RE: RE: Probable new MS DCOM RPC worm for Windo ws

["Ferris, Robin" <R.Ferris () napier ac uk>]

I have not yet verified if the files were installed or not and thats a very
good point. I didnt and still dont know what files it changed or installed
for the ms03-026. What are they?

However the eeye scanner has always proved to be correct thus far, in all
the cases that I have tried it on. As we use a standard image here it would
be odd that the patch is "ineffective" in that configuration (PATH?) I think
it is because the patch as has been noted is not always effective. 

RF

-----Original Message-----
From: Gary Flynn [mailto:flynngn () jmu edu]
Sent: 26 September 2003 14:06
To: 'full-disclosure () lists netsys com'
Subject: Re: [Full-disclosure] RE: Probable new MS DCOM RPC worm for
Windo ws


I would think a better way of determining if a patch is actually
installed on a system is by examining the files on the system rather
than to depend upon symptoms (scanners) or installation logs (registry
entries).

If the add/remove software control panel, registry, or
msi say the machine is patched but the files aren't
there, an installation problem occurred.

If the scanners say the machine is not patched but the
files are there then either the patch is ineffective in
that machine's particular configuration (PATH?) or the
scanner is generating a false positive.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html