The only suggestion I can make is to read the MS bulletin related to the (supposedly) missing patch to see if you can determine which result is correct. Based strictly on version numbers it appears that your file may in fact be vulnerable. Why the other three tools don't see it that way is beyond me. Do they also check version numbers? Or are they just checking a registry key that shows the KB# having been installed? Note: I'm not saying Nessus is right and the others are wrong. In my experience I've found all the tools to be inconsistent with each other when it comes to this issue.
You have stumbled into one of my big headaches. I like to be able to tell my clients specifically what they need to do to correct the problem, but it's not that straightforward. They use Windows Update (which tells them they are fully patched) and aren't technical enough to dig into the KB articles, file versions, etc. So is it really fair to tell them they aren't compliant when the company that makes the OS is telling them otherwise? My personal opinion, and I applaud you for digging into this issue, is that you are on the right path, and as long as you can explain what you are doing in an effort to be compliant with patch management, the auditor/regulator/etc. can't be too harsh. You are doing far more than most when it comes to trying to be compliant. And if you just install the (supposedly) missing patch (as someone else recommended), you may actually reintroduce other files that are "older" than the current version and will therefore be (supposedly) missing patches for those files as well. I really wish MS patch management was more straightforward, but as you found out it is not. Not sure if I gave you any advice that helps or if my comments really belong on the Nessus mailing list.

Steve

On Wed, Sep 3, 2008 at 12:11 PM, Lad, Amit <[EMAIL PROTECTED]> wrote:
> Any ideas? Anyone?
>
> Amit Lad
> Information Security Engineer
> —————————————————————————
> Ciena Corporation | Office 410.694.5998 | [EMAIL PROTECTED]<http://www.ciena.com/>
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *Lad, Amit
> *Sent:* Wednesday, August 27, 2008 12:09 PM
> *To:* [email protected]
> *Subject:* Nessus Accuracy: 3 against 1?
>
> Hello All,
>
> I had a question in regards to the validity of the level of reporting from running a scan using Nessus. We run daily scans against our Windows Servers for missing critical and important Windows patches. We have come across some discrepancy between our WSUS server, which deploys the patches and also has reporting and status of systems' patch level. So after digging deeper and deeper trying to find where the miscommunication was, I ran across what I think are consistent false positives. Out of 400 servers, WSUS says 72 systems are not fully patched. According to our Nessus scans, we have 191 non-compliant servers. Which then starts the discussion why the numbers are so different. So I started with a common update which Nessus says is missing on a good amount of servers, MS06-025. The latest patch release for that update was for June 2006.
>
> According to Nessus:
>
> - C:\WINDOWS\system32\Rasmans.dll has not been patched
>   Remote version : 5.2.3790.2697
>   Should be : 5.2.3790.2731
>
> According to WSUS, the patch is not required. When I check the version of the file on the server, it is indeed the old version. According to the Microsoft Bulletin Release notes on Microsoft's website, the latest version is indeed 5.2.3790.2731, with a June 2006 file date.
>
> At this point I was totally confused, because it looks like Nessus technically is correct. So then I ran 2 other tools (GFI LANguard and Shavlik NetChk) against the same server and they both tell me the server does not require that patch. So now I have a 3 against 1 situation, but in all aspects looking at just the file version, which shows the updated version, should tell me the real truth.
>
> Any ideas how to better resolve these discrepancies? We are in a situation that we need to ramp up our patching efforts to get in compliance and don't want to be hammered by other folks saying that our results are false.
>
> Thanks.
>
> Amit Lad
> Information Security Engineer
> —————————————————————————
> Ciena Corporation | Office 410.694.5998 | [EMAIL PROTECTED]<http://www.ciena.com/>
>
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus
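The check the whole thread turns on is a file-version comparison: the scanner reads the version of Rasmans.dll on the host and compares it with the version the bulletin ships. The following is an added example, not code from the original messages and not how Nessus, WSUS, GFI LANguard or Shavlik implement their checks. It reproduces the Rasmans.dll comparison quoted above (5.2.3790.2697 on disk versus 5.2.3790.2731 required), shows why version strings must be compared numerically rather than as text, and models the caveat in the reply that installing a package can leave a second file at an older version than the one already on disk. Only the Rasmans.dll path and its two versions come from the thread; the second bulletin id, the second file name, their versions and the package contents are constructed for the demonstration.

```python
"""Added example: file-version-based patch detection.

Only the Rasmans.dll path and its two versions are from the mailing-list
thread; every other bulletin id, file name and version below is constructed.
The package model is a simplification of the scenario described in the reply,
not a description of how a real Windows installer behaves.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a 4-part Windows file version such as "5.2.3790.2731" into ints.

    Comparing the dotted string as text is the classic mistake:
    "5.2.3790.10000" < "5.2.3790.2731" as strings, but not as versions.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part file version: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def is_patched(remote: str, required: str) -> bool:
    """True when the file on disk is at or above the version the bulletin ships."""
    return parse_version(remote) >= parse_version(required)


def check_host(inventory: Dict[str, str],
               bulletins: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per (bulletin, file) whose on-disk version is too old.

    inventory : path -> version currently on the host
    bulletins : bulletin id -> {path -> minimum version that bulletin ships}
    A file absent from the inventory is not flagged: the component is not
    installed, so that line of the bulletin does not apply to the host.
    """
    findings = []
    for bulletin, files in sorted(bulletins.items()):
        for path, required in sorted(files.items()):
            remote = inventory.get(path)
            if remote is not None and not is_patched(remote, required):
                findings.append(f"{bulletin}: {path} has not been patched "
                                f"(remote {remote}, should be {required})")
    return findings


def apply_package(inventory: Dict[str, str], package: Dict[str, str]) -> Dict[str, str]:
    """Model of a package install that writes every file it carries regardless
    of what is already on disk; this is the 'reintroduce older files' scenario
    from the reply, deliberately simplified."""
    updated = dict(inventory)
    updated.update(package)
    return updated


# --- constructed sample data -------------------------------------------------
RASMANS = r"C:\WINDOWS\system32\Rasmans.dll"          # path quoted in the thread
OTHER = r"C:\WINDOWS\system32\EXAMPLE-other.dll"      # hypothetical file

# Bulletin -> file -> minimum version. The MS06-025/Rasmans.dll line is the one
# from the thread; "MS08-EXAMPLE" and its file are made up for the demo.
BULLETINS = {
    "MS06-025": {RASMANS: "5.2.3790.2731"},
    "MS08-EXAMPLE": {OTHER: "5.2.3790.4000"},
}

# Versions found on the scanned host. Rasmans.dll is the value Nessus reported
# in the thread; the other file's version is constructed.
HOST = {RASMANS: "5.2.3790.2697", OTHER: "5.2.3790.4000"}

# What the MS06-025 package is assumed to carry for this demo: the fixed
# Rasmans.dll plus an older build of the other file.
MS06_025_PACKAGE = {RASMANS: "5.2.3790.2731", OTHER: "5.2.3790.2731"}


def demo() -> Tuple[List[str], List[str]]:
    """Findings before and after installing the modelled MS06-025 package."""
    before = check_host(HOST, BULLETINS)
    after = check_host(apply_package(HOST, MS06_025_PACKAGE), BULLETINS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("Before installing MS06-025:", *before, sep="\n  ")
    print("After installing MS06-025:", *after, sep="\n  ")
```

Run as a script it prints the single MS06-025 finding for Rasmans.dll, then shows that after the modelled install that finding clears while the constructed second file regresses to 5.2.3790.2731 and is flagged under the other bulletin, which is the situation the reply warns about. A tool that instead keys on an installed-KB registry entry would report the same host as compliant before and after, which is one plausible source of the "3 against 1" disagreement; resolving it means deciding which evidence (file version on disk or installed-update record) the compliance report is supposed to reflect.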
