I ran Internet Scanner this a.m. with a policy that contained only a check for MssqlMs02039Patch. I ran it on a test domain that has two boxes running SQL Server 2000 Sp2 unpatched. I am both a Domain Admin and local machine Admin on each box on this domain. I received a false negative from IS (no vulnerabilities). I ran a scan of the same IP range with Retina's freeware scanner for the SQL Slammer Worm and the two boxes showed up as vulnerable. I am up-to-date with X-Press Updates. Go figure. Perhaps ISS should include a new X-Press Update that checks specifically for open UDP and TCP ports 1433 and 1434.
Ron McNamara <>< [EMAIL PROTECTED] 410-966-4135 -----Original Message----- From: Rouland, Chris (ISSAtlanta) [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 26, 2003 3:53 PM To: Stephen Tihor; ISS XForce Cc: [EMAIL PROTECTED] Subject: RE: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation Stephen, The MssqlMs02039Patch (SecChkId 9666) check for Internet Scanner works by reading the path to where SQLServer is installed and then gets the version resource from ssnetlib.dll. If the version is less than 636, we flag the target as vulnerable. You will need admin rights on the target to detect this. -Chris -----Original Message----- From: Stephen Tihor [mailto:[EMAIL PROTECTED]] Sent: Saturday, January 25, 2003 2:14 PM To: ISS XForce Cc: [EMAIL PROTECTED] Subject: Re: [ISSForum] ISS Security Brief: Microsoft SQL Slammer Worm Propagation Interestingly enough if have ISS internet scanner upda toe date with all XPU's and scanned a machine Friday which turned out to be vulnerable today. It was a stable production node so I doubt they enabled anything new. Which suggests the ISS was not on point or was a Denial of Service test since those were not run against the machine being tested. Could someone tell me which was the case? _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
