For MS11-056/Q2507938, the GDR version of CONHOST.EXE for Windows 7 SP1 x86 is 6.1.7601.17617.
Isn't there some way you can change your detection logic so that it doesn't compare GDR versions to LDR versions? It seems like every month there is at least one of these problems where it compares a newer GDR version to an older LDR version and concludes that the patch is missing. The first 2 digits of the last section of GDR versions are always different (lower) than the LDR versions. In this case, since CONHOST.EXE was > 6.1.7601.17617 and < 6.1.7601.21000, NetChk should know that MS11-056 is already installed.
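The branch-aware comparison the post asks for, as an added example that is not part of the original post and is not NetChk's code. It assumes the 21000 GDR/LDR boundary the post gives for build 7601; the LDR fixed version and the installed versions are constructed placeholders.

```python
# Added illustration; not NetChk's detection code.
LDR_FLOOR = 21000  # assumption from the post: build 7601 revisions >= 21000 are LDR


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of four ints."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four version fields: {text!r}")
    return parts


def branch(version):
    """Classify a parsed version by its revision (last) field."""
    return "LDR" if version[3] >= LDR_FLOOR else "GDR"


def naive_is_patched(installed, fixed):
    """Flawed check: compare against the highest fixed version of any branch."""
    return parse_version(installed) >= max(parse_version(v) for v in fixed.values())


def is_patched(installed, fixed):
    """Compare only against the fixed version from the file's own branch.

    Returns True/False, or None when no baseline applies (different
    major.minor.build, or no fixed version known for that branch).
    """
    inst = parse_version(installed)
    ref = fixed.get(branch(inst))
    if ref is None:
        return None
    ref = parse_version(ref)
    if inst[:3] != ref[:3]:
        return None
    return inst >= ref


FIXED = {
    "GDR": "6.1.7601.17617",  # from the post
    "LDR": "6.1.7601.21700",  # constructed placeholder, not the real LDR version
}

if __name__ == "__main__":
    # Constructed installed versions: newer GDR, older GDR, older LDR.
    for installed in ("6.1.7601.17700", "6.1.7601.17500", "6.1.7601.21500"):
        print(installed, naive_is_patched(installed, FIXED), is_patched(installed, FIXED))
```

Returning None for a file from a different build keeps the check from reporting "patched" or "missing" against a baseline that does not apply to it.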