[Plugins-writers] Improving local checks

From: PaJohnston@private
Date: Mon Mar 27 2006 - 05:47:54 PST


Hi,

I've just run Nessus and Security Expressions against a bunch of Windows machines and done some analysis on the results. I was only interested in the Windows local checks. On the whole, Nessus had better coverage, e.g. finding Flash Player flaws. However, SE wins when it comes to identifying missing Windows patches. 

The main reason for this is that Nessus does not understand that some patches supersede others. I think I have mentioned this here before. I have an idea for fixing this, and I'd suggest starting with the recent cumulative IE patches (MS06-004, MS05-054, MS05-052, MS05-038, MS05-025 and MS05-020). Unfortunately I don't have time to implement and test this. The plan is: make plugins dependent on any plugins that supersede them (e.g. MS05-054 becomes dependent on MS06-004). This means removing some dependencies already listed, but I don't think that will cause a problem. Make plugins set a kb value if the patch is present (e.g. SMB/Hotfix/MS06-004). It seems some plugins do this already, but not all of them. Finally, add to the beginning of the plugin a check to see if the superseding patch is present. If it is, set the kb value to say the current patch is present, to support chains of superseded patches.

For MS04-044, Nessus failed to report this, because it looks at "Ntkrnlmp.exe" instead of "NToskrnl.exe". The box in question is a single processor system.

Another issue appeared for MS05-044, on a W2k box with IE6, but not IE-SP1. SE doesn't report it, as the patch is marked as affecting IE-SP1 only. Nessus does report it. I'm really not sure who's right here.

Also, local checks failed for two systems, without any apparent reason. I know the credentials are correct, and SE worked correctly. Unfortunately I didn't notice the failure until my testing window had passed.

Anyway, I hope sharing these results is useful to you.

Best wishes,

Paul

--
Paul Johnston
Technical Specialist Support Services
Group Information and IT Risk
HBOS Plc

PAJohnston@private
Desk:   0113-235-3071 (7581-53071)
Mobile: 07766-740756

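The three-step plan in the message (run the superseding plugin first, record presence in the KB, short-circuit when the superseder is already recorded) can be modelled outside Nessus to see why the chain handling matters. The following is an added illustration written for this archive page; it is not Nessus or NASL code and was not written by the poster. Plugins are plain Python functions, the knowledge base is a dict, the "installed" set stands in for the file-version checks a real local check performs, and the ordering of the six IE bulletins as a single linear supersession chain is an assumption taken from the message rather than verified against Microsoft's bulletin metadata. The KB name follows the SMB/Hotfix/MS06-004 form the message proposes.

```python
"""Model of the superseded-patch chain proposed on the Plugins-writers list.

Added example, not Nessus/NASL code.  The supersession order below is an
assumption based on the bulletins named in the message.
"""
from typing import Dict, List, Optional, Set

# Cumulative IE bulletins named in the message, newest first (assumed order).
IE_CUMULATIVE: List[str] = [
    "MS06-004", "MS05-054", "MS05-052", "MS05-038", "MS05-025", "MS05-020",
]

# Map each bulletin to the one that supersedes it; the newest has none.
# In a real plugin this relationship is what the script_dependencies() on
# the newer plugin would express.
SUPERSEDED_BY: Dict[str, Optional[str]] = {
    older: newer for newer, older in zip(IE_CUMULATIVE, IE_CUMULATIVE[1:])
}
SUPERSEDED_BY[IE_CUMULATIVE[0]] = None


def kb_key(bulletin: str) -> str:
    """KB entry name proposed in the message, e.g. SMB/Hotfix/MS06-004."""
    return f"SMB/Hotfix/{bulletin}"


def schedule(bulletins: List[str]) -> List[str]:
    """Order plugins so that every superseding plugin runs before the one it
    supersedes (a depth-first walk up the chain)."""
    order: List[str] = []
    seen: Set[str] = set()

    def visit(b: str) -> None:
        if b in seen:
            return
        seen.add(b)
        newer = SUPERSEDED_BY.get(b)
        if newer:
            visit(newer)
        order.append(b)

    for b in bulletins:
        visit(b)
    return order


def run_plugin(bulletin: str, installed: Set[str], kb: Dict[str, bool],
               honour_supersession: bool = True) -> str:
    """One plugin run.  Returns 'superseded', 'installed' or 'missing'."""
    newer = SUPERSEDED_BY.get(bulletin)
    # Step 3 of the plan: if the superseding patch is already in the KB,
    # treat this bulletin as present and record that, so the next link in
    # the chain sees it too.
    if honour_supersession and newer and kb.get(kb_key(newer)):
        kb[kb_key(bulletin)] = True
        return "superseded"
    # Step 2: the real check (file versions on a real host; a set here).
    if bulletin in installed:
        kb[kb_key(bulletin)] = True
        return "installed"
    return "missing"


def scan(installed: Set[str], honour_supersession: bool = True) -> Dict[str, str]:
    """Run all plugins in dependency order against a shared KB."""
    kb: Dict[str, bool] = {}
    return {b: run_plugin(b, installed, kb, honour_supersession)
            for b in schedule(IE_CUMULATIVE)}


def missing(installed: Set[str], honour_supersession: bool = True) -> List[str]:
    """Bulletins a scanner would report as missing."""
    return [b for b, s in scan(installed, honour_supersession).items()
            if s == "missing"]


if __name__ == "__main__":
    # Constructed host: only MS05-052 applied.  Without the chain logic the
    # three older cumulative patches are reported although they are covered.
    host = {"MS05-052"}
    print("with supersession:   ", missing(host))
    print("without supersession:", missing(host, honour_supersession=False))
```

Running it against a constructed host that has only MS05-052 applied reports MS06-004 and MS05-054 as missing with the chain logic, and all five bulletins other than MS05-052 without it. The short-circuit in run_plugin only helps if the newer plugin reliably writes its KB entry, which is why the message's second step (every plugin sets SMB/Hotfix/<bulletin> when the patch is found) is a prerequisite for the third.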

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers



This archive was generated by hypermail 2.1.3 : Mon Mar 27 2006 - 05:57:29 PST