
QID Detection Logic: Patch vs Registry Key missing

Question asked by Abner Almeida on Oct 31, 2017
Latest reply on Nov 1, 2017 by adamc

Hello, colleagues

 

I'd like to understand how exactly Qualys detects QID 100319.

We've recently run twice into a situation in which this QID was detected on a server, as follows:

 

As you guys can see, there're two Registry Keys missing.

But, according to Microsoft, KB4038777 has been superseded by KB4041681, as follows:

 

And this KB4041681 is installed on the server:

 

The interesting thing here is that I asked Windows team to manually create both of those registry keys shown above and set them as equal to 1.

After that, I ran another scan and, guess what... the vulnerability was no longer detected!

Check this out:

 

The remediation ticket got closed.

 

The big questions are:

- Shouldn't the more recent patch also create/change the registry key values?

- Shouldn't Qualys search for patches that have been superseded?

- It seems like Qualys ignored the fact that a more recent patch was installed and, considering it didn't find those registry keys, it accused the server as vulnerable. Is this behaviour correct?
