Hello All,
I had a question in regards to the validity of the level
of reporting from running a scan using Nessus. We run daily scans
against our Windows Servers for missing critical and important Windows
patches. We have come across some discrepancy between our WSUS server
which deploys the patches and also has reporting and status of systems
patch level. So after digging deeper and deeper trying to find where
the miscommunication was I ran across what I think are consistent false
positives. Out of 400 servers, WSUS says 72 systems are not fully
patched. According to our Nessus scans, we have 191 non-compliant
servers. Which then starts the discussion of why the numbers are so
different. So I started with a common update which Nessus says is
missing on a good amount of servers, MS06-025. The latest patch release
for that update was for June 2006.
According to Nessus:
- C:\WINDOWS\system32\Rasmans.dll has not been patched
Remote version : 5.2.3790.2697
Should be : 5.2.3790.2731
According to WSUS, the patch is not required. When I check the version
of the file on the server, it is indeed the old version. According to
the Microsoft Bulletin Release notes on Microsoft's website, the latest
version is indeed 5.2.3790.2731, with a June 2006 file date.
At this point I was totally confused, because it looks like Nessus
technically is correct. So then I ran 2 other tools (GFI Languard and
Shavlik NetChk) against the same server and they both tell me the server
does not require that patch. So now I have a 3 against 1 situation,
but in all aspects looking at just the file version, which shows the
updated version should tell me the real truth.
Any ideas how to better resolve these discrepancies? We are in a
situation that we need to ramp up our patching efforts to get in
compliance and don't want to be hammered by other folks saying that our
results are false.
Thanks.
Amit Lad
Information Security Engineer
-------------------------
Ciena Corporation | Office 410.694.5998 | alad@ciena.com
<http://www.ciena.com/>
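One way to reconcile a Nessus file-version finding with the WSUS verdict for the same host, as an added example that is not part of the original post. The plugin-output format is the one quoted in the message; the verdict labels, the `wsus_required` flag and the optional locally read `host_version` are assumptions of this example.

```python
import re
from typing import Optional

# Constructed sample in the format of the Nessus plugin output quoted in the post.
NESSUS_OUTPUT = """\
- C:\\WINDOWS\\system32\\Rasmans.dll has not been patched
Remote version : 5.2.3790.2697
Should be : 5.2.3790.2731
"""

FINDING_RE = re.compile(
    r"-\s+(?P<path>\S+) has not been patched\s*\n"
    r"Remote version\s*:\s*(?P<remote>[\d.]+)\s*\n"
    r"Should be\s*:\s*(?P<expected>[\d.]+)"
)

# Verdict labels are constructed for this example, not Nessus or WSUS terminology.
CONFIRMED = "confirmed missing: Nessus and WSUS agree, deploy the update"
VERSION_ONLY = "file version old but WSUS says not required: check bulletin applicability and supersedence"
FALSE_POSITIVE = "Nessus false positive: file on host is at or above the expected version"
WSUS_ONLY = "file current but WSUS still flags the update: deploy via WSUS and rescan"


def parse_version(text: str) -> tuple:
    """'5.2.3790.2697' -> (5, 2, 3790, 2697): compare each component as an integer,
    never as a string (lexically '5.2.3790.9' would sort after '5.2.3790.10')."""
    return tuple(int(part) for part in text.split("."))


def parse_findings(report: str) -> list:
    """Pull (path, remote_version, expected_version) triples out of the plugin output."""
    return [(m["path"], m["remote"], m["expected"]) for m in FINDING_RE.finditer(report)]


def file_is_behind(actual: str, expected: str) -> bool:
    return parse_version(actual) < parse_version(expected)


def triage(finding: tuple, wsus_required: bool, host_version: Optional[str] = None) -> str:
    """Reconcile one Nessus finding with the WSUS verdict for the same host.
    host_version, if given, is the version read on the server itself and
    overrides the version Nessus reported remotely."""
    _path, remote, expected = finding
    behind = file_is_behind(host_version or remote, expected)
    if behind:
        return CONFIRMED if wsus_required else VERSION_ONLY
    return WSUS_ONLY if wsus_required else FALSE_POSITIVE
```

Feeding every Nessus finding through `triage` with the matching WSUS status turns the "191 vs 72" gap into a short list of hosts to verify by hand, and the `VERSION_ONLY` bucket is exactly the Rasmans.dll case in the post.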