Security Basics mailing list archives

RE: Backported patches - vulnerability scanning


From: "Sergile, Alain (ISS Atlanta)" <asergile () iss net>
Date: Fri, 9 Jan 2004 12:02:14 -0500

Eric, good luck,

Most scanners depend on banners for revision checks, and/or run
behavioral checks (checks that can distinguish b/w an unpatched and
patched system based on the response received) to determine version.
Unfortunately, as you mentioned, patches typically do not update the rev.
of the app/OS in the banner, and in these cases behavioral checks tend to
be more accurate if available. Unfortunately behavioral checks may not
be feasible. FP's on banners tend to be more relevant for *NIX
platforms. As much as M$ gets bashed, they do a good job of updating the
information on their systems, whether it be in the banner, dll or
registry; the issue then becomes whether or not a scanner is able to
access that information in M$. When scanning a Windows box with a
scanner, the best results occur when you have admin access to the
machines being scanned, which can be difficult to get in many corp.
environments. Admin access allows the scanner to look in the registry
and access the pertinent .dll's to look at file versions. Short answer:
there isn't a scanner that doesn't FP on backported daemons when
looking at banners.

I will defer to others in this group to discuss how their security
teams manage the issue.

Alain Sergile
Internet Security Systems

-----Original Message-----
From: Eric Appelboom [mailto:eric () mweb com] 
Sent: Friday, January 02, 2004 2:43 AM
To: security-basics () securityfocus com
Subject: Backported patches - vulnerability scanning



Hi,

I am looking for a scanner that does not false positive on daemons that
have been backported (patched) and still keep the same banner versions.

How do security teams keep track of what is current or backported as I
am finding it a problem.

One solution of course is to have a policy to always use current
released builds in Production. (cough)

Any other ideas?
Cheers
Eric
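As an added illustration of the two check styles Alain describes above (this is example code written for this page, not anything from the thread, from ISS or from any scanner product): a banner-only check compares just the advertised upstream version, so a daemon whose fix was backported into the vendor package still looks vulnerable, while a credentialed check that reads the vendor package version, packaging revision included, does not. All version strings, the package name and the "fixed" values are constructed placeholders, not real advisory data.

```python
import re

# Constructed sample data for this example: the version numbers are
# illustrative placeholders, not taken from any real advisory.
FIXED_UPSTREAM = "3.8"          # first upstream release containing the fix
FIXED_PACKAGE = {               # vendor package version that backported the fix
    "openssh-server": "3.7.1p2-3",
}

def version_tuple(v):
    """Turn a version such as '3.7.1p2' into a comparable tuple (3, 7, 1, 2).
    Assumption: version strings are integers separated by dots or letters."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def banner_check(banner):
    """Unauthenticated check: judge only by the upstream version the daemon
    advertises. A backported fix leaves that number unchanged, so this check
    reports 'vulnerable' (a false positive). Returns None if no version is seen."""
    m = re.search(r"OpenSSH_([\w.]+)", banner)
    if not m:
        return None
    return version_tuple(m.group(1)) < version_tuple(FIXED_UPSTREAM)

def package_check(pkg, installed):
    """Credentialed check: compare the installed vendor package version,
    including its packaging revision after the '-', with the vendor's fixed
    version. This is the kind of data admin/root access lets a scanner read."""
    up, _, rev = installed.partition("-")
    fixed_up, _, fixed_rev = FIXED_PACKAGE[pkg].partition("-")
    installed_key = (version_tuple(up), version_tuple(rev))
    fixed_key = (version_tuple(fixed_up), version_tuple(fixed_rev))
    return installed_key < fixed_key

def assess(banner, pkg, installed):
    """Report both views side by side so the banner false positive is visible."""
    return {"banner_says_vulnerable": banner_check(banner),
            "package_says_vulnerable": package_check(pkg, installed)}

if __name__ == "__main__":
    # Constructed host: old upstream number in the banner, but the vendor
    # package already carries the backported fix in packaging revision 3.
    host_banner = "SSH-2.0-OpenSSH_3.7.1p2 Debian-3"
    print(assess(host_banner, "openssh-server", "3.7.1p2-3"))
```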



