Nmap Development mailing list archives

Re: False positives on antivirus


From: David Fifield <david () bamsoftware com>
Date: Fri, 12 Feb 2010 13:47:45 -0700

On Tue, Feb 02, 2010 at 05:02:19PM -0800, Fyodor wrote:
> On Thu, Jan 28, 2010 at 09:57:15AM -0600, Ron wrote:
> 
> > 2. Encrypt the file properly
> > --> No reason that it wouldn't work (though I've said that before and was very wrong ;) )
> > --> Dependency on OpenSSL (dependency already exists)
> > --> Will take me awhile to implement (I'm going to be rather busy for the next month or so)
> > 
> > 3. Include the file separately
> > --> The most obvious solution
> > --> Adds some burden to the user, but it would be minimal
> > --> Could run into versioning pains (though I can't see it being updated too much)
> > 
> > Right now, I propose we go with #3, at least for the short
> > term. I've attached a patch that'll do exactly that (with the URL
> > blocked out with TODO for now). It'd probably be a good idea to tweak
> > the output a bit, but this is what it does right now:

> That sounds good.  David is going to apply this, maybe with a few
> changes.  For example, we probably want to show the message in
> "verbose" mode rather than just debugging, so users w/o -d still know
> why the script doesn't work.  If this was a permanent solution, we'd
> probably fix it so that the message is only printed the first time
> smb-psexec produces output.  That might actually be a neat library
> function to have.  It would presumably check if a registry field
> exists which says a note has already been printed, then if not it
> would take a mutex, check the field again to avoid a race condition,
> then set the field and add the note to the output.
> 
> But I agree with Ron that in this case, the
> encrypt-the-file-and-remove-the-exe extension is probably a better
> approach.  So we'll probably just leave the note in for verbose mode
> for now.  And hopefully Ron will get a chance to resolve this before
> the next release.

I committed Ron's patch. The location to download nmap_service.exe is
http://nmap.org/psexec/nmap_service.exe.

I made one other change. The script first checks if it's dealing with
the XOR-encoded version of the file, and decodes it if so. The reason
for this is that there will be people (me included) who have the
XOR-encoded version left on their hard drive from the 5.21 release.
There will be others who download the unmodified version from nmap.org.
It certainly wouldn't work to upload the XOR-encoded version unmodified,
so we have to check for it, and rather than throw an error, I figure we
can just let the script keep using it.

Ron, I need your advice about something. What is the best way to make
the message be printed in verbose mode (not require debugging)? The
debugging() < 1 check is hard-coded in stdnse.format_output, and I can't
find a good way to return an error message from get_config such that it
can be handled specially.

David Fifield
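The "check whether it is the XOR-encoded copy and decode it if so" step David describes above, written out as an added example in Lua (the language of NSE scripts). This is not the smb-psexec code from the commit; the page does not say how the script tells the two variants apart or what constant the 5.21 release XORed with, so detection by the PE "MZ" signature and the key value 0xFF are both assumptions made here. Lua 5.3 or later (as bundled with Nmap) is needed for the `~` operator.

```lua
-- Added example, not the smb-psexec implementation.
-- ASSUMPTION: the 5.21 release obscured nmap_service.exe by XORing every
-- byte with one constant. The real constant is not on the page; 0xFF is a
-- placeholder.
local XOR_KEY = 0xFF
-- ASSUMPTION: a usable copy is recognised by the DOS/PE "MZ" signature.
local PE_MAGIC = "MZ"

-- XOR every byte of a string with a single key byte (Lua 5.3+ "~").
local function xor_bytes(data, key)
  return (data:gsub(".", function(c)
    return string.char(string.byte(c) ~ key)
  end))
end

-- Return the plain PE contents plus a label saying which variant was seen,
-- or nil and an error message when the buffer is neither one. Refusing
-- unknown input matters: uploading an undecodable blob would fail on the
-- target anyway, and a clear message is better than a confusing failure.
local function normalize_service_exe(data)
  if data:sub(1, 2) == PE_MAGIC then
    return data, "unmodified"        -- fresh download from nmap.org
  end
  local decoded = xor_bytes(data, XOR_KEY)
  if decoded:sub(1, 2) == PE_MAGIC then
    return decoded, "xor-decoded"    -- leftover from the 5.21 release
  end
  return nil, "nmap_service.exe is neither a PE file nor the XOR-encoded copy"
end

-- Constructed sample inputs standing in for the real file contents.
local plain = "MZ" .. string.rep("\0", 6)
local encoded = xor_bytes(plain, XOR_KEY)      -- how 5.21 would have shipped it
local garbage = string.rep("\1", 8)

for _, sample in ipairs({plain, encoded, garbage}) do
  local out, why = normalize_service_exe(sample)
  print(out and ("ok: " .. why) or ("error: " .. why))
end
```

In the script itself `data` would be the contents read from the file on disk, and the error path is where Ron's "download it from the URL" note belongs.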
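The print-a-note-only-once library function Fyodor sketches above (check a registry field, take a mutex, re-check, set the field, emit the note), and David's wish to have it appear at verbose rather than debug level, as an added example. This is not an existing Nmap library routine; `note_once` is a hypothetical helper, while `nmap.registry`, `nmap.mutex` and `stdnse.verbose` are the real NSE APIs (the last one from the current stdnse, not the 2010 version).

```lua
local nmap = require "nmap"
local stdnse = require "stdnse"

-- Hypothetical helper (added example): print a note at most once per Nmap
-- run, even when many script threads (one per target host) reach this point
-- at the same time.
local function note_once(key, message)
  -- Creating the table is safe without the lock: no yield can happen
  -- between the read and the write of this one statement.
  nmap.registry.notes_printed = nmap.registry.notes_printed or {}

  -- Fast path: some other thread already printed this note.
  if nmap.registry.notes_printed[key] then
    return false
  end

  -- A thread may yield between that check and the assignment below (for
  -- example if printing ever did I/O), so serialise on a mutex and re-check
  -- the field once the lock is held.
  local mutex = nmap.mutex("note_once")
  mutex "lock"
  local first = not nmap.registry.notes_printed[key]
  if first then
    nmap.registry.notes_printed[key] = true
    -- Verbose, not debug, so users without -d still see why the script
    -- is not doing anything.
    stdnse.verbose(1, "%s", message)
  end
  mutex "done"
  return first
end

-- Usage from a script action, e.g. in smb-psexec before giving up:
--   note_once("psexec-service-exe",
--     "nmap_service.exe is not bundled; download it from " ..
--     "http://nmap.org/psexec/nmap_service.exe")
return note_once
```

Printing through `stdnse.verbose` sidesteps the problem David raises with `stdnse.format_output`: the note never travels through the script's return value, so the `debugging() < 1` check there does not apply to it.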
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/