FAQs | ManageEngine Vulnerability Manager Plus

Frequently Asked Questions

Where do we procure the vulnerability data for different vendors?

Our internal researchers procure vulnerability information for Windows Operating systems and other Microsoft products from Microsoft's official security guidance page, and for different Linux distros from the official security advisories of the respective vendors. For third-party products, we obtain the vulnerability data from NIST and CVE details, and the respective vendors' official security advisory pages.

How do we arrive at the recommendations for security misconfigurations?

Our internal researchers procure information regarding security misconfigurations from recommendations in STIG and CIS, and also from respective vendor websites.

What is the source of the CIS benchmarks that Vulnerability Manager Plus uses for its audits?

All the CIS benchmarks that are used for Vulnerability Manager Plus' audits are arrived at from the official CIS website.

What is the difference between the Enterprise edition and Professional edition?

The Professional edition offers a variety of features which includes vulnerability scanning and assessment, detection of system misconfigurations, security misconfigurations, high-risk software and web server misconfigurations. The Enterprise edition offers all the features of the Professional edition and in addition to that, it offers remediation for all the security flaws from the console. Refer our detailed edition comparison to learn about the different editions in detail.

What is the difference between Vulnerability Manager Plus and Patch Manager Plus?

ManageEngine Vulnerability Manager Plus brings together all the capabilities of vulnerability management under one package- right from assessment of vulnerabilities to patching them, from managing security configurations of network endpoints to hardening internet facing web servers- from a centralized console.
Whereas, ManageEngine Patch Manager Plus is an exclusive tool for automating, customizing and streamlining the entire patching process. Best suited for IT administrators who are looking out for a stand-alone patch management solution. To learn in detail about the feature-wise comparison between the two products, refer this document.

What are the system requirements for the Central server?

Any of the Windows computers in your network with the requirements mentioned here can be hosted as your Central server.

How is Vulnerability Manager Plus licensed?

Vulnerability Manager Plus offers different pricing plan for workstations and servers, and the pricing is also different for Professional and Enterprise edition. For more details on the pricing, refer to our online store.

How to identify servers? Are all Linux machines considered servers?

Currently, if the operating systems meet any of the following criteria, we consider them as server machines:

If the operating systems' name contains the keyword "server"
If the machine with Red Hat Enterprise Linux OS has a Server subscription
If the machine has Oracle Linux OS

We recommend purchasing server licenses for any Linux machine when deploying them as servers within the organization.

How to identify servers from the Vulnerability Manager Plus web console?

Navigate to Agent --> Computers in the console interface. Create a filter for Operating System with tags "server" and "Oracle". The Red Hat Enterprise Linux OS server machines cannot be identified using the web console as its subscription has to be checked.

identify servers

How many servers can be managed with the free edition?

The free edition allows management of any number of servers, as long as the total number of endpoints does not exceed 25.

How do I track the status of High-risk software uninstallation?

You can track the status of high-risk software uninstallation from Deployments> Software uninstallation.

How do I track the status of security configuration deployments?

You can track the status of deployed security configurations from Deployments> Security configurations and re-deploy the failed deployments from here.

Why are patches also displayed under the software vulnerabilities tab?

Under software vulnerabilities, patches are displayed as a resolution to fix a known threat or vulnerability.

How does Vulnerability Manager Plus enumerate vulnerabilities to prioritize response?

Common Vulnerability Scoring System (CVSS v3.0) is used to assess the severity of vulnerabilities based upon the ease of exploit and the approximated potential of impact. Scores range between 1 and 10 with 10 being most severe. Additionally patches can be looked up using their CVE ID

Which platform does the security configuration management feature currently support?

The product currently supports security configuration management only for systems running on Windows OS

How are web servers and their vulnerabilities detected?

We detect web and database server vulnerabilities by scanning listening ports and identifying the application and its version. Vulnerabilities are identified by comparing the detected version to the vulnerability database.For further clarification on vulnerability applicability, please contact the vendor.

NOTE: Web/database servers will be detected only when they are actively running.

How are web server and its vulnerabilities detected for Vulnerability Manager Plus and other ManageEngine products?

For Vulnerability Manager Plus and other Zoho products, we use CVE analysis data from our internal security experts to exclude non-applicable vulnerabilities and display only applicable ones. In the initial days after a CVE is released, vulnerabilities may be detected, but if our analysis determines they are not applicable, they will be removed in subsequent scans after a database sync.

How long will it take for Dynamic CG exclusion to reflect?

Static group exclusion happens immediately, whereas for Dynamic groups, it reflects after the next scan.