AnsweredAssumed Answered

MS vulnerability detections

Question asked by James Hamill on Jan 4, 2017
Latest reply on Jan 9, 2017 by Robert Dell'Immagine

Hi, I compile monthly security packs for the business and Qualys reports are heavily featured. One of the reports I run is a 3 month trend based on the last 3 server patching baselines. Each monthly baseline is configured as a search list. These search lists are referenced in the report. 


Previous reports have seen three spikes that represent the release of MS patches on Patch Tuesday. We then see a decrease in detections as we remediate our server environment. Example below:


Our most recent trend report included the baselines for September, October & November 2016. However we found that the number of detections increased each month. A screenshot of this trend report can be seen below. 


For instance the top detected vulnerability is MS16-120. Our patching solution, Landesk, suggests that the patch installed successfully and hopping onto the server itself and looking at installed updates it would appear that the update has been installed. 


Qualys is detected it as vulnerable because %windir%\system32\win32k.sys Version is 6.1.7601.23528 which is true. 

I'm trying to ascertain if it's a patch installation issue or a reporting issue. We've not made any changes to our patch process since the first graph was generated. 

Anyone have any ideas? Has anyone experienced anything similar? Wondering if it is related to the new MS cumulative updates in any way?