Exam SY0-601 topic 1 question 334 discussion

Given that the vulnerability used to exploit the server is present in historical vulnerability scan reports and a patch is available, it suggests that the vulnerability has been known and detectable in the past. Therefore, it is more likely that the latest scan report produced a false negative and failed to identify the vulnerability. While it is possible for an adversary to tamper with vulnerability scan reports, it is less likely in this case since the vulnerability is present in historical scan reports. The scenario indicates that the vulnerability was known prior to the incident.

I think B, because the vulnerability is present in historical scan reports. That would seem to me to mean that it is missing only from the latest one. Thus, it had to be removed by an adversary.

For an adversary to alter the vulnerability scan reports, he would need access to : #1 Compromised Scanning Tool, #2 Access to Report Storage, #3 Man-in-the-Middle Attack Trust me, patch manipulation would be the least of your problems. The answer is D

https://www.codecademy.com/article/vulnerability-scans#:~:text=A%20false%20negative%20is% Choice D fits this scenario BEST. I am not going to assume that there is a version incompatibility because there is no mention of it, so A is out. B is also out because there is no mention of any clue that leads to altered scan reports. Zero Day attack is NO. The information given in the scenario all points to this vulnerability scan report that revealed no findings but there was an incident before where it was documented and there is a patch for problem already. A false negative is when the scanner says there isn’t a vulnerability, but there actually is. This means that even if a scan says it found 0 vulnerabilities, that doesn’t mean there are no vulnerabilities present.

I think this is also one of the questions with several correct answers with different grades, It could be A, B or C. The puzzle for me is, which of the options is most accurate?

Vulnerability has always been present but not patched hence, it was exploited. So what failed? Either the issue with compatibility is true or an adversary altered the vuln scan report. The lattr is more likely because unlike previous scans, we suddenly no longer see that vulnerability reported,

A. Security patches failed to install due to a version incompatibility. Explanation: The historical vulnerability scan reports indicated the presence of the vulnerability, and a patch was available. This suggests that the vulnerability was known and documented, and there was an opportunity to address it. The latest scan report showed no concerning findings, indicating that either the vulnerability was not detected in the latest scan or that the system was believed to be patched. Given that the patch was available but the vulnerability still existed on the server, it is plausible that the security patches failed to install correctly due to a version incompatibility or some other issue during the patching process.

The question is about the cause of the incident: if the vulnerability has been revealed it cannot be 0 day, nor false negative, nor altered by the adversary.

if the vulnerability exists and is not appearing in the last scan, it is a false negative.... very clear

You could say that the scan didn't pick up the exploit because it is a zero day vulnerability and so there is no signature in its data base. That would explain why there are finding (apart form the already known one in historical vulnerability scan reports), and why there was an incident in the first place. Not a good question in my opinion since all the choices make sense on way or the other.

This is super weird cause this is literally Question 181 with a slight difference in answers. However, the solution to 181 was an employee removed the security patch and option D wasn't even considered a possibility amongst the community ( however it's voted most likely here). CompTIA is the worst.

So from reading the questions it is stating "The vulnerability that was used to exploit the server" which mean there was an incident. That incident "is present in historical vulnerability scan reports, and a patch is available for the vulnerability." The vulnerability that caused this incident is reported in historical scan, but during the current scan " reviewing the latest vulnerability scan report for a web server following an incident. The vulnerability report showed no concerning findings." which means the vulnerability isn't showing up. But the incident did happen so, the vulnerability still exist. I am voting for B because it isn't a false negative from reading this part "The vulnerability that was used to exploit the server" since it is saying it was exploited.

While it is technically possible for an adversary to alter vulnerability scan reports, it is generally considered less likely. Altering vulnerability scan reports would require a high level of sophistication and access to the scanning infrastructure Additionally, the purpose of vulnerability scans is to identify and address security vulnerabilities, so altering the reports would defeat the purpose of the scans False negatives, where a vulnerability is present but not detected by the scan, are more common than intentional alteration of reports. False negatives can occur due to various reasons, such as outdated scan definitions, misconfigurations, or limitations of the scanning tool used It is important for organizations to regularly review and validate the accuracy of vulnerability scan reports to ensure that vulnerabilities are properly identified and addressed.

I'm going with D...

The scan has previously successfully recognized the vulnerability. There was an incident, which I believe is the key to this question. A patch being available has no impact on this question. As there was an incident, something must have been done to alter the scan reports, as nothing else has changed, the scan wouldn't just stop reporting a vulnerability without something else occurring.

ChatGPT states The vulnerability scan did not detect the vulnerability that was used to exploit the server, which resulted in the report showing no concerning findings. D.

I think this is what happened: 1- scans detect the vulnerability, but no patch is available yet. 2- scans do not detect vulnerability (false negative). 3- patch becomes available, but is not applied because the last report indicates no vulnerabilities found (and apparently no one remembers about the previously detected vulnerability) 4- vulnerability is exploited :( If the patch had failed to install, the vulnerability would have been detected in the last scan (so A is not correct).