined: Thu Jul 22, 2010 1:20 pm

Deviation file with no content, no deviations shown

Postby tegist » Mon Feb 14, 2011 6:33 pm

I'm using the 32-bit Secutor Prime Pro build 3032 to test Windows Server 2008 R2, using SCAP files generated from Microsoft Security Compliance Manager. I use the 64-bit tests in Securot. I create a Deviations file using the process described in the help file:
1. Open Deviations Manager.
2. Enter all the information, including browsing to the directory location where I'd like to store the file.
3. Use the "Profile Now" button and enter appropriate text on the findings to which I wish to apply a deviation.
4. Click on "Apply" or "Skip", as appropriate.
This didn't seem to make any difference in how Secutor ran. The same findings show up, whether or not I applied a deviation.
I clicked on the "Show Details" button in "Deviations Manager" and got the following text:
"Potential Deviatiosn (0)
This Deviation Profile may have been produced with a legacy version of Secutor Prime. Pleas perform an assessment to add the mark-up required for this report."
Running an assessment and then going to "Show Details" gives the same results. Clicking on the "Change" button in the "Deviations" frame and repeating the process does nothing, either.
The deviations file contains only the following:
<xml>
<threatguard_deviations>
<Copyright>
<generator>
<product_name>Secutor Prime</product_name>
<timestamp>2011-02-14T03:50:18</timestamp>
<library_version>100826, 3.2.2.26a</library_version>
</generator>
<deviations>
<profile>
</deviations>
</threatguard_deviations>

Help?
Tom Gist

tegist
Contributor
Posts: 14
Joined: Thu Jul 22, 2010 1:20 pm

More information

Postby tegist » Tue Feb 15, 2011 2:46 pm

After more searching in the help files, I discovered that I could also add deviations by right-clicking on each failed item and selecting "Add Deviation". I got exactly the same dialog box, but this time it worked. Deviation added, shows up in deviation file and details report, and so forth.

So, now my question is: Is this difference between Deviation Manager intentional? If so, it needs to be documented much better, especially since it's counter-intuitive. If it's not intentional, then we need to fix the bug.
Tom

robert.hollis
SME
Posts: 24
Joined: Wed Mar 07, 2007 12:32 pm

Postby robert.hollis » Tue Feb 15, 2011 5:35 pm

Hi Tom,

Thanks a bundle for your input. Older versions of the Deviation Manager (much older, like before August 2008), the Deviation file did not contain the driving XCCDF Rule that drove the deviation. This is not needed for functionality, but was extremely helpful to the end user in reporting.

The message you received occurs when a pre-Aug08 Deviation Profile XML file is used with post-Aug08 software. In such an instance, the software will attempt to retrofit the Rule tags into the existing XML file as a self-correction measure in the field.

If that self-correction is unsuccessful, we would recommend redoing the Deviation Profile with the new software. Starting from scratch and using the version of Prime that you're using, we were able to create deviations successfully using both methods on Server 2008 R2.

We will continue testing to see if we can create a scenario where the deviations are not created.

Thanks again for your input, Tom! We're glad is it's working for you now. Both methods should work for you from here.

-rob

tegist
Contributor
Posts: 14
Joined: Thu Jul 22, 2010 1:20 pm

Postby tegist » Tue Feb 15, 2011 6:38 pm

Robert,
Unfortunately, that explanation doesn't quite work. I had no deviation files until I opened up Deviations Manager with Secutor Prime Pro build 3032 and tried to create one.

Have you tried to this with SCAP files generated by Microsoft's Security Compliance Manager? That's where mine came from. I don't know if that makes a difference.

Tom

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Tue Feb 15, 2011 11:03 pm

Have you tried to this with SCAP files generated by Microsoft's Security Compliance Manager? That's where mine came from. I don't know if that makes a difference.


Yes we have, also using the same build of Secutor Prime that you are trying this with, and have been able to do so with no issues. That was done by us, however, who are very familiar with how the Deviation Profiler is set up to work, which isn't necessarily intuitive.

There are, in fact, some behavioral glitches in the Deviation Profiler in that build that we have been working on for the new version. Luckily, version 4 of Secutor Prime is nearly ready for release -- in all likelihood it will be make live late on Wednesday the 16th of February. Tomorrow.

If you can wait another day or two, give it a try with the new version. If it still acts all wonky on you we'll figure out what is different about your setup and work up a fix for it.


Return to “Secutor Prime Support”

Who is online

Users browsing this forum: No registered users and 6 guests