RE: RE: Probable new MS DCOM RPC worm for Windo ws

["Schmehl, Paul L" <pauls () utdallas edu>]

> -----Original Message-----
> From: Jerry Heidtke [mailto:jheidtke () fmlh edu] 
> Sent: Friday, September 26, 2003 10:33 AM
> To: Schmehl, Paul L; full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] RE: Probable new MS DCOM RPC 
> worm for Windo ws
>
> No one is going to manually touch 2000+ machines (unless 
> you're a consultant and you get paid by the hour). That's why 
> there're tools to check whether the file properties are 
> correct for a particular hot fix.
>
> For example, Microsoft Baseline Security Analyzer (free),

Sorry, don't trust it and don't like it.

> GFI Languard Network Security Scanner (inexpensive),

Using it.

> Shavlik HFNetcheckPro (expensive),

Not using it.

> and Microsoft SMS (with SU feature pack) (very expensive)

Using both it and SUS.

> will all do file version and/or 
> checksum calculations to verify that a particular file is 
> what should be there to consider a patch to be installed. 
> Some of these will even automatically deploy the patches to 
> machines that are missing them.

All of which I am already aware of, and much of which we are already
using.  If you read my post about this, then you already know that I'm
using ISS, Retina and Languard as well as the MS KB824146 scanner to
check for patch compliance.

So I'm not quite sure what you point is.

Gary suggested checking file properties and I *assumed* he meant for
every machine.  He has now clarified that he meant machines that are
questionable.

Now, as to whether or not I'm negligent as a
professional...well...opinions are like other things that humans have -
each one is unique.  :-)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html