Any ideas? Anyone?
Amit Lad
Information Security Engineer
-------------------------
Ciena Corporation | Office 410.694.5998 | [EMAIL PROTECTED]
<http://www.ciena.com/>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lad, Amit
Sent: Wednesday, August 27, 2008 12:09 PM
To: [EMAIL PROTECTED]
Subject: Nessus Accuracy: 3 against 1?

Hello All,

I had a question in regards to the validity of the level of reporting from running a scan using Nessus. We run daily scans against our Windows Servers for missing critical and important Windows patches. We have come across some discrepancy between Nessus and our WSUS server, which deploys the patches and also reports on the status of each system's patch level. So after digging deeper and deeper trying to find where the miscommunication was, I ran across what I think are consistent false positives.

Out of 400 servers, WSUS says 72 systems are not fully patched. According to our Nessus scans, we have 191 non-compliant servers. Which then starts the discussion of why the numbers are so different.

So I started with a common update which Nessus says is missing on a good amount of servers, MS06-025. The latest patch release for that update was for June 2006.

According to Nessus:

  - C:\WINDOWS\system32\Rasmans.dll has not been patched
    Remote version : 5.2.3790.2697
    Should be : 5.2.3790.2731

According to WSUS, the patch is not required. When I check the version of the file on the server, it is indeed the old version. According to the Microsoft Bulletin Release notes on Microsoft's website, the latest version is indeed 5.2.3790.2731, with a June 2006 file date.

At this point I was totally confused, because it looks like Nessus technically is correct. So then I ran 2 other tools (GFI Languard and Shavlik NetChk) against the same server and they both tell me the server does not require that patch. So now I have a 3 against 1 situation, but in all aspects, looking at just the file version, which shows whether the updated version is present, should tell me the real truth.

Any ideas how to better resolve these discrepancies? We are in a situation where we need to ramp up our patching efforts to get in compliance and don't want to be hammered by other folks saying that our results are false.

Thanks.

Amit Lad
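One way to line up the tools' verdicts against the file-version evidence the post describes, as an added example that is not part of the original message: it compares dotted versions numerically and lists which tools disagree with what the file on disk implies. The record layout, the verdict labels and the host names are assumptions made for illustration.

```python
# Added example. Versions are the ones quoted in the post; the host names and
# the record layout are constructed for illustration.

def parse_version(text):
    """'5.2.3790.2697' -> (5, 2, 3790, 2697) so fields compare numerically."""
    return tuple(int(field) for field in text.strip().split("."))

def file_is_patched(observed, fixed):
    """True when the file on disk is at or above the bulletin's fixed version."""
    return parse_version(observed) >= parse_version(fixed)

def reconcile(record):
    """Compare each tool's verdict with what the file version implies."""
    patched = file_is_patched(record["observed"], record["fixed"])
    implied = "not_required" if patched else "missing"
    dissenters = sorted(t for t, v in record["verdicts"].items() if v != implied)
    return {
        "host": record["host"],
        "bulletin": record["bulletin"],
        "file_patched": patched,
        "dissenters": dissenters,
        "status": "needs manual review" if dissenters else "consistent",
    }

SAMPLE = [
    {   # the case described in the post, on a constructed host name
        "host": "srv-example-01", "bulletin": "MS06-025",
        "file": r"C:\WINDOWS\system32\Rasmans.dll",
        "observed": "5.2.3790.2697", "fixed": "5.2.3790.2731",
        "verdicts": {"Nessus": "missing", "WSUS": "not_required",
                     "GFI Languard": "not_required",
                     "Shavlik NetChk": "not_required"},
    },
    {   # constructed: every tool and the file agree
        "host": "srv-example-02", "bulletin": "MS06-025",
        "file": r"C:\WINDOWS\system32\Rasmans.dll",
        "observed": "5.2.3790.2731", "fixed": "5.2.3790.2731",
        "verdicts": {"Nessus": "not_required", "WSUS": "not_required"},
    },
]

if __name__ == "__main__":
    for rec in SAMPLE:
        r = reconcile(rec)
        print(r["host"], r["bulletin"], r["status"], r["dissenters"])
```

A tool listed as a dissenter is not necessarily wrong; the output only marks where a verdict and the file version need to be checked by hand.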
