RE: MSBLASTER Infecting despite 03-026 patch?

From: Marc Maiffret (marcat_private)
Date: Thu Aug 14 2003 - 10:09:54 PDT


    Thanks for actually digging into the false positive to see the tool was
    working right. We get quite a lot of people that simply take everything at
    face value. Stuff like "I disabled DCOM but the tool says I am still
    vulnerable," but they "disabled DCOM" on Win2k sp0, sp1, sp2, and therefore it
    does not really disable it, so the tool is still correct.
    
    If you do find any valid problems though let us know as we definitely do not
    want bugs within the tool, but mistakes happen.
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    
    | -----Original Message-----
    | From: Jonathan Bloomquist [mailto:bocasolutionsat_private]
    | Sent: Wednesday, August 13, 2003 10:13 AM
    | To: incidentsat_private
    | Subject: RE: MSBLASTER Infecting despite 03-026 patch?
    |
    |
    | I have been using the Retina DCOM scanner and it is
    | working very well.  After patching some systems, they
    | still scanned as vulnerable.  On NT, we were using the
    | presence of the registry key
    | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823980
    | to verify that the workstations were patched, but I found a workstation
    | that had the registry key, but still scanned as vulnerable.
    |
    | Apparently something interfered with the installation
    | before the .dlls or .exe could be loaded but after the
    | registry key was created.  Repatching the affected
    | systems fixed them.
    |
    | This seemed to happen on workstations that were not up
    | to service pack 6a.  The hotfix would terminate and
    | the user would reboot without noticing the error.
    |
    | --- Marc Maiffret <marcat_private> wrote:
    | > I can't speak for the other tools but Retina's latest version of the check
    | > should be rather accurate. If you're having any problems though let me know.
    | >
    | > Signed,
    | > Marc Maiffret
    | > Chief Hacking Officer
    | > eEye Digital Security
    | > T.949.349.9062
    | > F.949.349.9538
    | > http://eEye.com/Retina - Network Security Scanner
    | > http://eEye.com/Iris - Network Traffic Analyzer
    | > http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    | >
    | > | -----Original Message-----
    | > | From: Carter, Mike [mailto:Mike_Carterat_private]
    | > | Sent: Monday, August 11, 2003 10:35 PM
    | > | To: Charles Hamby; incidentsat_private
    | > | Subject: RE: MSBLASTER Infecting despite 03-026 patch?
    | > |
    | > |
    | > | This is something that really worries me, I've heard it too.
    | > | Also I am getting conflicting results when scanning for the patch
    | > | installation. I've been using MBSA, GFI LANguard and Retina which all
    | > | tell me something different.
    | > | Which one should I trust??
    | > | Or is there something else I should be using?
    | > |
    | > | Thanks
    | > | Mike
    | > |
    | > | -----Original Message-----
    | > | From: Charles Hamby [mailto:fixerat_private]
    | > | Sent: Tuesday, August 12, 2003 5:13 PM
    | > | To: incidentsat_private
    | > | Subject: MSBLASTER Infecting despite 03-026 patch?
    | > |
    | > |
    | > | I have seen, and have heard other reports of, msblaster.exe worm
    | > | infecting a Windows computer that had the proper KB patch specified by
    | > | the 03-026 advisory.  In the instance I personally saw it was a Windows
    | > | XP Professional workstation that was completely patched.  The person who
    | > | used the workstation was surprised that they were infected since they
    | > | had applied the patch and I verified (via Add/Remove Programs) that they
    | > | did, indeed have the proper patch applied.  I checked with my parent
    | > | organization and they had been receiving sporadic reports of patched
    | > | machines being infected despite being patched.  Unfortunately I removed
    | > | the worm from the computer without copying it so I don't have a backup
    | > | of it for analysis.
    | > |
    | > | Has anyone else been seeing this phenomenon or do they have any idea why
    | > | this might have or might be happening? I know for a fact the patch that
    | > | was used came straight from Microsoft so I don't suspect a faulty patch.
    | > |
    | > | Charles Hamby
    | > |
    |
    |
    | =====
    | Jonathan Bloomquist, CISSP
    |
    
    
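The lesson of the thread is that a hotfix's registry entry only proves the installer ran far enough to write it, so a verification that also checks the binaries the hotfix replaces will catch the aborted installs Bloomquist describes. The PowerShell below is an added example written for this archive page, not a tool from eEye or from any poster; the Hotfix key path is the one quoted above, while the file paths and minimum versions are placeholders to be filled in from the hotfix's KB article for the platform being checked.

```powershell
# Added example for this archive page (not a tool from eEye or any poster):
# cross-check a hotfix's registry entry against the binaries it should have
# replaced, so an install that aborted after writing the key is not reported
# as "patched". The Hotfix key path is the one quoted in the thread; the file
# paths and minimum versions are PLACEHOLDERS to fill in from the KB article.
param(
    [string]$HotfixId  = 'Q823980',
    [string]$HotfixKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix',
    [hashtable]$ExpectedFiles = @{
        # PLACEHOLDER: patched file -> minimum file version after the hotfix
        "$env:SystemRoot\System32\PLACEHOLDER-patched-file.dll" = [version]'0.0.0.0'
    }
)
function Test-HotfixRegistryEntry {
    param([string]$Key, [string]$Id)
    # Only proves the installer ran far enough to write the key.
    Test-Path -LiteralPath (Join-Path $Key $Id)
}
function Get-HotfixFileStatus {
    param([hashtable]$Files)
    foreach ($path in $Files.Keys) {
        $item   = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $actual = $null
        if ($item) {
            # Build from the numeric parts: FileVersion strings on Windows
            # binaries often carry a trailing build tag that [version] rejects.
            $vi = $item.VersionInfo
            $actual = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                                $vi.FileBuildPart, $vi.FilePrivatePart)
        }
        [pscustomobject]@{
            Path     = $path
            Expected = $Files[$path]
            Actual   = $actual
            Ok       = ($null -ne $actual) -and ($actual -ge $Files[$path])
        }
    }
}

$regOk   = Test-HotfixRegistryEntry -Key $HotfixKey -Id $HotfixId
$status  = @(Get-HotfixFileStatus -Files $ExpectedFiles)
$filesOk = @($status | Where-Object { -not $_.Ok }).Count -eq 0
$status | Format-Table -AutoSize

if ($regOk -and $filesOk) { 'PATCHED: registry entry and file versions agree' }
elseif ($regOk)           { 'SUSPECT: registry entry present but files not updated; reinstall the hotfix' }
elseif ($filesOk)         { 'FILES UPDATED but no registry entry; check the installer log' }
else                      { 'NOT PATCHED' }
```

The SUSPECT branch is the case from the thread: the key exists, the binaries do not match, and the machine still scans as vulnerable until the hotfix is reapplied.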
    



    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 11:57:03 PDT