Updated on 2024-02-27 GMT+08:00

What Do I Do If an Alarm Still Exists After I Fixed a Vulnerability?

An alarm indicates that an attack was detected. It does not mean that your cloud servers have been compromised.

If you receive an alarm, handle it and take countermeasures in a timely manner.

Vulnerability Cause

After the vulnerability is fixed, it will still be displayed on the console. You can check vulnerability statuses on the Vulnerabilities page. The status may be Fixed or Failed.

  • If a vulnerability is fixed, its status will change to Fixed.

    A fixed vulnerability remains in the list for 30 days after it is fixed.

  • If it fails to be fixed, its status will change to Failed.

    Perform the following operations to locate the cause and fix the problems on Windows or Linux servers.

Possible Causes and Solutions on a Windows Server

  • The patch package failed to be downloaded.

    Your server may not have the permission to access the Internet. In this case, connect to the Internet and fix the vulnerability again.

  • The patch package does not match your OS.

    In this case, select the vulnerability and click Ignore on the Vulnerabilities page.

  • Another patch is being installed.

    In this case, wait until the current patch is installed, and then fix the vulnerability.

  • Server settings hinder vulnerability fix or alarm clearance.
    • If automatic patch update is enabled on the server, and you have confirmed that a patch has been installed to fix the vulnerability, you can ignore the vulnerability on the console.
    • If the latest patch has overwritten old patches (in Windows Server 2016 and later), and you have confirmed that a patch has been installed to fix the vulnerability, you can ignore the vulnerability on the console.
    • If a piece of security software (such as the Server Edition of 360 Guard) blocks the vulnerability patch, stop the software, fix the vulnerability, and then start the software again.
    • Microsoft stopped updating and maintaining Windows Server 2008 R2 on January 14, 2020. To continue to use the system, you need to purchase Extended Security Update (ESU) keys and activate or replace the Windows OS.

Possible Causes and Solutions on a Linux Server

  • No yum sources have been configured.

    In this case, configure a yum source suitable for your Linux OS, and fix the vulnerability again.

  • The yum source does not have the latest upgrade package of the corresponding software.

    Switch to the yum source having the required package and fix the vulnerability again.

  • The intranet environment cannot connect to the Internet.

    Servers need to access the Internet and use external yum sources to fix vulnerabilities. If your servers cannot access the Internet, or the external image sources cannot provide stable services, you can use the image source provided by Huawei Cloud.

  • The old kernel version remains.

    Old kernel versions often remain on servers after an upgrade. You can run the verification commands to check whether the current kernel version meets the vulnerability fix requirements. If it does, ignore the vulnerability on the Linux Vulnerabilities tab of the Vulnerabilities page. You are not advised to delete the old kernel.

    Table 1 Verification commands

    OS                                   Verification Command
    CentOS/Fedora/Euler/Redhat/Oracle    rpm -qa | grep Software_name
    Debian/Ubuntu                        dpkg -l | grep Software_name
    Gentoo                               emerge --search Software_name

Follow-up Operations

After the vulnerability is fixed, you are advised to perform a manual detection to verify the result. For details, see How Do I Scan My Servers?

  • HSS performs a full check early every morning. If you do not perform a manual verification, you can view the system check result on the day after you fix the vulnerability.
  • Restart the system after you fix a Windows OS or Linux kernel vulnerability, or HSS will probably continue to warn you of this vulnerability.
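
The old-kernel case and the restart note above can be checked together: the script below tells a server whose running kernel already meets the fix requirement apart from one where the fixed kernel is installed but the old one is still booted. It is an added example, not part of HSS or of the original page; the function names, the sample release strings and the required release 3.10.0-1160.119.1 are constructed placeholders, and only the leading numeric fields of a release are compared.

```shell
#!/bin/sh
# Added example, not HSS code. Simplification: only the leading numeric
# fields of a kernel release are compared (3.10.0-1160.119.1 out of
# 3.10.0-1160.119.1.el7.x86_64); this is not full rpm/dpkg ordering.

# kver_ge A B: succeed when kernel release A is at least release B.
kver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        match(a, /^[0-9]+([.-][0-9]+)*/)
        na = split(substr(a, 1, RLENGTH), fa, /[.-]/)
        match(b, /^[0-9]+([.-][0-9]+)*/)
        nb = split(substr(b, 1, RLENGTH), fb, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? fa[i] + 0 : 0   # missing field counts as 0
            y = (i <= nb) ? fb[i] + 0 : 0
            if (x != y) exit ((x > y) ? 0 : 1)
        }
        exit 0
    }'
}

# kernel_fix_status RUNNING REQUIRED INSTALLED
#   RUNNING   kernel release in use, as printed by `uname -r`
#   REQUIRED  first fixed release (a value you supply; placeholder below)
#   INSTALLED installed kernel releases, whitespace separated
kernel_fix_status() {
    if kver_ge "$1" "$2"; then
        echo "fixed"              # running kernel meets the requirement
        return 0
    fi
    for k in $3; do
        if kver_ge "$k" "$2"; then
            echo "reboot-needed"  # fixed kernel installed, old one booted
            return 0
        fi
    done
    echo "not-installed"          # no installed kernel meets it
}

# Constructed sample: old kernel still booted after the upgrade.
kernel_fix_status "3.10.0-1160.el7.x86_64" "3.10.0-1160.119.1" \
    "3.10.0-1160.el7.x86_64 3.10.0-1160.119.1.el7.x86_64"
```

On a real server, pass the output of `uname -r` as the first argument and the installed kernel package versions reported by the verification commands in Table 1 as the third.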
