MBSA scan indicates more patches needed

(imported topic written by Mosbey91)

We have started an internal audit process that scans our endpoint clients using the MBSA utility. The endpoints are all Bigfix clients with the latest critical and important patches as supplied by Bigfix installed. When the MBSA scan completes it lists a good majority of the clients as “Severe Security Risk”. Upon further investigation we see that the MBSA is reporting several missing patches, MS0x-xxx, that need to be applied to the client to bring them into compliance. Using Bigfix we open the fixlets for the particular MS0x-xxx patch and it indicates that it is not relevant for the client.

Can someone give me some advice on why the MBSA indicates a patch is needed and Bigfix indicates the same patch is not relevant? How do I know which one, the MBSA or Bigfix, is correct? How does Bigfix determine if the patch is needed vs. MBSA?


(imported comment written by NoahSalzman)

Ben addresses this topic here:

http://forum.bigfix.com/viewtopic.php?id=2657

(imported comment written by SystemAdmin)

Mosbey, have you tried to install the patches that WSUS shows as being needed? If so, were they indeed relevant: the hotfixes ran, completed successfully and now show as installed locally (Add/Remove Programs) and by WSUS?

(imported comment written by Mosbey91)

Sorry for the delay in my response. We do not use WSUS. We use Bigfix to patch microsoft endpoints. We just started using the MBSA to audit to see if the client is not at risk due to uninstalled patches. The MBSA runs on the clients and indicates that the client is at Severe Risk. When you audit the client through Bigfix there are no patches that apply.

How does Bigfix use relevance to determine if the Microsoft patch is needed? Is that analysis different than Microsoft’s?

(imported comment written by JackCoates91)

You can view the logic that BigFix is using by clicking the fixlet message and scrolling down on the details tab. Typically you will find that it’s using file existence and version in addition to registry key existence, whereas WSUS tends to simply use the registry key that a patch sets when it completes. It’s like the difference between reading labels and looking into the boxes.
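Editor's note: the following is an added example written for this page, not BigFix's own relevance language, MBSA's scan logic or anything posted in the thread. It models the distinction in the comment above: a "label" check that only looks for the registry key a patch installer writes on completion, beside a "box" check that looks at whether the files the patch ships actually exist at or above the shipped versions. The bulletin ID, registry key, file path, version numbers and host inventories are all constructed placeholders, and the host inventories are chosen to show when the two verdicts agree and when they split, such as a later patch replacing the same file with a newer build.

```python
"""Two ways to decide whether a Windows patch is still needed.

Label check  : is the completion registry key present?
Box check    : do the shipped files exist at or above the shipped versions?

All identifiers below (bulletin, key, path, versions, hosts) are constructed
for this example and are not real Microsoft or BigFix values.
"""
from dataclasses import dataclass


def parse_version(text):
    """'6.0.6001.18000' -> (6, 0, 6001, 18000) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Patch:
    bulletin: str
    registry_key: str      # key the installer writes when it completes
    file_versions: dict    # path -> version string the patch ships


@dataclass
class Host:
    name: str
    registry_keys: set     # installed-update keys present on the machine
    files: dict            # path -> version string; missing path = file absent


def needed_by_registry(host, patch):
    """Label check: the patch is 'missing' whenever its completion key is absent."""
    return patch.registry_key not in host.registry_keys


def needed_by_files(host, patch):
    """Box check: needed if any shipped file is present at an older version.
    A file that does not exist means the component is not installed, so the
    patch does not apply to that file at all."""
    for path, shipped in patch.file_versions.items():
        present = host.files.get(path)
        if present is None:
            continue
        if parse_version(present) < parse_version(shipped):
            return True
    return False


def compare(host, patch):
    """Return both verdicts and whether they disagree."""
    by_registry = needed_by_registry(host, patch)
    by_files = needed_by_files(host, patch)
    return {"host": host.name, "registry": by_registry,
            "files": by_files, "disagree": by_registry != by_files}


# Constructed patch: writes one key and replaces one DLL (placeholder values).
DLL = r"C:\Windows\System32\example.dll"
PATCH = Patch("MS0x-xxx",
              r"HKLM\SOFTWARE\Example\Updates\KB000000",
              {DLL: "6.0.6001.18000"})

# Constructed host inventories covering the agree/disagree cases.
SAMPLE_HOSTS = [
    # Installed by this patch's own installer: key present, file current.
    Host("patched-directly", {PATCH.registry_key}, {DLL: "6.0.6001.18000"}),
    # A later patch replaced the DLL with a newer build but wrote its own key.
    # Label check says missing; box check says nothing to do.
    Host("superseded", {r"HKLM\SOFTWARE\Example\Updates\KB000001"},
         {DLL: "6.0.6001.22000"}),
    # Genuinely unpatched: both checks say needed.
    Host("unpatched", set(), {DLL: "6.0.6000.16386"}),
    # Key present but the DLL was overwritten with an older build afterwards.
    # Label check says fine; box check says needed.
    Host("rolled-back", {PATCH.registry_key}, {DLL: "6.0.6000.16386"}),
    # Component not installed at all: no file, so the box check says not applicable.
    Host("no-component", set(), {}),
]


def run_comparison(hosts=SAMPLE_HOSTS, patch=PATCH):
    return [compare(host, patch) for host in hosts]


if __name__ == "__main__":
    for r in run_comparison():
        print(f"{r['host']:17} registry_needs={str(r['registry']):5} "
              f"files_need={str(r['files']):5} disagree={r['disagree']}")
```

The "superseded" and "no-component" hosts are the shape of the situation in the original question: a key-only scanner reports the bulletin as missing, while a check that opens the box finds the file already at or beyond what the patch would install, or not present to patch at all. The "rolled-back" host shows the opposite failure, where trusting the label hides a file that really is out of date.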