Security Incidents mailing list archives

RE: New Version of Retina Nimba Scanner


From: bparis () sorrentolactalis com
Date: Fri, 21 Sep 2001 16:09:41 -0400

I'm seeing false positives from boxes that are sharing out their attached HP
printers.

Although the false positives were a little annoying, the tool did reveal
some shares that were infected with Nimda that we had first missed with
other tools.

William S. Paris
Telecommunication/Network Analyst
Sorrento Lactalis Inc.
bparis () sorrentolactalis com


I just ran this scanner and am picking up more false positives than real
infections. Not only did it pick up all my Macs (they aren't even running
Dave or have any SMB shares), it picked up my indigo and my Snap Server
(tell me how a snap server gets infected by this?). I realize that
diagnosing these things is a shot in the dark - but, telling me "open
guest share" when the machine is not sharing anything (or even listening
on 139) is kinda a misnomer and a cause for panic (130 "infected" out of
253 possible)...anyone else seen this kind of false positive from the
scanner?

-John Stauffacher
