Vulnerability false positive


Andrea Consadori

Jul 21, 2021, 8:56:05 AM
to Wazuh mailing list
Hello,
On a Windows 2016 server, Wazuh tells me "KB4512517 patch is not installed", and it's wrong because this KB has been included in KB5004948, which is installed.

Is it a bug?
How do I manage it?

Marcel Kemp

Jul 21, 2021, 11:16:56 AM
to Wazuh mailing list
Hi Andrea,

The problem in this case is that the MSU feed was out of date, so there was no correlation indicating that the patch KB5004948 supersedes KB4512517, and that caused it to show you the vulnerability.

To fix it, we just updated the MSU feed, so with the default configuration for the MSU (when the time set in update_interval has expired), it will check whether there is a new version and automatically update the feed, thus fixing the problem.

If you want to check if you have the updated feed, you can execute the following command in the manager:
sqlite3 /var/ossec/queue/vulnerabilities/cve.db "select sha256 from metadata;"

And if the output is equal to the following hash, then it will be updated and those false positives will no longer appear in the next scan:
9810e713f86fad1ce1cb9563de75beaeca9aac6c24ddd6f0bbbe2ebe94a0d1be

Sorry for the inconvenience.
If you have any questions, do not hesitate to ask.
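An added example, not part of the original thread and not Wazuh's own code: a minimal model of the supersedence check described in the reply above, showing how a feed that lacks the record linking KB5004948 to KB4512517 reports a missing patch while the updated feed does not. The feed shape (a mapping from a KB to the KBs it replaces), the function names and the placeholder KB-NEW/KB-MID/KB-OLD chain are assumptions made for illustration.

```python
from collections import deque


def is_patch_satisfied(required_kb, installed_kbs, supersedes):
    """True if required_kb is installed or replaced, directly or
    transitively, by an installed KB.

    supersedes: dict mapping a KB to the set of KBs it directly
    replaces (assumed feed shape, not Wazuh's schema).
    """
    installed = set(installed_kbs)
    if required_kb in installed:
        return True
    # Breadth-first walk from every installed KB through what it replaces.
    seen = set(installed)
    queue = deque(installed)
    while queue:
        kb = queue.popleft()
        for older in supersedes.get(kb, ()):
            if older == required_kb:
                return True
            if older not in seen:  # guards against cycles in a malformed feed
                seen.add(older)
                queue.append(older)
    return False


def missing_patches(required_kbs, installed_kbs, supersedes):
    """Sorted list of required KBs that nothing installed covers."""
    return sorted(kb for kb in required_kbs
                  if not is_patch_satisfied(kb, installed_kbs, supersedes))


# Constructed sample data; only the two KB numbers come from the thread.
INSTALLED = ["KB5004948"]
REQUIRED = ["KB4512517"]
STALE_FEED = {}                                # supersedence record absent
UPDATED_FEED = {"KB5004948": {"KB4512517"}}    # record present
# Placeholder chain with a deliberate cycle: NEW -> MID -> OLD (and MID -> NEW).
CHAIN_FEED = {"KB-NEW": {"KB-MID"}, "KB-MID": {"KB-OLD", "KB-NEW"}}

if __name__ == "__main__":
    print("stale feed  :", missing_patches(REQUIRED, INSTALLED, STALE_FEED))
    print("updated feed:", missing_patches(REQUIRED, INSTALLED, UPDATED_FEED))
    print("chain       :", is_patch_satisfied("KB-OLD", ["KB-NEW"], CHAIN_FEED))
```

With the stale feed the required KB is reported missing even though its replacement is installed, which is the false positive raised in the thread.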