NeXpose Release November 17, 2011

Document created by mburstein Employee on Nov 17, 2011Last modified by mburstein Employee on Dec 9, 2011
Version 2Show Document
  • View in full screen mode

Rapid72011-11-17 product and content updates
                  Release announcement


This Rapid7® Nexpose® 5.0 release features dynamic virtual asset tracking, expanded risk and exposure assessment, configuration policy scanning, and an improved look and feel.


These release notes document what's new in this Nexpose release. Your Nexpose installation will automatically download and install content updates. If you have enabled Nexpose to install product updates, it will do so as well. See the third FAQ.

As with any major product release, remember to clear your browser cache after applying this update!

New asset discovery method enhances visibility into virtualized environments

With the new vAsset discovery feature, you can discover virtual machines by communicating directly with VMware vCenter or ESX(i) hosts.  This allows you to discover assets quickly without running a network-based discovery scan. You can filter your virtual machine discovery results  by metadata that is retrieved from the VMware connection.


After you have performed a vAsset discovery, you can easily create a dynamic site that  is always kept up to date with changes to your virtual environment. Real-time notifications of changes in your discovery environment ensure that  dynamic sites are updated appropriately and virtual assets are not excluded from scans.


At any time, you can view statistics about your virtualized  environment and monitor events that are relevant to scanning, such as virtual machines being powered on or off, new virtual machines coming online,  or virtual machines changing hosts.


NOTE: This feature is only available in Nexpose Enterprise Edition and Nexpose Consultant Edition.  To upgrade to one of these editions, please contact Rapid7.

Malware Exposure expands threat awareness

In addition to Exploit Exposure, the product now allows you to track Malware Exposure by leveraging new security research data to map vulnerabilities  to widely used malware/exploit kits. In the Vulnerability Listing table, you can sort for vulnerabilities that can be exploited by known exploit kits.


For each vulnerability that is exploitable by malware, you can view the specific kits known to deploy code that can exploit the vulnerability. Furthermore,  Malware Exposure is metadata that can be used in risk strategies that assess the risk associated with detected vulnerabilities. This gives you a significant  boost in proactively identifying the vulnerabilities that represent the greatest risk, and prioritizing your remediation for optimal productivity and improvement  of your security posture.

Expanded risk analytics provide greater insight into threats

A number of powerful new features give you greater insight into risk in your environment.

  • The new Real Risk strategy for calculating risk scores incorporates awareness of vulnerabilities' current exploitability and exposure to exploit kits  (used to build and distribute malware) to help you better assess which vulnerabilities pose the greatest threat to your assets. New installations will use this  strategy by default. For existing installations, administrators can update Global Settings to use the new risk strategy.
  • The new TemporalPlus strategy for calculating risk scores emphasizes the length of time that a vulnerability has been known to exist. It is similar to the existing  Temporal risk strategy, but it uses the newly available gamma function (see the following bullet) to provide a more granular analysis of vulnerability impact by expanding  the risk contribution of partial impact vectors.
  • The library of operations available for creating risk strategies has been expanded to include the subtract operator and the gamma function. The latter can be used as  a substitute for the existing factorial function for evaluating arguments that are not whole numbers.
  • Calculations for all risk strategies have been updated to help you better assess risk for correlated assets. You may notice a modest change  in some risk scores.
  • Risk score calculation is now based only on data from assets with completed scan status. If a scan pauses or stops, results from assets that do not have completed scan status  are not used for calculating risk scores. The calculation uses results for those assets from the most recent completed scans. Due to this improvement, you may see a change in risk scores for certain sites, asset groups, or assets.  To determine the scan status of an asset, consult the scan log. See the administrator's guide for more information.
  • Risk scores displayed in the Web interface and reports have been formatted for improved readability.

Risk trend reporting helps you track risk over time

With new risk trends, you can display graphs that demonstrate how risk changes over time for all assets in the scope of your reports. You can also display trends that  highlight how risk has changed for the top five high-risk sites, asset groups, or individual assets. The trends can be configured as advanced properties of your reports  and are available in reports that use the Executive Summary template or the new Risk Trend section.

After this update is applied, the risk history from the past year will automatically be calculated based on existing scan data. You can easily recalculate earlier risk history.  See the section on working with risk strategies in the administrator's guide.

Please be aware of the following issues related to this update:

  • On the day that you apply the update, you may see inconsistencies between risk scores in the Web interface and in risk trend reports.  The daily risk score recalculation will automatically correct this issue after midnight following the update.
  • Risk trend reports that are run shortly after midnight will not show graphs for highest-risk sites, highest-risk asset groups, or highest-risk assets  because of the daily risk score recalculation on which these graphs depend. To mitigate this issue, run or schedule reports at 1 a.m. or later.


Advanced Policy Engine verifies configuration compliance

You can now verify compliance with policies using the new Advanced Policy Engine. This fully integrated, next-generation compliance scanning framework allows you to scan for different  types of policies and perform vulnerability checks at the same time.


In the new Advanced Policy Results table, you can view each tested asset's overall compliance on a per-policy basis. You can drill down into a specific policy to determine whether the  asset passes or fails for each rule that makes up the policy. You can also view specific information on why a particular rule returned a given result. A permissions-based override  workflow allows you to change results.


Each rule is listed with its Common Configuration Enumeration (CCE).  Using CCEs, you can easily identify configuration issues for specific platforms. CCEs are searchable in the Web  interface. As with other Security Content Automation Protocol (SCAP) data in the product, new CCEs are downloaded and applied automatically with every content update.


NOTE: This feature is only available in Nexpose Enterprise Edition and Nexpose Consultant Edition.  To upgrade to one of these editions, please contact Rapid7.

FDCC scanning helps you keep current with government standards

With the new, fully integrated FDCC scan template, you can scan your Windows assets to verify compliance with Federal Desktop Core Configuration (FDCC) policies. Informed by the results  of policy scans, you can make any necessary configuration changes to ensure that your Windows assets comply with FDCC standards.


To help you further to comply with U.S. government requirements, this feature also allows you to generate SCAP Result Files and output their content in a machine-readable format for  submission to the Office of Management and Budget.


NOTE: The FDCC scan template is sold as a separately licensable option and requires the Advanced Policy Engine to be enabled. To discuss pricing and upgrade options, please contact Rapid7.

Better look and feel improves usability and user experience

The Web interface now features a cleaner, more accessible look and feel for better overall usability.  A multitude of improvements include better organization of features and workflows,  reduced visual clutter, and more helpful instructive text and labels.


You will notice some changes in the appearance and behavior of the Web interface, such as the following:

  • For better security, the auto-complete mechanism in the main logon form has been disabled. You will no longer be able to save passwords for this form in your browser.
  • Some buttons and controls now appear in different locations.
  • An advisory icon that appears in the upper-left corner of the Web interface notifies you of issues that may require your attention, such as an expired license or inactive vAsset discovery  connections.

Another usability improvement makes the Vulnerability Check Categories and Vulnerability Check Types panes in the Scan Template Configuration panel available to non-administrative users.  These controls conveniently allow you to select or remove entire vulnerability categories or types when configuring checks in scan templates.


Product update

  •   Linux 32 | Update ID: 1594097670
  •   Linux 64 | Update ID: 2112710348
  •   Windows 32 | Update ID: 1380848824
  •   Windows 64 | Update ID: 2821447697

Content update

  • Update ID: 939442873


   Released on November 17, 2011 (see fourth FAQ).                              

md5sum files

Download the appropriate md5sum file to ensure that the installer was not corrupted during download:                                  

Frequently asked questions (FAQs)

  • How will I know Nexpose has updated with this specific release?
    All updates are listed on the News page of the Nexpose Security Console Web interface.
  • Why doesn’t the most recent date on the News page match the dates of the current updates on the Administration page?
    You may occasionally notice that the most recent date on the News page does not match the dates of the current updates listed on the Nexpose Security Console administration page. The dates on the News page are official release dates. The dates on the console page indicate when updates were actually applied to your Nexpose installation.
  • What are content updates, and what are product updates?
    Content updates include new checks for vulnerabilities, patch verification, and compliance with security policies. Product updates include performance improvements, bug fixes, and new features in Nexpose.
  • Why are installers not updated with every release?
    To help you stay on top of an ever-growing number of security threats, Rapid7 makes the delivery of new security content timely and convenient.  After installation and first-time start-up, Nexpose continues to update itself dynamically. This makes it unnecessary for Rapid7 to update installers  with every release of security content. So, you don't have to download installers every time new content is available.
  • Does this dynamic self-updating cause Nexpose to restart?
    Yes. You may notice Nexpose taking longer to start for the first time after installation. You may also notice it restarting more than once as it completes a required sequence of updates.
  • How can I obtain more information about this release?
    If you have purchased Nexpose, contact our Technical Support Team at If you are using the Community version of Nexpose, go to
  • Where can I find announcements for other releases?
    You can find all release announcements in the Rapid7 Community at nts.
Join the Rapid7 Community!
Learn tips and tricks, engage with your peers,
and keep up with the latest product developments.