It wouldn't be hard to write a plugin to check for a pending reboot or file rename operation. According to this: http://blogs.msdn.com/hansr/archive/2006/02/17/PatchReboot.aspx, there are three areas of the registry to check.
From: Bazy <b...@goofy.celuloza.ro>
To: nessus@list.nessus.org
Date: 01/10/2009 08:24 AM
Subject: Re: Checking if Windows was restarted after update
Sent by: nessus-boun...@list.nessus.org

On Fri, 09 Jan 2009 09:15:02 -0500 Ron Gula <rg...@tenablesecurity.com> wrote:

> Bazy wrote:
> > Hello!
> >
> > We use WSUS in our company for updates, but not everyone restarts his workstation for days. So in some cases the computer is still vulnerable if not restarted. How would be the best practice to check this? I'm using Nessus for about 3 months, read the book but have little experience.
> >
>
> We try to make every effort to test the live system. For example, we
> occasionally get false positive reports from customers who say that
> a machine is patched, yet Nessus is showing the machine to still be
> vulnerable because the machine STILL IS vulnerable, and requires a
> reboot.
>
> Are you asking to be able to scan for a machine that is in the state
> of needing to be rebooted?
>
> Ron Gula
> Tenable Network Security
>

Yes Ron, that is exactly what I'm asking. It's a confusing situation because in WSUS we see the machine as updated, Nessus reports it as vulnerable, it can be exploited, and we as a Security Team open a ticket for IT to patch the machine, which just needs a reboot.

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
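An added example of the pending-reboot check proposed in the reply at the top of this thread; it is not code from the original messages, from Nessus, or from the linked blog post. The three registry locations are widely used Windows pending-reboot indicators chosen here as an assumption (the thread does not name the three areas), and the function name `Get-PendingRebootState` is hypothetical.

```powershell
# Added example: report whether a Windows host is waiting for a reboot.
# Assumption: these three registry locations are common pending-reboot
# indicators; they are not quoted from the thread or the linked post.
function Get-PendingRebootState {
    [CmdletBinding()]
    param()

    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # The first two indicators are keys: their mere existence is the signal.
    $cbsPending = Test-Path -Path $cbsKey
    $wuPending  = Test-Path -Path $wuKey

    # PendingFileRenameOperations is a REG_MULTI_SZ value, not a key.
    # A missing value or one holding only empty strings means nothing is queued.
    $renames = @()
    $sm = Get-ItemProperty -Path $smKey -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    if ($sm) {
        $renames = @($sm.PendingFileRenameOperations | Where-Object { $_ })
    }
    $renamePending = $renames.Count -gt 0

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        ComponentServicing     = $cbsPending
        WindowsUpdate          = $wuPending
        PendingFileRenames     = $renamePending
        PendingFileRenameCount = $renames.Count
        RebootPending          = ($cbsPending -or $wuPending -or $renamePending)
    }
}

# Run locally with rights to read HKLM; the result can be collected per host
# and compared against scanner findings.
Get-PendingRebootState | Format-List
```

`PendingFileRenameOperations` is also populated by installers and other software unrelated to patching, so treat it as a weaker signal than the two update-specific keys. A host that a scan flags as vulnerable while `RebootPending` is true matches the "patched but not restarted" case described in the thread.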