Re: [Plugins-writers] Comment on NID:11157

From: MadHat (madhat@private)
Date: Fri Apr 15 2005 - 07:59:30 PDT

On Apr 15, 2005, at 9:50 AM, Michel Arboi wrote:
> On Fri Apr 15 2005 at 16:39, MadHat wrote:
>> So, the better solution would be to fingerprint the port better,
>> identifying OfficeScan as what is running
> Right
>> and not alert on it if it _is_ a valid app?
> trojan_horses.nasl already does this. Unfortunately, this does not
> eliminate all false alerts.

Right, if it is able to identify the port, it does not report it 
(unless I misread the nasl script).  So find_service2 or one of the 
others need to identify it.  nmap-service-probes file states that a 
"Trend Micro OfficeScan antivirus update client" responds to a GET 
request with a Server type of "OfficeScan Client" but I am not sure if 
that is this client or not, since I do not have access to it.

> So this plugin is disabled if "avoid FP" is set.


Plugins-writers mailing list

This archive was generated by hypermail 2.1.3 : Fri Apr 15 2005 - 07:59:58 PDT