5 Replies Latest reply on Jul 8, 2016 2:30 PM by dgoniea

    Discrepancy between LANDESK and Nessus security scan

    Apprentice

      Hello everyone,

       

      My company is still pretty new to LANDESK so we are still getting to know how it works and how to use the data out of it. We have recently completed our June patching so we used Nessus to scan the network and check LANDESK's work. The results were good overall, but three patches in Nessus did not match what LANDESK reported at all. See the table below:

      Patch      LANDESK Result / Nessus Result
      MS16-035   312
      MS16-054   0513
      MS16-065   13433

       

      I asked my security engineer to export the Nessus detection criteria for the missing patches. This is what he gave me:

      nessus detection.png

       

      Can someone tell me how this differs from what LANDESK is detecting on? Also which one of the two sources do you think is more trustworthy.

       

      Thanks in advance for your help

        • 1. Re: Discrepancy between LANDESK and Nessus security scan
          phoffmann SupportEmployee

          "It depends" - and "you'll need to dig into the results".

           

          And - depending - it's possible that BOTH are "right" from a certain perspective (bear with me - it'll make sense shortly ).

           

          Our detection logic is very open - so you can see how we detect stuff (if it's Windows 10-ish stuff you're scanning, good chance we query whether the OS thinks it's in need of that patch in this case). What / how Nessus scans, I don't know - you'd need to look at their definitions (you can view the detection logic - depending on what it is, we may be querying files / reg-keys / OS API's and so on).

           

          Now - "Complicating Factors" ... (there's a reason why people do this stuff as a full-time job).

           

          You can have a situation where Nessus' logic is accurate (for instance - they're checking specific files) as far as they're concerned. And we might be correct because the OS is reporting as such.

           

          Yes - you *CAN* have legitimate cases where "file logic alone" says "you're vulnerable", while querying the OS returns you're NOT vulnerable - common example is 32-bit files on a 64-bit OS. Yeah, you have "vulnerable" files - but they won't ever get used (as a 64-bit OS won't use 32-bit DLL's for instance).

           

          In addition (for even "more fun") I've had a case recently where we were correct - based on Microsoft's published logic, but the logic was inaccurate ... yet Microsoft weren't willing to change the published logic (lack of ROI) ... so that was "fun" ... and not much we could do about it.

           

          So ... long story short - you'll need to dig into it. Our vulscan-logs are pretty readable, but if you need help, we're here. Can't help you with Nessus logs, sorry (no idea how helpful they are - never seen 'em).

           

          There's always the potential of false positives / negatives on either side - and there's situations where multiple tools can be "correct" in a way, just that it may or may not be relevant (i.e. "yes, you have vulnerable files, but those are 32-bit files that'll never get used" situations for instance).

           

          If you have reason to believe that we've got false negatives here (for instance), you can raise a relevant call with support - but it's very much not as simple a thing as looking at "just" the results in this case.

           

          Hope that helps somewhat to highlight the complexities that this space lives in?

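Added illustration of the two detection styles contrasted in the reply above (a "file X must be version Y" rule versus an OS-aware applicability check). This is not LANDESK's or Nessus's own logic; the file names, versions, bitness and the patch-to-file mapping are constructed for the example.

```python
"""File-version rule vs. OS-applicability check (added example, not LANDESK
or Nessus code). Inventory, file names and versions are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    version: str
    arch: str  # bitness of the binary itself: "x86" or "x64"


@dataclass(frozen=True)
class FileRule:
    patch: str
    filename: str
    min_version: str  # "file X must be at least version Y"


def parse_version(v):
    """Turn '4.6.1055.0' into a tuple so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def file_rule_hits(rule, files):
    """File-only logic: every copy of the file below min_version is a hit."""
    suffix = "\\" + rule.filename.lower()
    return [f for f in files
            if f.path.lower().endswith(suffix)
            and parse_version(f.version) < parse_version(rule.min_version)]


def os_relevant(hits, os_arch):
    """Applicability filter modelling the reply's point: on a 64-bit OS a
    32-bit copy of the file is present but, per the reply, never used."""
    return [h for h in hits if not (os_arch == "x64" and h.arch == "x86")]


def classify(rule, files, os_arch):
    hits = file_rule_hits(rule, files)
    relevant = os_relevant(hits, os_arch)
    return {
        "file_logic_says_vulnerable": bool(hits),
        "os_aware_says_vulnerable": bool(relevant),
        "flagged": [h.path for h in hits],
    }


# Constructed inventory: a 64-bit host where only the WOW64 (32-bit) copy is old.
INVENTORY = [
    FileRecord(r"C:\Windows\System32\example.dll", "4.6.1055.0", "x64"),
    FileRecord(r"C:\Windows\SysWOW64\example.dll", "4.6.1038.0", "x86"),
]
RULE = FileRule("MS16-035 (constructed rule)", "example.dll", "4.6.1055.0")
```

Running `classify(RULE, INVENTORY, "x64")` shows the two verdicts disagreeing on the same host, which is the kind of case to check before raising either result as a false positive or negative.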
          • 2. Re: Discrepancy between LANDESK and Nessus security scan
            phoffmann SupportEmployee

            As a separate point - if you want to see what we're doing to detect something, you can just check the properties of a vulnerability & check its detection rule (those'll vary based on OS - so "Windows 7 x64" has one, while "Windows 7 x32" has a different one).

             

            Most of them are in a pretty human-readable case of "file X must be version Y" type format, while others may make use of scripts (usually VB) and/or talk to OS API's.

             

            I'll include a screenshot of what I'm talking about so you can examine things - in this case, I'm using MS16-035v2_INTL as opposed to MS16-035v2_MSU.

            Patch_Properties_1.jpg

            and then in detail the detection script:

            Patch_Properties_2.jpg

             

             

            NOTE -- you may want to update your Nessus content btw - seems like Microsoft have revved the patch (I can tell based on us having a "MS16-035v2" which is our way of revving a vulnerability). Depending on your scanning numbers, you may have v2 & non-v2 results to check against as well.

            • 3. Re: Discrepancy between LANDESK and Nessus security scan
              Apprentice

              Thank you so much for this. This is all very good info.

               

              I took a look at the detection rules in LANDESK and there appear to be some differences in what it is looking for over Nessus.

               

              I'd love to compare both sets of rules to Microsoft's official detection rules but I can't seem to readily find those online. Can you point me at where to look?

              • 4. Re: Discrepancy between LANDESK and Nessus security scan
                phoffmann SupportEmployee

                That's not too difficult to find - just hit up google with "MS16-035" and look for a title like "MS16-035: Description of the security update for the .NET Framework 3.5.1 in Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: March 8, 2016" - that's the kind of article you want.

                 

                There *MAY* be several of those, it depends on Microsoft (they sometimes do "a global one" and then "one for 2008 / one for 2012" and so on).

                 

                Direct link in this case is here:

                - https://support.microsoft.com/en-us/kb/3135983

                 

                Our patch team uses the Microsoft (/insert relevant vendor) articles to generate our content (which is what was so annoying when I ran into the situation that the published information was wrong, but MS was unwilling to fix it, because it'd have to be fixed in many languages & so on) ... and until they fixed it, we wouldn't really be able to fix our stuff to be 100% accurate.

                 

                Fun times.

                • 5. Re: Discrepancy between LANDESK and Nessus security scan
                  Apprentice

                  Hey everyone!

                   

                   

                  We figured out the issue that caused the discrepancy in our scan results.

                   

                  There was a prerequisite on the patches we were not scanning for called "Office-Scan." It's an NA definition so our rules dumped it into do not scan. Now that we are scanning for it we are getting plenty of detections for the vulnerabilities in question.

                   

                  I've included a screenshot of the definition in question for any who may need it.

                   

                  office-scan.png
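Added example of the failure mode described in the last post: a grouping rule that sends every N/A-type definition to "Do not scan" also removes a prerequisite that other definitions depend on, so those definitions silently stop detecting. The check finds such cases and the second rule keeps needed prerequisites scanned. This is not LANDESK's own code; the definition names, types and prerequisite links are constructed.

```python
"""Detect vulnerability definitions whose prerequisites were excluded from
scanning (added example, not LANDESK code; data below is constructed)."""
from dataclasses import dataclass, field

SCAN = "Scan"
DO_NOT_SCAN = "Do not scan"


@dataclass
class Definition:
    name: str
    kind: str                  # e.g. "Security" or "N/A"
    group: str = SCAN          # "Scan" or "Do not scan"
    prerequisites: list = field(default_factory=list)


def na_to_do_not_scan(d):
    """The naive grouping rule from the post: every N/A definition is excluded."""
    return DO_NOT_SCAN if d.kind == "N/A" else SCAN


def apply_group_rule(defs, rule):
    for d in defs.values():
        d.group = rule(d)
    return defs


def broken_by_excluded_prerequisite(defs):
    """Scanned definitions whose prerequisites are not scanned: these will
    not detect, whatever the host's real patch state."""
    problems = {}
    for d in defs.values():
        missing = [p for p in d.prerequisites if defs[p].group != SCAN]
        if d.group == SCAN and missing:
            problems[d.name] = missing
    return problems


def prerequisite_aware_groups(defs, rule):
    """Apply rule, then pull any prerequisite a scanned definition needs back
    into Scan, repeating so chained prerequisites are covered too."""
    apply_group_rule(defs, rule)
    changed = True
    while changed:
        changed = False
        for d in defs.values():
            for p in d.prerequisites:
                if d.group == SCAN and defs[p].group != SCAN:
                    defs[p].group = SCAN
                    changed = True
    return defs


def build_sample():
    """Constructed catalogue: the three patches from the thread depend on an
    N/A prerequisite; one unrelated N/A definition has no dependents."""
    return {
        "Office-Scan": Definition("Office-Scan", "N/A"),
        "Unrelated-Info": Definition("Unrelated-Info", "N/A"),
        "MS16-035": Definition("MS16-035", "Security", prerequisites=["Office-Scan"]),
        "MS16-054": Definition("MS16-054", "Security", prerequisites=["Office-Scan"]),
        "MS16-065": Definition("MS16-065", "Security", prerequisites=["Office-Scan"]),
    }
```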