Nmap Development mailing list archives
Re: False positives on antivirus
From: David Fifield <david () bamsoftware com>
Date: Fri, 12 Feb 2010 13:47:45 -0700
On Tue, Feb 02, 2010 at 05:02:19PM -0800, Fyodor wrote:

> On Thu, Jan 28, 2010 at 09:57:15AM -0600, Ron wrote:
>
> > 2. Encrypt the file properly
> >    --> No reason that it wouldn't work (though I've said that before and was very wrong ;) )
> >    --> Dependency on OpenSSL (dependency already exists)
> >    --> Will take me awhile to implement (I'm going to be rather busy for the next month or so)
> >
> > 3. Include the file separately
> >    --> The most obvious solution
> >    --> Adds some burden to the user, but it would be minimal
> >    --> Could run into versioning pains (though I can't see it being updated too much)
> >
> > Right now, I propose we go with #3, at least for the short term. I've attached a patch that'll do exactly that (with the URL blocked out with TODO for now). It'd probably be a good idea to tweak the output a bit, but this is what it does right now:
>
> That sounds good. David is going to apply this, maybe with a few changes. For example, we probably want to show the message in "verbose" mode rather than just debugging, so users w/o -d still know why the script doesn't work.
>
> If this was a permanent solution, we'd probably fix it so that the message is only printed the first time smb-psexec produces output. That might actually be a neat library function to have. It would presumably check if a registry field exists which says a note has already been printed, then if not it would take a mutex, check the field again to avoid a race condition, then set the field and add the note to the output.
>
> But I agree with Ron that in this case, the encrypt-the-file-and-remove-the-exe extension is probably a better approach. So we'll probably just leave the note in for verbose mode for now. And hopefully Ron will get a chance to resolve this before the next release.
I committed Ron's patch. The location to download nmap_service.exe is http://nmap.org/psexec/nmap_service.exe.

I made one other change. The script first checks if it's dealing with the XOR-encoded version of the file, and decodes it if so. The reason for this is that there will be people (me included) who have the XOR-encoded version left on their hard drive from the 5.21 release. There will be others who download the unmodified version from nmap.org. It certainly wouldn't work to upload the XOR-encoded version unmodified, so we have to check for it, and rather than throw an error, I figure we can just let the script keep using it.

Ron, I need your advice about something. What is the best way to make the message be printed in verbose mode (not require debugging)? The debugging() < 1 check is hard-coded in stdnse.format_output, and I can't find a good way to return an error message from get_config such that it can be handled specially.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
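The "print a note only once per scan" library function Fyodor sketches above (check a registry flag, take a mutex, re-check, set the flag, emit the note) can be written as a small NSE module. The following is an added example illustrating that design; it is not code from the thread or from Nmap's own libraries. It uses the real NSE facilities `nmap.registry` (a Lua table shared by all script threads in a scan) and `nmap.mutex` (which returns a lock function accepting "lock" and "done"); the module name `note_once`, the registry slot `notes_printed` and the mutex name are assumptions chosen for this example.

```lua
-- note_once: emit a given note the first time any script thread asks for it
-- during a scan. Example code written for this thread, not part of Nmap.
local nmap = require "nmap"

local _M = {}

-- Per-scan flags live in nmap.registry, which every script thread can see.
-- The slot name "notes_printed" is an assumption for this example.
nmap.registry.notes_printed = nmap.registry.notes_printed or {}

-- One mutex guards the flag table so that two threads that both observe
-- "not printed yet" cannot both go on to emit the note.
local mutex = nmap.mutex("note_once_registry")

-- Returns `text` the first time `key` is requested in this scan, nil
-- afterwards. Callers append the returned string to their script output.
function _M.note_once(key, text)
  -- Fast path without the lock: after the first caller, the flag is set and
  -- every later caller can leave immediately.
  if nmap.registry.notes_printed[key] then
    return nil
  end

  mutex "lock"
  -- Re-check under the lock: another thread may have set the flag between
  -- our unlocked test and acquiring the mutex (the race Fyodor mentions).
  local first = not nmap.registry.notes_printed[key]
  if first then
    nmap.registry.notes_printed[key] = true
  end
  mutex "done"

  if first then
    return text
  end
  return nil
end

-- Convenience wrapper: only hand back the note at verbosity >= 1, so the
-- message reaches users running -v without requiring -d. nmap.verbosity()
-- is the real NSE call; its use here is this example's suggestion.
function _M.verbose_note_once(key, text)
  if nmap.verbosity() < 1 then
    return nil
  end
  return _M.note_once(key, text)
end

return _M
```

A script such as smb-psexec would call `note_once.verbose_note_once("smb-psexec-nmap_service", "nmap_service.exe is not bundled; download it from ...")` when the file is missing and prepend the result, if non-nil, to its output; the second and later hosts in the same scan then produce no duplicate note.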
Current thread:
- False positives on antivirus Ron (Jan 28)
- Re: False positives on antivirus Michael Pattrick (Jan 28)
- Re: False positives on antivirus Ron (Jan 28)
- Re: False positives on antivirus Fyodor (Jan 28)
- Re: False positives on antivirus Ron (Jan 29)
- Re: False positives on antivirus DePriest, Jason R. (Jan 29)
- Re: False positives on antivirus Brandon Enright (Jan 29)
- Re: False positives on antivirus Fyodor (Jan 29)
- Re: False positives on antivirus Ron (Jan 29)
- Re: False positives on antivirus Fyodor (Jan 29)
- Re: False positives on antivirus Michael Pattrick (Jan 28)
- Re: False positives on antivirus David Fifield (Feb 12)
- Re: False positives on antivirus Ron (Feb 12)
- Re: False positives on antivirus David Fifield (Mar 03)