Verifying Patches

The information that Tenable plugins provide to enumerate software versions can be used to verify that authorized software is updated with the latest patches. The Patch Report (66334) Plugin summarizes a list of patches that need to be installed and enabled on an asset. Use this plugin to track how often a patch assessment is made over time or to extract the data to perform analysis.

The following image is the plugin output from plugin 66334 for a Windows asset:

The following image is the plugin output from plugin 66334 for a Mac OS asset:

The following image is the plugin output from plugin 66334 for a Linux asset:

Note: A patch that has been applied is often still reported in plugin 66334, or the plugin for the individual patch still fires. The patch continues to be reported as a vulnerability because, although it has been applied, another step is required to fully enable it. The additional step could be a reboot, a registry key, or a GPO change. Patch management solutions such as SCCM or WSUS may also report the patch as applied and the asset as not vulnerable, while Tenable reports the patch as missing because it is not fully enabled.

The following are some suggested filters for finding patches that are not fully enabled. Note that Plugin Output in Tenable Vulnerability Management is called Vulnerability Text in Tenable Security Center.

  • SCCM or WSUS reports that the patch has been applied
    • Plugin Output contains SCCM: NOT Vulnerable
  • Reboot required
    • Plugin ID equals 35453
    • Severity equals High

  • Registry change required (Tenable Vulnerability Management)
    • Severity equals Medium, High, Critical
    • Plugin Output contains HKLM
    • Plugin Output contains registry

  • Registry change required (Tenable Security Center)
    • Severity equals Low, Medium, High, Critical
    • Only required in Tenable Security Center: Plugin Type equals Active
    • Vulnerability Text Regex Match HKLM|HKU|HKCU|Registry
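
The filters above applied offline to a set of exported findings, as an added example that is not Tenable's code. The record field names, the sample findings, and every plugin ID other than 35453 are constructed for illustration, and treating "contains" as a case-insensitive substring match is an assumption.

```python
import re

# Constructed sample findings. The field names are assumptions for this
# example, not the column names of any Tenable export.
FINDINGS = [
    {"asset": "win-01", "plugin_id": 35453, "severity": "High", "plugin_type": "Active",
     "plugin_output": "A reboot is pending on this host."},
    {"asset": "win-02", "plugin_id": 900001, "severity": "High", "plugin_type": "Active",
     "plugin_output": "KB placeholder is missing.\nSCCM: NOT Vulnerable"},
    {"asset": "win-03", "plugin_id": 900002, "severity": "Medium", "plugin_type": "Active",
     "plugin_output": "The registry value under HKLM\\SOFTWARE\\Example is not set."},
    {"asset": "win-04", "plugin_id": 900003, "severity": "Low", "plugin_type": "Active",
     "plugin_output": "Setting not present under HKU\\S-1-5-18\\Example."},
    {"asset": "lin-01", "plugin_id": 900004, "severity": "Critical", "plugin_type": "Active",
     "plugin_output": "Installed package is older than the fixed version."},
]

# Regex from the Tenable Security Center filter, used exactly as written.
SC_REGISTRY_RE = re.compile(r"HKLM|HKU|HKCU|Registry")

def contains(text, needle):
    # Assumption: "contains" behaves as a case-insensitive substring match.
    return needle.lower() in text.lower()

def classify(f, product="tvm"):
    """Return the reasons a finding matches the suggested filters."""
    out, sev = f["plugin_output"], f["severity"]
    reasons = []
    if contains(out, "SCCM: NOT Vulnerable"):
        reasons.append("patch-tool-reports-applied")
    if f["plugin_id"] == 35453 and sev == "High":
        reasons.append("reboot-required")
    if product == "tvm":  # Tenable Vulnerability Management filter set
        hit = sev in {"Medium", "High", "Critical"} and contains(out, "HKLM") and contains(out, "registry")
    else:  # Tenable Security Center filter set
        hit = (sev in {"Low", "Medium", "High", "Critical"} and f["plugin_type"] == "Active"
               and bool(SC_REGISTRY_RE.search(out)))
    if hit:
        reasons.append("registry-change-required")
    return reasons

def triage(findings, product="tvm"):
    """Map each asset with at least one filter match to its reasons."""
    results = {f["asset"]: classify(f, product) for f in findings}
    return {asset: reasons for asset, reasons in results.items() if reasons}

if __name__ == "__main__":
    for product in ("tvm", "sc"):
        print(product, triage(FINDINGS, product))
```

The Low-severity HKU finding matches only the Security Center filter set, which shows how the two registry filters differ in scope.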