Overview
GFI LanGuard console or Agent scans report that critical Windows updates and patches are missing on the scanned servers and client machines, yet a Windows Update check on those computers finds nothing new because they appear to be fully patched. Some of the updates LanGuard detects are several months old.
Solution
LanGuard uses the Microsoft-developed Windows Update Agent (WUA) to detect all missing and installed Microsoft patches, providing it with a freshly downloaded copy of the WSUS offline scan package, wsusscn2.cab. WSUS is intended for domain IT and security departments and is not the same as the Windows Update service built into the Windows operating system. Updates offered through Windows Update may differ from the updates offered through WSUS.
LanGuard uses the same functionality as Microsoft Baseline Security Analyzer (MBSA), and it should return the same results as long as the LanGuard Patch Management Database is up to date. A quick modern alternative to MBSA’s patch-compliance checking is Using WUA to Scan for Updates Offline, which includes a sample .vbs script. For a PowerShell alternative, see Using WUA to Scan for Updates Offline with PowerShell.
Both scripts use wsusscn2.cab to perform an offline scan and return the same missing-update information that LanGuard reports.
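The following PowerShell script is an added example for comparing a machine's own offline WUA result with the LanGuard report; it is not the article's script and not Microsoft's sample, although it uses the same Windows Update Agent COM interfaces (Microsoft.Update.Session and Microsoft.Update.ServiceManager). It assumes a freshly downloaded wsusscn2.cab at C:\Temp\wsusscn2.cab, an elevated PowerShell session (registering a scan package service requires administrator rights), and an output path under C:\Temp; all three are assumptions you can change.

```powershell
# Added example (not from the GFI article or Microsoft's sample): run an offline WUA
# scan against wsusscn2.cab and write the missing updates to CSV so they can be
# compared, KB by KB, with the LanGuard scan result for the same machine.
# Assumptions: wsusscn2.cab is a current download at $CabPath, and this runs elevated.
param(
    [string]$CabPath   = 'C:\Temp\wsusscn2.cab',
    [string]$ReportCsv = "C:\Temp\wua-offline-$($env:COMPUTERNAME).csv"
)

function Get-MissingUpdatesOffline {
    param([Parameter(Mandatory)][string]$CabPath)

    if (-not (Test-Path -LiteralPath $CabPath)) {
        throw "Scan package not found: $CabPath (download a current wsusscn2.cab from Microsoft first)"
    }

    $session        = New-Object -ComObject Microsoft.Update.Session
    $serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
    # Register the .cab as a temporary update source for WUA (flag 1 = usoNonVolatileService)
    $service = $serviceManager.AddScanPackageService('Offline Sync Service', $CabPath, 1)
    try {
        $searcher = $session.CreateUpdateSearcher()
        $searcher.ServerSelection = 3                      # ssOthers: use the service registered above
        $searcher.ServiceID = [string]$service.ServiceID
        $searcher.IncludePotentiallySupersededUpdates = $true   # mirrors how older OSes are evaluated
        $result = $searcher.Search('IsInstalled=0')        # only updates the .cab says are missing

        foreach ($u in $result.Updates) {
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                KB           = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ';'
                Severity     = $u.MsrcSeverity
                ReleasedUTC  = $u.LastDeploymentChangeTime
                Title        = $u.Title
            }
        }
    }
    finally {
        # Unregister the scan package service so the temporary source does not linger
        $serviceManager.RemoveService($service.ServiceID)
    }
}

$missing = @(Get-MissingUpdatesOffline -CabPath $CabPath)
$missing | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation
'{0} update(s) reported missing by wsusscn2.cab; report written to {1}' -f $missing.Count, $ReportCsv
$missing | Sort-Object ReleasedUTC | Format-Table KB, Severity, ReleasedUTC, Title -AutoSize
```

Run it on the machine LanGuard flags, then match the KB column against the missing patches listed in the LanGuard scan. If the two lists agree, the patches are genuinely missing according to Microsoft's own scan package, even when the Windows Update client does not offer them; if they disagree, the wsusscn2.cab copy or the LanGuard database on the backend is the more likely cause, which is what the remaining steps in this article address.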
If the results are the same, the patches are indeed missing: either Microsoft did not include them in the Windows Update list, or the target machine has a problem with Windows Update accuracy. You should deploy the updates, resolve the discrepancy with your systems administrator or Microsoft support, or ignore the updates by following the steps in the Ignoring Specific Vulnerabilities in Scans article.
If the results differ, the wsusscn2.cab file present on the target machine may be corrupted or out of date, or there may be a problem with the LanGuard backend database. Work through the following steps:
- The updated definitions are provided only for the latest LanGuard version. If you are still using an older version, upgrade GFI LanGuard.
- Follow the Updating LanGuard Server Manually When Product Does Not Get Latest Definitions or Agents Do Not Update article to ensure you have the most recent definitions and the correct wsusscn2.cab file.
- If you are using Agents, they should update automatically at the start of the next scan. You can manually initiate an agent scan by right-clicking the target machine or group of computers in the Computer Tree and selecting Scan > Refresh information now. Verify success by navigating to Activity monitor -> Program updates and checking the Agent updates tab. Agent updates must show as successful for the affected target clients. If they do not, see Fix LanGuard Agent Failed Updates.
- Perform a full scan on the target machine(s). Validate if the updates in question are still detected as missing.
- If the update is still reported as missing even though it is installed, there may be issues with writing scan results to the SQL database or retrieving them for display on the dashboard. Review the recommendations in our Maintaining the SQL Database Used by LanGuard article.
Testing
Perform a full scan on the target machine(s) and see if the problem is solved. If the issue persists, contact GFI LanGuard Support.