Educause Security Discussion mailing list archives

Re: Conflicker/NMAP


From: David Boyer <David () BVU EDU>
Date: Tue, 31 Mar 2009 09:33:23 -0500

We've had zero positives with NMAP so far. However, all of our clients
are part of our WSUS distribution and would have been patched in October.
Also, we run Windows Firewall which would have blocked the infection
even on unpatched systems. Most of the antivirus vendors and perimeter
security devices seem to have released signatures to block the infection
several months ago. MRT added definitions for Conficker in January,
which we also push out with WSUS.

In other words, in places where the systems have been kept reasonably
up to date and where the proper ports haven't been wide-open at the
perimeter, it seems typical that you won't see a lot of infections, or
perhaps any.

If you have centralized antivirus with decent reporting, you ought to
be able to correlate your NMAP findings with discoveries of Conficker.
Our AV software also lets us know which clients are receiving updates,
etc., so we can also confirm that our AV software is working properly.

"Consolvo, Corbett D" <cc72 () TXSTATE EDU> 9:21 AM 3/31/2009 >>>

I realize many folks may not want to answer this, but has anyone had
many positives/infections with the released nmap scan for Conficker?
So far we seem to be coming up clean and many other folks I’ve talked to
or emailed with have come up clean as well. I’m just concerned about
the possibility of false negatives. Of course, the problem may not be
particularly widespread except in the eyes of some media outlets.

Thanks,
Corbett Consolvo
Texas State University
