How OESIS determines Severity of GetMissingPatches for WUA

Overview

The Windows Update Agent (WUA) functionality—particularly the GetMissingPatches method—in MetaDefender Endpoint Security SDK relies directly on Microsoft’s WUA API. When this method is invoked, SDK collects the list of missing patches reported by WUA, converts the data into a standardized JSON format, and returns it in the json_out object.

This article explains how the severity field in result.patches[] is determined during this process.

How the SDK retrieves severity

Primary Source

Info

These values are passed through without modification. The SDK does not recalculate or reinterpret them.

Our SDK retrieves patch severity mainly from Microsoft WUA API. Severity values are based on the official Microsoft Security Response Center (MSRC) rating scale:

Value

Description

critical

A security issue whose exploitation could allow the propagation of an Internet worm without user action.

important

A security issue whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.

moderate

Exploitation is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

low

A security issue whose exploitation is extremely difficult, or whose impact is minimal.

unknown

If there is any issue, it will be classified as unknown.

Fallback Behaviour

If our SDK cannot retrieve the official severity (e.g., the Windows Update API fails or times out), it falls back to Microsoft’s Windows Update classification model and infers severity from the patch’s category.

1. Category-Based Mapping

For any patch in these categories, our SDK sets severity to important:

  • critical_update

  • update_rollup

  • service_pack

  • definition_update

  • security_update

2. Optional vs. Recommended

For patches in these categories:

  • update

  • feature_pack

  • tool

our SDK assigns:

  • important — if Windows Update marks the patch as Recommended

  • unknown — if Windows Update marks the patch as Optional

Example Output

The following is an example of the simplified json_out output generated by the GetMissingPatches method:

{ "result": { "method": 1013, "signature": 1103, "patches": [ { "title": "Update for Microsoft Office 2016 (KB5002623) 64-Bit Edition", "description": "Microsoft has released an update ...", "category": "critical_update", "severity": "important", ... }, { "title": "Broadcom Inc. - Display - 9.17.9.4", "description": "Broadcom Inc. Display driver update released in December 2024", "category": "driver", "severity": "unknown", ... } ], ... } }

References

Support

If further assistance is required, please proceed to log a support case or chatting with our support engineer.