I am a little confused about "Purge old host data when OS is changed" and I don't seem to find the answer I am looking for. I understand that enabling this option in my option profile will delete the old host information but the Host ID will remain the same for the new target. However, what I can't find is when the data of the old target is purged along with the tickets associated with it, does it purge:
a) Just data for host based vulnerabilities for the target OR
b) Just data for scan based vulnerabilities for the target OR
c) both a) and b)
We have in our environment enabled "Auto delete stored data" to store for 13 months to preserve scan based data for a year. Wanted to know if the data from this area is deleted or not if "Purge old host data when OS is changed" is enabled.
So basically does enabling this:
Does it override the following setting:
It is my understanding that the "Purge host data when OS changes" will not delete the actual scan data. The action that is triggered when an OS change is detected is the same as you going into Asset Search, selecting a host, and clicking Purge. The scan data would remain, but it would no longer be associated with the host itself.
I will say that this feature is very useful in a dynamic IP environment where an IP can be a workstation one day, and a printer the next. Without this enabled you can end up with Flash vulnerabilities on your printer that never go away until you purge. That said, it doesn't fire 100% of the time. We do occasionally find really old vulnerabilities on IPs that are actively being scanned because the OS changed but the purge function did not execute. We identify these situations by looking for last detected dates that are much older than the last scan date for an IP.
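The check described in the reply above (last detected dates much older than the last scan date for an IP) can be scripted against a detection export. This is an added example, not code from the thread or from Qualys; the CSV column names, the sample rows, the QIDs and the 30-day threshold are all constructed assumptions to be mapped to your own report fields.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a vendor schema.
SAMPLE_CSV = """ip,qid,title,last_detected,last_scan
10.0.0.15,100001,Flash Player update missing,2023-01-10,2024-03-01
10.0.0.15,100002,Printer default SNMP community,2024-03-01,2024-03-01
10.0.0.22,100003,Missing OS patch,2024-02-27,2024-03-01
10.0.0.30,100004,Old browser plugin,2023-06-05,2024-02-20
10.0.0.30,100005,Old media player,2023-06-05,2024-02-20
10.0.0.41,100006,Never scanned again,2023-05-01,
"""

def find_stale_detections(csv_text, max_gap_days=30):
    """Return {ip: [(qid, title, gap_days), ...]} for detections whose
    last-detected date trails the host's last scan by more than max_gap_days."""
    max_gap = timedelta(days=max_gap_days)
    stale = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Rows without both dates cannot be compared (host not actively scanned).
        if not row["last_scan"] or not row["last_detected"]:
            continue
        last_scan = datetime.strptime(row["last_scan"], "%Y-%m-%d")
        last_detected = datetime.strptime(row["last_detected"], "%Y-%m-%d")
        gap = last_scan - last_detected
        if gap > max_gap:
            stale[row["ip"]].append((row["qid"], row["title"], gap.days))
    return dict(stale)

def purge_candidates(csv_text, max_gap_days=30):
    """IPs to review for a manual purge, largest gap first."""
    stale = find_stale_detections(csv_text, max_gap_days)
    return sorted(stale, key=lambda ip: max(g for _, _, g in stale[ip]), reverse=True)

if __name__ == "__main__":
    stale = find_stale_detections(SAMPLE_CSV)
    for ip in purge_candidates(SAMPLE_CSV):
        for qid, title, gap in stale[ip]:
            print(f"{ip}  QID {qid}  {title}: {gap} days older than last scan")
```

A host that carries both a fresh detection and a very old one, like 10.0.0.15 in the sample, is the pattern to look at first: it is being scanned, yet an old finding is still attached to it.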