BigFix has X number of KB Fixlets relevant & Qualys states 6 times that?

Hi there,

BigFix indicates we have X number of Microsoft KB Fixlets relevant in our Windows Server estate. We are using Qualys for vulnerability reporting and it states we require about 6 times the KBs showing in BigFix.

Is it possible to pull these KBs Qualys is reporting in from BigFix, then edit the relevance of the respective KBs to make them relevant?

Cheers

My guess would be that Qualys is counting superseded patches and BigFix is not.

You could make copies of the superseded patches and remove the “false” relevance from them to make them relevant again (or follow Aram’s advice below).

2 Likes

We have this fight with Tenable/Nessus every month. Yes they count superseded as not installed. They are still disputing Meltdown/Spectre supersedes from last year.

1 Like

If in fact the issue is due to supersedence (which is certainly possible, and relatively easy to confirm), an alternative approach to modifying the relevance is to have the BigFix Client evaluate newer superseded patches by modifying a Client setting (_BESClient_WindowsOS_EnableSupersededEval=1).

Please see Pre-Announcement: Superseded patch changes for Patches for Windows for more information.

Of course, if this is the case, and you apply the most recent patches that show as applicable via BigFix, it should drop the number of applicable patches in the vulnerability management scanner quite significantly.

1 Like
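As an added example (not code from this thread, from BigFix or from Qualys), the following Python reconciliation shows the counting effect described above: a scanner that lists every superseded KB as "missing" will report several times as many items as a patch tool that only shows the newest applicable Fixlet, and most of those items clear once the newest patch is applied. All KB numbers, the supersedence chain and both tool outputs are constructed sample data, and the "unexplained" bucket is where findings that need something other than a patch (for example a registry flag) would land.

```python
"""Reconcile a scanner's 'missing KB' list with the KBs a patch tool
reports as relevant, using a supersedence map.

Added example, not from the original thread.  The KB numbers, the
supersedence chain and both tool outputs below are constructed sample
data chosen only to illustrate the counting effect discussed above.
"""

# Constructed supersedence map: newer KB -> set of KBs it replaces.
SUPERSEDES = {
    "KB5000001": {"KB4000001", "KB4000002"},
    "KB4000002": {"KB3000001", "KB3000002"},
    "KB5000009": {"KB4000009"},
}

# Constructed sample output: what the scanner flags as missing on one host.
SCANNER_MISSING = {
    "KB5000001", "KB4000001", "KB4000002", "KB3000001", "KB3000002",
    "KB5000009", "KB4000009",
    "KB9000001",  # constructed: a finding no patch supersedence explains
}

# Constructed sample output: what the patch tool shows as relevant
# (superseded Fixlets are not evaluated, so only the newest KBs appear).
PATCHTOOL_RELEVANT = {"KB5000001", "KB5000009"}


def transitive_superseded(newest, supersedes=SUPERSEDES):
    """Return every KB replaced by `newest`, directly or via a chain."""
    seen = set()
    stack = list(supersedes.get(newest, ()))
    while stack:
        kb = stack.pop()
        if kb in seen:
            continue
        seen.add(kb)
        stack.extend(supersedes.get(kb, ()))
    return seen


def reconcile(scanner_kbs, relevant_kbs, supersedes=SUPERSEDES):
    """Classify each KB the scanner reports missing.

    'relevant'    - also relevant in the patch tool (a real gap)
    'superseded'  - old KB -> the relevant newer KB that covers it;
                    these clear once the newer KB is installed
    'unexplained' - not relevant and not superseded by anything relevant;
                    needs investigation (e.g. a registry-flag mitigation)
    """
    covered = {}
    for newest in sorted(relevant_kbs):
        for old in transitive_superseded(newest, supersedes):
            covered.setdefault(old, newest)

    result = {"relevant": set(), "superseded": {}, "unexplained": set()}
    for kb in scanner_kbs:
        if kb in relevant_kbs:
            result["relevant"].add(kb)
        elif kb in covered:
            result["superseded"][kb] = covered[kb]
        else:
            result["unexplained"].add(kb)
    return result


def inflation_ratio(scanner_kbs, relevant_kbs):
    """How many scanner findings there are per patch-tool-relevant KB."""
    return len(scanner_kbs) / len(relevant_kbs)


if __name__ == "__main__":
    r = reconcile(SCANNER_MISSING, PATCHTOOL_RELEVANT)
    print(f"scanner/patch-tool ratio: "
          f"{inflation_ratio(SCANNER_MISSING, PATCHTOOL_RELEVANT):.1f}x")
    print("real gaps      :", sorted(r["relevant"]))
    for old, new in sorted(r["superseded"].items()):
        print(f"superseded     : {old} -> covered by {new}")
    print("unexplained    :", sorted(r["unexplained"]))
```

In practice the two input sets would come from the scanner's report export and from a BigFix session relevance query, and the supersedence map from the Fixlet metadata; whatever ends up in the "unexplained" bucket is the short list worth chasing by hand.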

Thank you to each of you for your inputs/replies. This is what we had been thinking but needed to check. Cheers

Specific to Meltdown/Spectre vulnerabilities… several of them require registry entries in addition to installing the patches, depending on OS. For instance Microsoft was enabling the mitigations by default on Win10 but disabling by default on Server. I believe there are Tasks to “Enable” and “Disable” mitigations. If the registry flags aren’t set Qualys may (correctly) still report vulnerable. In my environment we used Nessus and were flagged on it.

Edit: See Fixlets 407269801 and 407311901 in Patches for Windows

I have used Qualys to find out the vulnerability report and I can confirm that the Qualys report shows superseded patches which are really not required, and BigFix won’t show superseded patches as applicable.

In my previous projects, just out of curiosity, I tested a superseded patch manually which was showing applicable in the Qualys report and the patch didn’t install, as it says the latest update is already installed.
Hence I would recommend not depending on the Qualys report as it is not 100% accurate and it can create a lot of confusion.

Regards,
Manish Singh