PROBLEM
The scan results of GFI LanGuard for missing patches and/or service packs differ from those delivered by Microsoft's Update Service. In most cases this means that not all patches which were identified by the Microsoft Update Service as missing are detected by GFI LanGuard.
First, note that MOST, BUT NOT ALL, Microsoft patches are supported by GFI LanGuard. The differences are discussed in the article:
Why does Windows update list patches that are not in GFI LanGuard?
- GFI LanGuard
- All supported environments
SOLUTION
First, determine whether the patch is supported and is in GFI LanGuard's Patch Management Database:
- Security patches as well as third-party patches that GFI LanGuard supports are listed on the LanGuard Reports site. However, this does not include Microsoft Non-Security patches (of which there are about 25,000).
- Ensure that GFI LanGuard's program updates are up-to-date:
- Then open the Scanning Profiles Editor (Ctrl+P) in GFI LanGuard and search by Q-Number (same as KB number).
- If the scan results are coming from a GFI LanGuard agent, ensure its program updates are up-to-date as well.
Note: As a check, you can run a custom scan of the agent machine using an interactive scan from the console (right-click computer -> Scan -> Custom scan) to see if the results from the agent and from the console scan are the same.
If a patch or Service Pack is supported and still not detected by GFI LanGuard, the following steps should be performed to troubleshoot the cause of the issue:
- If the patch is a Microsoft Security Patch with a Bulletin ID in the form MSyy-nnn (e.g. MS15-005), download and scan the machine using Microsoft's MBSA as described in the article How to use the Microsoft Baseline Security Analyzer (MBSA). LanGuard uses the same technology that Microsoft uses, including the exact same offline scanning file (wsusscn2.cab).
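The same cross-check can be scripted with the Windows Update Agent COM API, which can scan offline against wsusscn2.cab. The following PowerShell is an added example, not GFI or Microsoft code; the cab path and the text file of KB/Q numbers copied from the LanGuard scan results (one per line) are assumptions.

```powershell
# Added example: offline Windows Update Agent scan against wsusscn2.cab.
# Run from an elevated PowerShell prompt on the machine being checked.
param(
    [string]$CabPath      = 'C:\Temp\wsusscn2.cab',          # assumed download location
    [string]$LanGuardList = 'C:\Temp\languard-missing.txt'   # hypothetical file: one KB/Q number per line
)

$session = New-Object -ComObject Microsoft.Update.Session
$manager = New-Object -ComObject Microsoft.Update.ServiceManager
# Register the cab as a temporary offline scan service (1 = usoNonVolatileService)
$service = $manager.AddScanPackageService('Offline Sync Service', $CabPath, 1)

try {
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3                 # ssOthers: use the service named in ServiceID
    $searcher.ServiceID       = $service.ServiceID
    $result = $searcher.Search('IsInstalled=0')   # updates the cab considers missing

    $wua = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Bulletin = @($u.SecurityBulletinIDs) -join ','   # MSyy-nnn where present
            Severity = $u.MsrcSeverity
            Title    = $u.Title
        }
    }
    $wua | Sort-Object KB | Format-Table -AutoSize

    if (Test-Path $LanGuardList) {
        # Normalise "Q123456", "KB123456" or "123456" to "KB123456"
        $lg = @(Get-Content $LanGuardList |
            ForEach-Object { $_.Trim().ToUpper() } |
            Where-Object { $_ -match '^(KB|Q)?(\d+)$' } |
            ForEach-Object { 'KB' + ($_ -replace '^(KB|Q)', '') })
        $wuaKbs = @($wua | ForEach-Object { $_.KB -split ',' } | Where-Object { $_ })

        'Missing per offline WUA scan but not in the LanGuard list:'
        @($wuaKbs | Where-Object { $_ -notin $lg }) | Sort-Object -Unique
        'In the LanGuard list but not reported by the offline WUA scan:'
        @($lg | Where-Object { $_ -notin $wuaKbs }) | Sort-Object -Unique
    }
}
finally {
    # Unregister the scan package service so it does not linger on the machine
    $manager.RemoveService($service.ServiceID)
}
```

KB numbers that appear only in the first list are the ones to look up in the Scanning Profiles Editor and to include in a support request.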
If the above steps could not deliver any explanation for the patch not being recognized as missing by GFI LanGuard, please contact our technical support team via http://support.gfi.com/supportrequestform.asp to inform us about the problem. Please include all information related to the patch or service pack as well as the information gathered during the troubleshooting process.
CAUSE
GFI LanGuard is designed to focus on security aspects of an IT environment. Since this also applies to the detection process of missing patches, GFI LanGuard will only detect missing patches which are relevant to the security of a system, network or application.
Further to this general distinction between security-relevant and non-security-relevant patches, all updates are reviewed by our security research team before being implemented in the patch database for GFI LanGuard. During this process some patches might be considered non-critical and therefore not applicable to the system's security, or ruled out due to other considerations. In that case these patches will not be supported by GFI LanGuard.
GFI maintains a complete list of all patches and Service Packs supported by GFI LanGuard. This list can be found here.