This article explains when a host vulnerability assessment identifies a vulnerability as fixed.
Package collection runs multiple times per day but host vulnerability assessments run once per day. The assessment considers the last 24 hours of packages installed on the host. A package must be cleared from the OS for 24 hours for the assessment to display the vulnerability status as fixed.
Example Workflow
An assessment identifies vulnerabilities, and you fix the vulnerabilities the next day, but the next assessment does not display the fixes. For example:
Assessment runs at 8PM Pacific Time on Monday.
The assessment identifies packages with a vulnerability status of new, active.
You fix (remove or upgrade) packages on Tuesday (the next day).
The assessment runs at 8PM on Tuesday.
The assessment does not identify that the packages were removed or upgraded. If the assessment identified the packages were removed or upgraded, it would set the vulnerability status to fixed.
The assessment runs at 8PM on Wednesday.
The assessment identifies that the packages were removed or upgraded.
Why doesn't Tuesday's assessment identify the packages as fixed?
Package collection runs hourly; however, Lacework does not restrict the assessment to the last hour of collected packages. The assessment considers the last day of packages because that matches the assessment interval, which is daily. The impact is that if the package existed at any point within the 24 hours before the assessment, it appears in the assessment.
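As an added illustration of the 24-hour window described above (not Lacework's own code), here is a small Python model of the Monday-Wednesday timeline; the package name, the collection timestamps and the exact new/active/fixed rules are assumptions.

```python
from datetime import datetime, timedelta

# Simplified model of the window behaviour described above; assumed, not Lacework's code.
LOOKBACK = timedelta(hours=24)
ASSESSMENT_HOUR = 20  # 8PM

# Constructed hourly collection snapshots: (collection time, installed packages).
# Only the collections that matter for the Monday-Wednesday example are listed.
COLLECTIONS = [
    (datetime(2024, 1, 1, 19), {"pkg-a-1.0"}),  # Monday 7PM: vulnerable version installed
    (datetime(2024, 1, 2, 9), {"pkg-a-1.0"}),   # Tuesday 9AM: still installed
    (datetime(2024, 1, 2, 10), set()),          # Tuesday 10AM: package removed
    (datetime(2024, 1, 3, 19), set()),          # Wednesday 7PM: still absent
]
VULNERABLE = {"pkg-a-1.0"}  # constructed: package versions with a known vulnerability


def packages_in_window(collections, assessed_at, lookback=LOOKBACK):
    """Union of packages seen in any collection during the lookback window."""
    seen = set()
    for ts, pkgs in collections:
        if assessed_at - lookback < ts <= assessed_at:
            seen |= pkgs
    return seen


def assess(collections, assessed_at, previous):
    """One daily assessment: returns {package: status} given the prior statuses."""
    present = packages_in_window(collections, assessed_at) & VULNERABLE
    statuses = {}
    for pkg in present:
        statuses[pkg] = "active" if previous.get(pkg) in ("new", "active") else "new"
    # Reported before, but absent from every collection in the window: fixed.
    for pkg, status in previous.items():
        if pkg not in present and status != "fixed":
            statuses[pkg] = "fixed"
    return statuses


def run_example():
    """Walk the Monday-Wednesday timeline; returns each day's statuses."""
    results, previous = {}, {}
    for day, date in (("Monday", 1), ("Tuesday", 2), ("Wednesday", 3)):
        previous = assess(COLLECTIONS, datetime(2024, 1, date, ASSESSMENT_HOUR), previous)
        results[day] = dict(previous)
    return results


if __name__ == "__main__":
    print(run_example())
```

Tuesday's 8PM window still contains the 9AM collection in which the package was present, so the status stays active; only Wednesday's window is free of it.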