Addressing some Vulnerability Assessment Gaps: BigFix and Qualys Integration

I wanted to share some insights and seek advice regarding an issue we’ve encountered while integrating BigFix with Qualys for vulnerability assessment and remediation.

Our current project involves using BigFix for patch management and remediation of vulnerabilities identified by Qualys on client systems. While BigFix has been effective in applying patches, we’ve noticed a recurring issue where Qualys scans still detect vulnerabilities post-patching, particularly related to superseded patches. (Most can be manually resolved by deleting some registry entries, reinstalling the latest version, etc.)

I appreciate any experiences or solutions you can share regarding this issue.

My issue might be the same as this forum post: BigFix has X number of KB Fixlets relevant & Qualys states 6 times that?
Patching a superseded patch shouldn't be a point, since the latest updates have already been installed.

Are there any suggestions? My idea is that I need to manually kill all of the vulnerabilities by Fixlets and Tasks.

It’s a common challenge to encounter discrepancies between different vulnerability assessment tools. Each tool uses its own detection criteria, which can lead to conflicts and false positives. This is a widespread issue in organizations that rely on multiple vulnerability assessment tools.

And yes, manual cross-validation of vulnerabilities is required if you are considering another tool over BigFix detection.

However, if only supersedence is under consideration, and if it is also showing as applicable in BigFix, you might want to check the following setting.
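Separately from whatever BigFix setting the reply above refers to (it is not reproduced here), the manual cross-validation that reply recommends can be scripted. The following PowerShell is an added example written for this page; it is not from the thread, from BigFix or from Qualys. It takes a list of Qualys findings expressed as the KB(s) whose absence triggered each QID, reads the KBs Windows reports as installed with `Get-HotFix`, and walks a supersedence map so that a finding for an old KB is reported as "Superseded" when a newer KB that replaces it is present. The KB numbers, QIDs and the supersedence map are constructed placeholders; a real map has to be built from the Microsoft Update Catalog or from the BigFix Fixlet supersedence data.

```powershell
# Added example: supersedence-aware cross-check of Qualys KB findings against
# what Windows reports as installed. Not from this thread, BigFix or Qualys.
# The supersedence map and the sample findings below are constructed; build
# the real map from the Microsoft Update Catalog or the BigFix Fixlet
# supersedence data before relying on it.

# Constructed supersedence chain: older KB -> KB that replaces it (hypothetical numbers).
$Supersedence = @{
    'KB5000001' = 'KB5000002'
    'KB5000002' = 'KB5000003'
    'KB5000010' = 'KB5000011'
}

# Constructed Qualys-style findings: QID, title, and the KB(s) whose absence triggered the QID.
$Findings = @(
    [pscustomobject]@{ QID = 900001; Title = 'Example cumulative update missing'; KBs = @('KB5000001') },
    [pscustomobject]@{ QID = 900002; Title = 'Example .NET update missing';       KBs = @('KB5000010') },
    [pscustomobject]@{ QID = 900003; Title = 'Example servicing stack missing';   KBs = @('KB5000099') }
)

function Get-InstalledKB {
    # Get-HotFix wraps Win32_QuickFixEngineering: it lists OS-level updates but not
    # every MSI/Office/third-party update, so a "Missing" result still needs a manual look.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-HotFix -ComputerName $ComputerName | Select-Object -ExpandProperty HotFixID
}

function Resolve-Superseding {
    # Walks the supersedence chain from $KB and returns the first superseding KB
    # that is installed, or $null. Bounded so a malformed (cyclic) map cannot loop forever.
    param(
        [Parameter(Mandatory)][string]$KB,
        [Parameter(Mandatory)][hashtable]$Map,
        [Parameter(Mandatory)][string[]]$Installed,
        [int]$MaxDepth = 20
    )
    $current = $KB
    for ($i = 0; $i -lt $MaxDepth -and $Map.ContainsKey($current); $i++) {
        $current = $Map[$current]
        if ($Installed -contains $current) { return $current }
    }
    return $null
}

function Test-QualysFindings {
    # Classifies each finding as Installed, Superseded (a newer KB is present) or Missing.
    # $Installed defaults to the live Get-HotFix result when not supplied.
    param(
        [Parameter(Mandatory)][object[]]$Findings,
        [Parameter(Mandatory)][hashtable]$Map,
        [string[]]$Installed = (Get-InstalledKB)
    )
    foreach ($f in $Findings) {
        foreach ($kb in $f.KBs) {
            $status = 'Missing'; $evidence = $null
            if ($Installed -contains $kb) {
                $status = 'Installed'; $evidence = $kb
            } else {
                $newer = Resolve-Superseding -KB $kb -Map $Map -Installed $Installed
                if ($newer) { $status = 'Superseded'; $evidence = $newer }
            }
            [pscustomobject]@{
                QID = $f.QID; Title = $f.Title; KB = $kb; Status = $status; Evidence = $evidence
            }
        }
    }
}

# Offline run with a constructed installed list; on a real host drop -Installed
# so the function calls Get-InstalledKB itself.
$installed = @('KB5000003', 'KB5000010')
Test-QualysFindings -Findings $Findings -Map $Supersedence -Installed $installed | Format-Table -AutoSize
```

A "Superseded" row is the case the thread describes: the KB Qualys names is absent, but a KB that replaces it is installed, so there is nothing for a Fixlet to deploy. Those rows still deserve a second look at the file version or registry key the Qualys QID actually tests, because the scanner does not check supersedence; it checks artifacts, and a superseding update that left an old binary or registry entry behind is exactly what the original poster had to clean up by hand. A "Missing" row for a KB that BigFix shows as not relevant is worth checking against the limits of `Get-HotFix` before trusting either tool.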