3 Replies Latest reply on Jan 20, 2015 8:46 AM by JoeDrwiega

    Patch Detection Quality Control

    georged Apprentice

      I'd love to understand how LANDesk puts together the detection on LANDesk patches.

      We are seeing many inaccurate detections that are being caught by our Nessus scanner.

      I believe these should have changed for everyone as it was refreshed after a new download.

      ------------- This is the info I sent to support to have them change a few detections.

       

      From my Server 2012 x64 machines, this seems to be missing:

       

      http://support.microsoft.com/kb/2973501

       

      Nessus Results:

      - C:\Windows\system32\mstscax.dll has not been patched

          Remote version : 6.2.9200.16794

          Should be      : 6.2.9200.17048

       

        Missing KBs :

          2973501

       

      I don’t see any pre-reqs for KB2973501 and I don’t see it applied to numerous machines. Why the pre-req check?

      Scan log:

       

      Current Definition ID: 2973501_MSU

      Checking vulnerability 2973501_MSU, rule index 0 ('Windows8-RT-KB2973501-x64.MSU')

      Running detection script

      The prerequisite doesn't meet(KB2871997,KB2973351), exit the Scan process.

      Vul 2973501_MSU, patch index 0  -----------------------  took 4447 ms

      VUL: '2973501_MSU' (windows8-rt-kb2973501-x64.msu) not detected.  File/OS version(s) verified

      From my 2008 R2 x64 machines, this seems to be missing:

      Nessus Results:

      - C:\Windows\system32\mstscax.dll has not been patched

          Remote version : 6.2.9200.16398

          Should be      : 6.2.9200.17053

       

        Missing KBs :

          2984976

       

      http://support.microsoft.com/kb/2984976

      http://support.microsoft.com/kb/2984972

      http://support.microsoft.com/kb/2592687

      http://support.microsoft.com/kb/2574819

       

      2984976 -> pre-reqs (2984972, 2592687 (pre-req 2574819))  -- from the KBs

       

      Where are the additional pre-reqs coming from?

       

      Scan Log:

       

      Current Definition ID: 2984976_MSU

      Checking vulnerability 2984976_MSU, rule index 0 ('Windows6.1-KB2984976-x64.Msu')

      Running detection script

      The prerequisite doesn't meet(KB2871997,KB2973351,KB2984972,KB2574819,KB2592687), exit the Scan process.

      Vul 2984976_MSU, patch index 0 ----------------------- took 24625 ms

      VUL: '2984976_MSU' (windows6.1-kb2984976-x64.msu) not detected. File/OS version(s) verified

      Patch is NOT installed

      Checking vulnerability 2984976_MSU, rule index 1 ('Windows6.1-KB2984976-x86.msU')

      No affected platforms were found.

       

      ---

      Support fixed the patch (assumption: I'm still applying it) for 2012 servers, but 2008 R2 is still incorrect.

      Then another look showed that the sub-patch had a patch detection error.

       

      My next email ----

      The 2008 R2 machines still don't pick up.  It looks like I'm missing 2984972.

      2984976 -> pre-reqs (2984972, 2592687 (pre-req 2574819))  -- from the KBs

       

      http://support.microsoft.com/kb/2984972

      According to your script for that patch 2984972_MSU:

       

      ' excerpt of the LANDesk detection script: bail out before any file/registry
      ' check unless both prerequisite KBs are already present
      If Not (KB2871997 And KB2973351) Then
         log "The prerequisite doesn't meet(KB2871997,KB2973351), exit the Scan process."
         Exit Sub
      End If

      Why? The KB doesn't mention any pre-reqs.

       

      ---

      Waiting to hear back on this one now.
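The reconciliation described above, written out as an added example (this is not LANDesk's or Nessus's code, and the two text blocks are constructed from the excerpts in the post): it parses a Nessus file-version finding and a LANDesk scan-log excerpt, compares the DLL versions numerically rather than as strings, and lists the prerequisites the detection script insisted on that the KB articles do not document. The prerequisite table is the one derived from the KB articles in the post; everything else is assumed for illustration.

```python
"""Reconcile a Nessus file-version finding with a LANDesk patch scan log.

Added example, not LANDesk's or Nessus's code. NESSUS_RESULT and SCAN_LOG
are constructed from the excerpts in the post; DOCUMENTED_PREREQS is the
prerequisite chain the poster read out of the KB articles.
"""
import re

# Constructed sample: the Nessus finding for the 2008 R2 host.
NESSUS_RESULT = r"""
- C:\Windows\system32\mstscax.dll has not been patched
    Remote version : 6.2.9200.16398
    Should be      : 6.2.9200.17053

  Missing KBs :
    2984976
"""

# Constructed sample: the LANDesk scan-log excerpt for the same host.
SCAN_LOG = """
Current Definition ID: 2984976_MSU
Checking vulnerability 2984976_MSU, rule index 0 ('Windows6.1-KB2984976-x64.Msu')
Running detection script
The prerequisite doesn't meet(KB2871997,KB2973351,KB2984972,KB2574819,KB2592687), exit the Scan process.
Vul 2984976_MSU, patch index 0 ----------------------- took 24625 ms
VUL: '2984976_MSU' (windows6.1-kb2984976-x64.msu) not detected. File/OS version(s) verified
Patch is NOT installed
"""

# Prerequisites as documented in the KB articles (from the post):
# 2984976 -> 2984972 and 2592687; 2592687 -> 2574819.
DOCUMENTED_PREREQS = {
    "2984976": {"2984972", "2592687"},
    "2592687": {"2574819"},
}


def parse_version(text):
    """Turn '6.2.9200.16398' into a tuple so comparison is numeric per field."""
    return tuple(int(part) for part in text.split("."))


def parse_nessus(text):
    """Extract file path, remote/expected versions and the missing-KB list."""
    path = re.search(r"^- (.+?) has not been patched", text, re.M).group(1)
    remote = re.search(r"Remote version\s*:\s*([\d.]+)", text).group(1)
    expected = re.search(r"Should be\s*:\s*([\d.]+)", text).group(1)
    tail = text.split("Missing KBs", 1)[1] if "Missing KBs" in text else ""
    kbs = re.findall(r"^\s*(\d{6,7})\s*$", tail, re.M)
    return {
        "file": path,
        "remote": parse_version(remote),
        "expected": parse_version(expected),
        "missing_kbs": set(kbs),
    }


def parse_scan_log(text):
    """Extract the definition's KB and the prerequisite set the script demanded."""
    kb = re.search(r"Current Definition ID:\s*(\d+)", text).group(1)
    pre = re.search(r"prerequisite doesn't meet\(([^)]*)\)", text)
    checked = set()
    if pre:
        checked = {re.sub(r"^KB", "", p.strip()) for p in pre.group(1).split(",")}
    return {"kb": kb, "checked_prereqs": checked, "bailed_on_prereqs": pre is not None}


def documented_closure(kb, table):
    """All prerequisites reachable from kb through the documented chain."""
    seen, stack = set(), list(table.get(kb, ()))
    while stack:
        item = stack.pop()
        if item not in seen:
            seen.add(item)
            stack.extend(table.get(item, ()))
    return seen


def reconcile(nessus, log, table):
    """Summarise where the file-version view and the KB-install view disagree."""
    documented = documented_closure(log["kb"], table)
    return {
        "file_outdated": nessus["remote"] < nessus["expected"],
        "kb_agrees": log["kb"] in nessus["missing_kbs"],
        "detection_skipped": log["bailed_on_prereqs"],
        "undocumented_prereqs": log["checked_prereqs"] - documented,
    }


if __name__ == "__main__":
    result = reconcile(parse_nessus(NESSUS_RESULT), parse_scan_log(SCAN_LOG), DOCUMENTED_PREREQS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The useful output is the `undocumented_prereqs` set: prerequisites the detection script required that no KB article in the chain lists. Those are the entries worth raising with support, because the script exits before it ever checks file or registry state when they are absent, which is exactly why an agentless file-version scan and the agent-based scan diverge on the same host.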

        • 1. Re: Patch Detection Quality Control
          JoeDrwiega SupportEmployee

          Well, while I agree that some of the detection LANDesk does is a little overkill and might need some tweaking, I don't always agree with the Nessus scans. They base a lot just on a DLL change, and sometimes their "solution" to be compliant is the wrong KB or update. Just sayin'.

          • 2. Re: Patch Detection Quality Control
            georged Apprentice

            Agreed, each product checks differently, so your results vary, and each has its own pluses and minuses.

             

            Nessus seems to check the files and care less about actual "installation". I see them looking at more file version numbers listed in the KB than registry keys indicating something is installed.

            They haven't been far off on most of the results. They also alerted us to situations where we removed a legacy installation and files were still remaining (and potentially loaded, as it was under the Windows folder).

             

            FYI, I do NOT work for Nessus. It just seems to be a solid way to verify the environment. With the LANDesk agent we rely on the deployment and the agent reporting in. I like to have something agentless that scans all the endpoints as well.

            • 3. Re: Patch Detection Quality Control
              JoeDrwiega SupportEmployee

              Well, that is all true; it's just frustrating when a third party loads an MS file and Nessus says it needs a patch that won't install. But it's nice to know the DLL so a manual patch or package can be created; it just takes some investigation when it gets the false "patch needed".

               

              Also, LANDesk bought Shavlik so there is your agentless patch scans for endpoints, they just need to integrate it into LDMS for patching.