RE: New Version of Retina Nimba Scanner

From: Marc Maiffret (marcat_private)
Date: Tue Sep 25 2001 - 07:43:27 PDT


    Just as a heads-up, guys... I just got back from Japan and have been going
    through the Retina Nimda scanner with the guys here, and we're cleaning it up
    to make it MUCH more accurate (i.e. fewer false positives). We should have
    a new version out today. The documentation will more clearly explain the
    results, which was where some got confused.
    
    sorry for the inconvenience.
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    
    | -----Original Message-----
    | From: ckat_private
    | [mailto:ckat_private]On Behalf Of Christian Kuhtz
    | Sent: Sunday, September 23, 2001 5:13 PM
    | To: Andrew Calo
    | Cc: info; incidentsat_private; security-basicsat_private
    | Subject: Re: New Version of Retina Nimba Scanner
    |
    |
    |
    | This is no different than eEye's CodeRed scanner, which didn't give you a
    | trustworthy indication whether CodeRedII was actually present.  It would
    | recognize the cmd.exe backdoor and whine about CR2 being present, which wasn't
    | necessarily true at all (various other exploits created the same backdoors).
    |
    | Given the difficulty in detecting an infection with high confidence, more
    | accurate reporting would go a long way to improving the credibility of these
    | scan tools.
    |
    | Andrew Calo wrote:
    | >
    | > This scanner reports many boxes that aren't infected as infected. Terribly
    | > deceiving.
    | >
    | > At 05:31 PM 9/20/2001 -0700, info wrote:
    | > >A new version of Nimda Scanner has just been posted to the eEye web site
    | > >that will also detect open shares on systems, which is a common trait of an
    | > >infection.
    | > >
    | > >http://www.eeye.com/html/Research/Tools/nimda.html
    | > >
    | > >Signed,
    | > >eEye Digital Security
    | > >T.949.349.9062
    | > >F.949.349.9538
    |
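The thread's complaint is that a scanner which sees the cmd.exe backdoor and reports "CodeRedII/Nimda infected" is overstating what it knows, since the same backdoor is left by several worms and by hand. The block below is an added example (not eEye's Retina scanner code and not anything from this thread) of the tiered reporting Kuhtz asks for: it separates "a cmd.exe backdoor answers" from "Nimda-specific artifacts found" from "open shares only" and attaches a confidence to each verdict. The probe URLs, the Nimda file names, the share names and every HTTP body are assumptions constructed inline so the example runs offline; a real scanner would obtain them from live HTTP probes and share enumeration.

```python
"""Confidence-tiered classification of Code Red II / Nimda scan evidence.

Added example, not the eEye scanner's code. Probe paths, file names and the
HTTP bodies below are assumptions / constructed sample data.
"""
from dataclasses import dataclass, field

# Assumed probe URLs: the cmd.exe copies Code Red II drops (root.exe) and the
# drive-mapped cmd.exe path that Nimda also reuses. Illustrative list only.
BACKDOOR_PROBES = (
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
)

# Assumed Nimda-specific artifacts that share/file enumeration might confirm.
NIMDA_FILES = ("readme.eml", "admin.dll")


@dataclass
class Evidence:
    backdoor_paths: list = field(default_factory=list)  # probes that executed cmd.exe
    open_shares: list = field(default_factory=list)     # shares reachable anonymously
    nimda_files: list = field(default_factory=list)     # Nimda artifacts seen on disk


def backdoor_answered(body: str) -> bool:
    """A live cmd.exe behind the URL echoes a DOS directory listing, not HTML."""
    return "<DIR>" in body and "Directory of" in body


def collect(http_bodies: dict, shares: list, files: list) -> Evidence:
    """Build Evidence from response bodies keyed by probe URL plus enumeration results."""
    ev = Evidence()
    for url in BACKDOOR_PROBES:
        if backdoor_answered(http_bodies.get(url, "")):
            ev.backdoor_paths.append(url)
    ev.open_shares = list(shares)
    ev.nimda_files = [f for f in files if f.lower() in NIMDA_FILES]
    return ev


def classify(ev: Evidence) -> tuple:
    """Return (verdict, confidence, reason).

    A reachable cmd.exe proves the host is compromised; it does not prove which
    worm (or person) left it, so it never yields an 'infected with X' verdict on
    its own.
    """
    if ev.nimda_files:
        return ("nimda_infected", "high",
                "Nimda-specific files present: " + ", ".join(ev.nimda_files))
    if ev.backdoor_paths and ev.open_shares:
        return ("nimda_suspected", "medium",
                "cmd.exe backdoor plus open shares; consistent with Nimda, unconfirmed")
    if ev.backdoor_paths:
        return ("backdoor_present", "medium",
                "cmd.exe reachable via " + ev.backdoor_paths[0]
                + "; Code Red II, Nimda or a manual intrusion could have left it")
    if ev.open_shares:
        return ("exposed", "low",
                "open shares only: an exposure, not evidence of infection")
    return ("clean", "high", "no indicators")


# Constructed sample data (not real scan output).
DIR_LISTING = (" Volume in drive C has no label.\n"
               " Directory of C:\\inetpub\\scripts\n"
               "09/18/01  03:12p        <DIR>          .\n")
NOT_FOUND = "<html><body>404 Not Found</body></html>"

HOSTS = {
    "10.0.0.5": {"http": {"/scripts/root.exe?/c+dir": DIR_LISTING}, "shares": [], "files": []},
    "10.0.0.6": {"http": {"/scripts/root.exe?/c+dir": DIR_LISTING}, "shares": ["C$"],
                 "files": ["readme.eml"]},
    "10.0.0.7": {"http": {}, "shares": ["public"], "files": []},
    "10.0.0.8": {"http": {"/scripts/root.exe?/c+dir": NOT_FOUND}, "shares": [], "files": []},
    "10.0.0.9": {"http": {"/MSADC/root.exe?/c+dir": DIR_LISTING}, "shares": ["C$", "D$"],
                 "files": []},
}


def scan_all(hosts=HOSTS) -> dict:
    """Classify every host; returns {ip: (verdict, confidence, reason)}."""
    return {ip: classify(collect(h["http"], h["shares"], h["files"]))
            for ip, h in hosts.items()}


if __name__ == "__main__":
    for ip, (verdict, conf, why) in scan_all().items():
        print(f"{ip:<10} {verdict:<17} [{conf}] {why}")
```

The design choice is that only Nimda-specific artifacts produce an "infected" verdict; a backdoor alone is reported as a compromise of unknown origin, and open shares alone as an exposure, which is the distinction the scanner's users were asking the report to make.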
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 08:31:05 PDT