I'd like to understand how exactly Qualys detects QID 100319.
We've recently run twice into a situation in which this QID was detected on a server, as follows:
As you guys can see, there are two registry keys missing.
But, according to Microsoft, KB4038777 has been superseded by KB4041681, as follows:
And this KB4041681 is installed on the server:
The interesting thing here is that I asked the Windows team to manually create both of those registry keys shown above and set them equal to 1.
After that, I ran another scan and, guess what... the vulnerability was no longer detected!
Check this out:
The remediation ticket got closed.
The big questions are:
- Shouldn't the more recent patch also create/change the registry key values?
- Shouldn't Qualys search for patches that have been superseded?
- It seems like Qualys ignored the fact that a more recent patch was installed and, considering it didn't find those registry keys, it accused the server of being vulnerable. Is this behaviour correct?