M100849: Troubleshooting why a security bulletin status is reported as "Unknown / Not Analyzed"

The ManageSoft Security Manager security compliance reports show compliance information based security analysis information collected from each device. There are a range of situations which can cause a particular bulletin to be reported with an "Unknown / Not Analyzed" status on devices. This article describes some of these situations and troubleshooting steps which can be performed to identify why bulletins are being reported with this status. This article is particularly focused on troubleshooting problems with Microsoft bulletins whose names starts with "MS" (for example, MS07-069, and not OF_OLKINTL11).

This article applies to situations where a bulletin is reported:

  • With an "Unknown" compliance status in the "Summary for security bulletins applied to managed devices" report and a "Not Analyzed" status when drilling down from that report to the "Unknown compliance summary report for security bulletins applied to managed devices" report or
  • With a "Not Analyzed" status in the "Security patch compliance summary for managed devices" report or
  • With a "Not Analyzed" status in the "Compliance for security bulletins applied to managed device" report

Causes

Some typical causes of a bulletin being reported with a "Unknown / Not Analyzed" status are:

  • Security analysis has not been collected from the device since the bulletin was posted or last revised.
  • The wsusscan.cabfile on the managed device is not current.
  • The "Automatic Updates" service is disabled on the device.
  • A current version of the Windows Update Agent is not installed on the device.
  • The known reporting problem described in KB article 100850 (see link in the Related articles section below).

Troubleshooting and resolution

The following troubleshooting steps can be performed to identify whether any of the causes listed above are applicable to a particular device and bulletin.

Note: All paths specified here are based on defaults in an English environment. Modify these paths appropriately if you have a non-default or non-English setup.

  1. Check that the device has performed a security analysis since the bulletin in question was posted or last revised. This can be done by checking the "Device Analyzed On" date in the reports, and by checking the timestamp on any c:\Documents and Settings\All Users\Application Data\ManageSoft Corp\ManageSoft\Security Agent\Security Analysis\*.msa files on the device. If the timestamp on any of these files is newer than the "Device Analyzed On" time shown in the reports, this suggests that there has been some problem or delay uploading and importing the latest security analysis information in to the database. Try manually triggering a security analysis and following its upload and import through logs from the security and upload agents (typically stored in c:\WINDOWS\Temp\ManageSoft\SecurityAgent.log and c:\WINDOWS\Temp\ManageSoft\uploader.log respectively).
  2. Ensure that the timestamp on the c:\Program Files\ManageSoft\SecurityPatch\wsusscan.cab file is current in particular, it should have a more recent timestamp than the bulletin that is being reported with the "Unknown / Not Analyzed" status. If this file is not current, ensure that the wsusscan.cab file in the Security Patch Settings for Microsoft Windows package is current (this package is updated when security errata data is refreshed in the ManageSoft administration console), and look for any problems installing that package on the device. Typically such problems will be evident from logging generated in the installation agent log (c:\WINDOWS\Temp\ManageSoft\installation.log) while applying machine policy. If security errata data has been refreshed in the administration console but the wsusscan.cab file in the package is still not being updated, check that the Security Management URL to Windows Update Agent setting in the configuration console is set to "http://go.microsoft.com/fwlink/?LinkId=74689" as described in KB article 100788 (see link in the Related articles section below).
  3. Manually run Microsoft Baseline Security Analyzer (MBSA) sp2 to validate that it is operating correctly on the device. The exact command line that the ManageSoft

Comments

Powered by Zendesk