There are some known issues when the checking mechanism relies on the
registry to verify the check. See Paul Schmehl's post on full-disclosure
for a bit more detail:

http://marc.theaimsgroup.com/?l=full-disclosure&m=105960468505722&w=2

--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Tue, 12 Aug 2003, Carter, Mike wrote:

> This is something that really worries me, I've heard it too.
> Also I am getting conflicting results when scanning for the patch
> installation. I've been using MBSA, GFI LANguard and Retina which all
> tell me something different.
> Which one should I trust??
> Or is there something else I should be using?
>
> Thanks
> Mike
>
> -----Original Message-----
> From: Charles Hamby [mailto:fixerat_private]
> Sent: Tuesday, August 12, 2003 5:13 PM
> To: incidentsat_private
> Subject: MSBLASTER Infecting despite 03-026 patch?
>
>
> I have seen, and have heard other reports of, msblaster.exe worm
> infecting a Windows computer that had the proper KB patch specified by
> the 03-026 advisory. In the instance I personally saw it was a Windows
> XP Professional workstation that was completely patched. The person who
> used the workstation was surprised that they were infected since they
> had applied the patch and I verified (via Add/Remove Programs) that they
> did, indeed, have the proper patch applied. I checked with my parent
> organization and they had been receiving sporadic reports of patched
> machines being infected despite being patched. Unfortunately I removed
> the worm from the computer without copying it so I don't have a backup
> of it for analysis.
>
>
>
> Has anyone else been seeing this phenomenon or do they have any idea why
> this might have or might be happening? I know for a fact the patch that
> was used came straight from Microsoft so I don't suspect a faulty patch.
>
>
> Charles Hamby
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 16:48:30 PDT