Can someone provide some information regarding the creation of a dynamic list with the "No Patch Solution" setting enabled? If I was to create a policy for ticket remediation with the below setting what are some of the implications that I would be facing?
We are trying to tune the Qualys VM remediation flows and would like to create some additional policies. A good example are QID's that have been added in Qualys for which the Vendor (Microsoft, CISCO etc) have not released a patch yet. Since the Vendor has not released a patch the logic is that our remediation team cannot work on this and that the ticket will be assigned and will start to age because no one can work on it. So I've been asked to come up with a policy for the ticket workflow where these "No patch" vulnerabilities are auto-closed after a scheduled scan.
Is this a good practice to follow?
Is there a better way to handle this?
What are the implications if I do this?
Will we miss something? Meaning do these "No patch solution" have any other type of solution?
Feedback would be appreciated.