RE: Vulnerability Scanning

["Rob Shein" <shoten () starpower net>]

One thing I'm running into where I am right now is a situation where patches
have been applied in a non-chronological order.  As a result, in some cases
the older patch has replaced files from a newer patch, and so the system is
vulnerable despite appearing to be current on patches.  We're now going
around and re-patching, using all necessary patches in the correct order,
but ultimately the situation explained why we were showing vulns on systems
that were 'patched'.

> -----Original Message-----
> From: wirepair [mailto:wirepair () roguemail net] 
> Sent: Friday, February 27, 2004 2:39 PM
> To: pen-test () securityfocus com
> Subject: Vulnerability Scanning
>
>
> lo all,
> After reviewing some scan results and finding a number of 
> false positives from nessus (primarly in XP hosts), I began 
> to become a 
> bit more concerned than I already was.
> This is in no way reflecting upon nessus's ability to find 
> vulnerabilities and I truely believe all scanners have these 
> issues. The question is, what does everyone else do about 
> this? Obviously scanners are never going to be 100% accurate. 
> So I started to think of ways of checking if these 
> vulnerabilities exist or not. First using a known exploit 
> obviously gives a more accurate analysis, but known exploits 
> aren't always available. Yes I can write my own for said 
> vulnerability but sometimes this isn't 
> exactly
> possible, for instance some vulnerabilities require a user to 
> say click on a malicious link, which isn't always feasible 
> when testing 300 workstations. So what else can we do? Check 
> the registry manually, this is an option but very time 
> consuming, does anyone actually do this??? At this point I 
> believe I'm going to have to start trying. Does anyone simply 
> say, some of these are false positives and we can't do 
> anything about it? I highly doubt a client will like to hear 
> that. Also some vulnerabilities are simply too dangerous, 
> windows vulnerabilities in particular that can cause the host 
> to reboot. Not every vulnerability is 
> perfectly
> exploited. So what are the other options people use/feel 
> comfortable with? Thanks for any responses... -wire
>   
> --
> Visit Things From Another World for the best
> comics, movies, toys, collectibles and more. 
> http://www.tfaw.com/?qt=wmf
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------


---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at 
http://www.securityfocus.com/sponsor/Astaro_pen-test_040201
----------------------------------------------------------------------------