AnsweredAssumed Answered

QID:110307, which user hive is agent looking at?

Question asked by Jeff Davis on Jan 5, 2018
Latest reply on Mar 1, 2018 by DMFezzaReed

When the Qualys agent detects QID:110307 - "Microsoft Office Dynamic Data Exchange (DDE) Vulnerability (KB 4053440)", it lists several missing registry settings in HKCU.  Since there are multiple user profiles/registry hives on the machine, which hive is Qualys looking at to determine the machine is vulnerable?  I have tried adding the settings for my user account on a machine but Qualys still shows it as vulnerable.  Surely it is not scanning all the user profiles?  If it is, this is a mess to remediate.

 

Here is a sample results section from one machine:

 

Results:
C:\Program Files (x86)\Microsoft Office\Office14\\EXCEL.exe found
HKCU\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Excel\Security WorkbookLinkWarnings is missing.
C:\Program Files (x86)\Microsoft Office\Office14\\outlook.exe found
HKCU\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Word\Options\WordMail DontUpdateLinks is missing.
C:\Program Files (x86)\Microsoft Office\Office14\\winword.exe found
HKCU\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Word\Options DontUpdateLinks is missing.

Outcomes