Life cycle of an exception

An exception is a request to defer the remediation of a VI or VG for a specified period. For example, as a remediation owner, you can request an exception if a patch is not available for a machine.

As the remediation owner, you can ask for an exemption for a VI or VG using the exception management process. After the exception approver approves this request, the VI or VG moves to a Deferred state.

VIs or VGs that cannot be remediated immediately are reviewed by vulnerability analysts, assessed for risk, and approved for deferral until they can be remediated. Approving an exception request can be a two-level workflow. If only the first-level approver is present, the exception can be requested and approved. However, if there's no first-level approver, an exception can't be requested. See Add an exception approver for more information.

After raising the exception, you can track its status by using the State Change Approvals tab of the VI or VG. If an action is taken on a VG, you can't track the status of the individual VIs in that VG.

When an exception request for a particular VI or VG expires, the impacted VI or VG reverts to the Open state.

Exception management approval process

If a single VI or all the VIs in a VG pass in the next scan, then the VIs and, where applicable, the VG State field changes to Closed with the substate Fixed.