1 Reply Latest reply on Jun 14, 2011 6:52 PM by cgrim

    False Positives: Burden of Proof

      Hi folks, I'm looking to see if other folks have this problem. I am working with multiple teams (one each for scanning, engineering, QA, packaging, delivery, and all separate from each other and my own, and this is just for MS patches) for a very large environment (thousands of machines). Dealing with issues is very challenging from a process perspective, to say the least.

      My problem right now is that the folks making the patches are in a wholesale disagreement with the folks who run the scanning, and I am in the middle escalating the problem to management. I have compared the results of Foundstone with what is in MBSA at the request of the engineering team and found some bulletins were not detected as missing by Foundstone (older ones from 2010/2009) and found some patches Foundstone identified as missing. I hand-checked one instance on my desktop and found it to be, as far as I can tell, a false positive as well.

      The biggest problem that client engineering has is toward superseding patches, in that they believe that they are current having utilized bulletins that supersede bulletins, that then supersede previous bulletins. Foundstone's results are very strange in that when I took one sample and traced a whole superseding conga line back to 2009, I saw Foundstone was detecting a missing patch but NOT detecting any missing patches from the bulletin that supersedes it. I.e., it appears Foundstone is indicating that the patch that supersedes the previous patch is installed, but it is still showing it vulnerable.

      The only thing I can think of is that some bulletins have two KBs, and those may list two different previous bulletins they superseded, with one superseding the other. For example:

      Bulletin A has two KBs, A1 and A2.

      Bulletin B superseded Bulletin C.

      A1 supersedes B.

      A2 supersedes C.

      If you install A1, logically, all should be fixed. I am having engineering confirm this with Microsoft.

      Have other folks had this problem, and have the McAfee folks seen this with other customers?

        • 1. Re: False Positives: Burden of Proof

          Hi Jamie,

          This is somewhat of a deep discussion - I don't have a real in-depth answer for you except to say that MVM is a vulnerability scanner... MVM isn't in the patch management business, so it doesn't necessarily verify superseded Microsoft patches. Most of the MVM vulnerability scripts will confirm if a vulnerable file version exists on the target.

          To get into specifics, you should open a Service Request.  If you've already done so please reply with the SR #, and I will take a look at it.

          Thanks!
          Cathy
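As an added example (not code from the original post, from McAfee, or from MVM): a small model of the supersedence chain in the question (A1/A2/B/C and the version numbers are constructed names) next to the file-version check Cathy's reply says MVM scripts perform, so scanner findings can be split into "genuinely missing" and "superseded by an installed update" before raising them with support.

```python
from collections import deque

# Constructed supersedence map (KB -> KBs it directly supersedes) for the
# chain in the question: Bulletin A ships A1 and A2; B superseded C;
# A1 supersedes B; A2 supersedes C.
SUPERSEDES = {
    "A1": {"B"},
    "A2": {"C"},
    "B": {"C"},
    "C": set(),
}


def covered_by(kb, supersedes=SUPERSEDES):
    """KBs whose fix is carried, directly or transitively, by `kb` (itself included)."""
    seen = {kb}
    queue = deque([kb])
    while queue:
        for older in supersedes.get(queue.popleft(), ()):
            if older not in seen:  # also guards against cycles in bad metadata
                seen.add(older)
                queue.append(older)
    return seen


def superseded_by_installed(kb, installed, supersedes=SUPERSEDES):
    """Patch-management view: `kb` is covered if any installed KB supersedes it."""
    return any(kb in covered_by(i, supersedes) for i in installed)


def scanner_flags(observed_version, fixed_version):
    """Scanner view (per the reply): the finding stands while the on-disk
    file version is below the version the bulletin fixed."""
    return tuple(observed_version) < tuple(fixed_version)


def triage(findings, installed, supersedes=SUPERSEDES):
    """Split findings {KB: (observed file version, fixed file version)} into
    (genuinely missing, superseded by an installed KB). The second set is not a
    confirmed false positive: the superseding update is installed yet a vulnerable
    file version is still on disk, which is the case to hand-check and escalate."""
    missing, superseded = set(), set()
    for kb, (observed, fixed) in findings.items():
        if not scanner_flags(observed, fixed):
            continue  # file is at or above the fixed version; nothing to triage
        (superseded if superseded_by_installed(kb, installed, supersedes) else missing).add(kb)
    return missing, superseded
```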