Other scanning tool report vs BigFix relevance check

Hi list,

We have been asked a couple of times by security folk who say that they use a certain scanning
tool (e.g. Microsoft Baseline Security Analyzer) and that there are missing patches flagged by the
scanning tool, but in BigFix they are not applicable.

In this type of situation, how do you normally go about troubleshooting who is right or wrong?

What is the normal practice? Do I open a PMR to support?

Any advice welcome.
Thanks
Eng Keat


I’ve had similar “debates” with our Security group. The place I would start is looking to see if the content they are concerned about has been Superseded. If it has been, then it might not have been installed, and might not actually need to be installed. I don’t know how the Microsoft Baseline tool handles superseded content.

Get the list of “missing” content, and check for it in BigFix. See if it is listed as Superseded.

Also be aware of when the data was generated. Most of the Microsoft tools require that a Scan be run, so you have a point in time report. BigFix is more RealTime.

In more than a decade of use, I have yet to find a case of BigFix saying that a patch is not needed where it really was needed (barring inaccurate relevance).


Sometimes the relevance is incorrect at first because of edge cases, but that is corrected very quickly when it happens, and it is extremely rare.


You can run a check for windows updates and save the output with BigFix as a form of double checking. I have content for it:

Thanks for the advice

This came up a lot during WannaCry between us (BigFix) and Security. They used Nessus (sp?) and had tons of reports that the patch was missing but BigFix said it was on. We even logged onto those machines and ran the relevance in QNA by hand to make sure. We found that BigFix generally does not lie… But sometimes the scans look for superseded stuff, or the PCs have not been rebooted and the patch is not showing on those scans but BigFix knows they’ve been patched… In very few cases we found patches would not “take” regardless of whether by BigFix or by hand and reimaged - but in that case both BF and Nessus reported unpatched.
I trust BF over all those scans based on using it for many years and not having it lie to me yet !


This is a good point: if the patch has been applied but the system hasn’t rebooted, then it is in this in-between state where it is likely still vulnerable but will no longer be after reboot. This can cause some legitimate discrepancies for a short time.

I’ve encountered this situation when Nessus and the Security team flag a vulnerability/missing patch from a fixlet that is not relevant due to a missing pre-requisite.

Eg: if an older server was missing something like a servicing stack update, other fixlets were never relevant and thus patches were not applied.

The windows team want to focus more on Security patches and not other classes so this has happened in a few cases where I had to push to have non-Security patches installed to enable a Security patch being flagged missing.

Some issues arise with MS patches in general, for example: our organization could not install patches due to an ACCESS DENIED Microsoft error code (80070005). Using Process Monitor (Sysinternals) with boot logging on revealed that the update was trying to update USBSTOR.INF, which we had denied SYSTEM access to via GPO as part of a homemade DLP solution. There are many cases where updates will not take, and I agree that both BigFix and a VA scanner would flag in that case. However, my current issue is that BigFix shows relevant, but my Nessus scanner does not show it as a finding. This is the case for some MS14, MS15 and MS16 patches so far. I even have my Nessus scan policy set to “show superseded patches”; however, they do not show up. I have had more issues using the Nessus NASL scripts than BigFix relevancy. The problem is that we use our Nessus tool for our primary reporting function; BigFix is just in the background. How can I show what is correct?
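The thread as a whole describes one triage procedure: take the scanner's list of "missing" patches, check each one in BigFix for supersedence, compare the scan time against when the patch actually landed, account for a pending reboot and for fixlets that are not relevant only because a prerequisite (such as a servicing stack update) is absent, and, for the reverse case in the last post, use the host itself as the tie-breaker. The script below is an added example written for this thread; it is not BigFix content, not a Nessus or MBSA export format, and not code from any poster. All KB numbers, fixlet attributes, timestamps and the host snapshot are constructed placeholders; in practice the scanner dict would come from the scanner's export, the BigFix dict from the console or a session relevance query, and the host evidence from the machine's installed-hotfix list and reboot-pending state, exactly the manual QnA check the second and fourth posts describe.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed host snapshot: what the machine itself reports (hotfix list + reboot state).
# In a real check this comes from the host, e.g. its installed-hotfix inventory and
# the pending-reboot indicator BigFix exposes; both are assumed inputs here.
@dataclass
class HostEvidence:
    installed: dict        # KB id -> install time taken from the host's hotfix list
    pending_reboot: bool   # True if the host has an update waiting on a reboot


def reconcile(scanner, bigfix, host):
    """Classify every disagreement between a scanner report and BigFix.

    scanner: KB id -> time the scan that flagged it as missing was taken
    bigfix:  KB id -> {"relevant": bool, "superseded_by": KB, "prerequisite": KB}
    host:    HostEvidence for the same machine (the tie-breaker)
    Returns KB id -> verdict string for every KB flagged by either side.
    """
    verdicts = {}
    flagged = set(scanner) | {kb for kb, fx in bigfix.items() if fx.get("relevant")}
    for kb in sorted(flagged):
        fx = bigfix.get(kb, {})
        by_scanner = kb in scanner
        by_bigfix = bool(fx.get("relevant"))
        on_host = kb in host.installed

        if by_scanner and by_bigfix:
            verdicts[kb] = "agree: missing"
        elif by_scanner and not by_bigfix:
            sup = fx.get("superseded_by")
            prereq = fx.get("prerequisite")
            if sup and sup in host.installed:
                # Scanner checked for an old KB; the replacement is already on the box.
                verdicts[kb] = f"superseded by {sup} (installed on host)"
            elif sup:
                verdicts[kb] = f"superseded by {sup}, which is not installed either: treat as missing"
            elif on_host and host.installed[kb] > scanner[kb]:
                # Point-in-time scan predates the install; BigFix is real-time.
                verdicts[kb] = "stale scan: installed after scan time"
            elif on_host and host.pending_reboot:
                # Applied but not yet effective; legitimate short-lived discrepancy.
                verdicts[kb] = "installed, reboot pending"
            elif prereq and prereq not in host.installed:
                # Fixlet can't be relevant until the prerequisite lands; exposure is real.
                verdicts[kb] = f"blocked: prerequisite {prereq} not installed"
            else:
                verdicts[kb] = "unexplained: run fixlet relevance in QnA on the host"
        else:
            # BigFix relevant, scanner silent (the last post's case): let the host decide.
            if on_host:
                verdicts[kb] = "possible relevance error: present on host, check fixlet relevance in QnA"
            else:
                verdicts[kb] = "scanner gap: absent on host, BigFix correct"
    return verdicts


# ---- Constructed sample data (placeholder KB numbers, not real updates) ----
SCAN_TIME = datetime(2024, 1, 10, 8, 0)
SCANNER = {kb: SCAN_TIME for kb in
           ("KB1000001", "KB1000002", "KB1000003", "KB1000004", "KB1000005")}
BIGFIX = {
    "KB1000001": {"relevant": False, "superseded_by": "KB1000009"},
    "KB1000002": {"relevant": False},                      # installed after the scan
    "KB1000003": {"relevant": False},                      # installed, awaiting reboot
    "KB1000004": {"relevant": False, "prerequisite": "KB1000010"},
    "KB1000005": {"relevant": True},                       # both sides agree
    "KB1000006": {"relevant": True},                       # scanner silent, absent on host
    "KB1000007": {"relevant": True},                       # scanner silent, present on host
    "KB1000009": {"relevant": False},
}
HOST = HostEvidence(
    installed={
        "KB1000009": datetime(2023, 12, 1),
        "KB1000002": datetime(2024, 1, 12, 3, 0),   # after SCAN_TIME
        "KB1000003": datetime(2024, 1, 9, 3, 0),    # before SCAN_TIME, reboot pending
        "KB1000007": datetime(2023, 11, 1),
    },
    pending_reboot=True,
)

if __name__ == "__main__":
    for kb, verdict in reconcile(SCANNER, BIGFIX, HOST).items():
        print(f"{kb}: {verdict}")
```

Only "agree: missing", "blocked", "superseded but replacement absent" and "scanner gap" verdicts describe real exposure; the "superseded", "stale scan" and "reboot pending" verdicts are the reporting artefacts the thread attributes to point-in-time scanners, and "possible relevance error" is the one case where opening a PMR with the fixlet ID and the host's evidence is warranted.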