Security Incidents mailing list archives

RE: New Version of Retina Nimba Scanner


From: "Marc Maiffret" <marc () eeye com>
Date: Tue, 25 Sep 2001 07:43:27 -0700

just as a heads up guys... I just got back from Japan and have been going
through the retina nimda scanner with the guys here and we're cleaning it up
to make it MUCH more accurate (i.e. fewer false positives) and we should have
a new version out today. the documentation will more clearly explain the
results which was where some got confused.

sorry for the inconvenience.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: ck () localhost arch bellsouth net
| [mailto:ck () localhost arch bellsouth net]On Behalf Of Christian Kuhtz
| Sent: Sunday, September 23, 2001 5:13 PM
| To: Andrew Calo
| Cc: info; incidents () securityfocus com; security-basics () securityfocus com
| Subject: Re: New Version of Retina Nimba Scanner
|
|
|
| This is no different than eEye's CodeRed scanner which didn't give you a
| trustworthy indication whether CodeRedII was actually present.  It would
| recognize the cmd.exe backdoor and whine about CR2 being present, which wasn't
| necessarily true at all (various other exploits created the same backdoors).
|
| Given the difficulty in detecting an infection with high confidence, more
| accurate reporting would go a long ways to improving the credibility of these
| scan tools.
|
| Andrew Calo wrote:
| >
| > This scanner reports many boxes that aren't infected as infected. Terribly
| > deceiving.
| >
| > At 05:31 PM 9/20/2001 -0700, info wrote:
| > >A new version of Nimda Scanner has just been posted to the eEye web site
| > >that will also detect open shares on systems which is a common trait of an
| > >infection.
| > >
| > >http://www.eeye.com/html/Research/Tools/nimda.html
| > >
| > >Signed,
| > >eEye Digital Security
| > >T.949.349.9062
| > >F.949.349.9538
|


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

