[Plugins-writers] Re: Improving local checks

From: Renaud Deraison (deraison@private)
Date: Mon Mar 27 2006 - 06:26:48 PST


Hi,

On Mar 27, 2006, at 8:47 AM, PaJohnston@private wrote:

> The main reason for this is that Nessus does not understand that
> some patches supersede others.

Actually, Nessus does understand patches being superseded and has
provisions for that. However, in the case of the advisories you're
pointing out, this provision was not done -- it's now fixed, thanks.

It's also worth noting that this problem would not happen if you had
given Nessus credentials to connect to and read C$ (i.e., administrator).


>
> For MS04-044, Nessus failed to report this, because it looks at  
> "Ntkrnlmp.exe" instead of "NToskrnl.exe". The box in question is a  
> single processor system.

Thanks, this is fixed as well. However, note that this check was only
used for NT4, which is now unsupported by Microsoft. There are many
unpatched flaws in this version.


>
> Another issue appeared for MS05-044, on a W2k box with IE6, but not  
> IE-SP1. SE doesn't report it, as the patch is marked as affecting  
> IE-SP1 only. Nessus does report it. I'm really not sure who's right  
> here.

We will investigate this. Once again, the best way to be sure is to  
use admin credentials which can then get the exact version of the  
affected DLL (instead of relying on the registry).

>
> Also, local checks failed for two systems, without any apparent  
> reason. I know the credentials are correct, and SE worked  
> correctly. Unfortunately I didn't notice the failure until my  
> testing window had passed.


Please send us a full pcap capture of the scan of these hosts.



Thanks,

						-- Renaud
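
The two ideas in the reply above (supersedence handling, and preferring the file version over the registry when credentials allow), sketched as an added example. It is not Nessus plugin code and not part of the original message; the hotfix identifiers, version numbers and function names are constructed placeholders, and it assumes a fixed file always carries a version at or above the stated one.

```python
# Constructed data: hotfix identifiers below are placeholders, not real KBs.
SUPERSEDED_BY = {          # hotfix -> hotfixes that replace it
    "KB-A": ["KB-B"],
    "KB-B": ["KB-C"],
    "KB-C": [],
}

def parse_version(text):
    """'5.0.2195.7000' -> (5, 0, 2195, 7000) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def covering_hotfixes(hotfix, superseded_by):
    """Return the hotfix plus everything that transitively supersedes it."""
    seen, stack = set(), [hotfix]
    while stack:
        current = stack.pop()
        if current in seen:      # guards against a cyclic table
            continue
        seen.add(current)
        stack.extend(superseded_by.get(current, []))
    return seen

def check_patch(hotfix, fixed_version, registry_hotfixes, file_version=None,
                superseded_by=SUPERSEDED_BY):
    """Return (status, evidence); status is 'patched' or 'missing'.

    file_version is the version string read from the affected file over the
    admin share, or None when the scan account cannot read it.
    """
    if file_version is not None:
        # Preferred evidence: the binary on disk, whatever the registry says.
        ok = parse_version(file_version) >= parse_version(fixed_version)
        return ("patched" if ok else "missing", "file")
    # Fallback: registry record of the hotfix or of any superseding hotfix.
    installed = covering_hotfixes(hotfix, superseded_by) & set(registry_hotfixes)
    return ("patched" if installed else "missing", "registry")
```

With only registry evidence, a host that has KB-C recorded is treated as patched for KB-A; with a readable file, a stale binary is reported as missing even if the registry lists the hotfix.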