Security Basics mailing list archives
RE: Backported patches - vulnrability scanning
From: "Sergile, Alain (ISS Atlanta)" <asergile () iss net>
Date: Fri, 9 Jan 2004 12:02:14 -0500
Eric,

Good luck. Most scanners depend on banners for revision checks, and/or run behavioral checks (checks that can distinguish b/w an unpatched and patched system based on the response received) to determine version. Unfortunately, as you mentioned, patches typically do not update the rev. of the app/OS in the banner, and in these cases behavioral checks tend to be more accurate if available. Unfortunately behavioral checks may not be feasible. FP's on banners tend to be more relevant for *NIX platforms. As much as M$ gets bashed, they do a good job of updating the information on their systems whether it be in the banner, dll or registry; the issue then becomes whether or not a scanner is able to access that information in M$. When scanning a Windows box with a scanner the best results occur when you have admin access to the machines being scanned, which can be difficult to get in many corp. environments. Admin access allows the scanner to look in the registry and access the pertinent .dll's to look at file versions.

Short answer, there isn't a scanner that doesn't FP on back ported daemons when looking at banners. I will defer to others in this group to discuss how their security teams manage the issue.

Alain Sergile
Internet Security Systems

-----Original Message-----
From: Eric Appelboom [mailto:eric () mweb com]
Sent: Friday, January 02, 2004 2:43 AM
To: security-basics () securityfocus com
Subject: Backported patches - vulnrability scanning

Hi,

I am looking for a scanner that does not false positive on daemons that have been back ported (patched) and still keep the same banner versions. How do security teams keep track of what is current or backported, as I am finding it a problem?

One solution of course is to have a policy to always use current released builds in production. (cough)

Any other ideas?

Cheers
Eric
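One way to triage banner-based findings on a host that carries backported fixes, as an added example that is not part of the original thread. It assumes an RPM-based host whose package changelog (the text `rpm -q --changelog <package>` prints) names the advisories fixed; the hosts, banner, advisory ids and changelog text below are constructed placeholders.

```python
import re

# Constructed sample: changelog text in the style of `rpm -q --changelog`,
# with placeholder advisory ids (not real CVE entries).
CHANGELOG = """\
* Mon Dec 01 2003 Vendor Security <security@vendor.example> 1.3.27-5
- backport fix for CVE-0000-0001 (overflow in request parser)
* Tue Oct 14 2003 Vendor Security <security@vendor.example> 1.3.27-4
- security fix: CAN-0000-0002
"""

# Constructed sample: findings a scanner raised purely from the version banner.
FINDINGS = [
    {"host": "192.0.2.10", "banner": "ExampleHTTPD/1.3.27", "id": "CVE-0000-0001"},
    {"host": "192.0.2.10", "banner": "ExampleHTTPD/1.3.27", "id": "CAN-0000-0002"},
    {"host": "192.0.2.10", "banner": "ExampleHTTPD/1.3.27", "id": "CVE-0000-0003"},
]

ID_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b", re.IGNORECASE)


def normalize(advisory_id):
    """Treat candidate (CAN-) and assigned (CVE-) names as the same entry."""
    return advisory_id.upper().replace("CAN-", "CVE-", 1)


def fixed_ids(changelog):
    """Advisory ids the vendor changelog records as fixed in this package."""
    return {normalize(m) for m in ID_RE.findall(changelog)}


def triage(findings, changelog):
    """Split banner findings into 'fix recorded by vendor' and 'verify'."""
    fixed = fixed_ids(changelog)
    result = []
    for finding in findings:
        recorded = normalize(finding["id"]) in fixed
        status = "backported-fix-recorded" if recorded else "verify"
        result.append({**finding, "status": status})
    return result


if __name__ == "__main__":
    for row in triage(FINDINGS, CHANGELOG):
        print(row["host"], row["banner"], row["id"], row["status"])
```

A changelog entry shows that the fixed package is installed, not that the running daemon was restarted from it, so findings marked as recorded still merit a process check.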
Current thread:
- Backported patches - vulnrability scanning Eric Appelboom (Jan 02)
- <Possible follow-ups>
- RE: Backported patches - vulnrability scanning Sergile, Alain (ISS Atlanta) (Jan 09)
- RE: Backported patches - vulnrability scanning Kevin Johnson (Jan 12)