How do we identify which check for patches versus which check for vulnerabilities? For example, I have an XP-Pro box that is running IIS 5.1 for XP. When scanned, multiple IIS 5.0 vulnerabilities are flagged. All of these vulnerabilities were fixed in Win XP, but they are still flagged (yes, the scanner identifies this machine as Windows XP). I can only guess that the scanner is mis-reporting that the patches are not installed (which is true, but MS01-044 and MS02-028 are not valid for XP) and therefore are false positives. I would like to eliminate the checks for the patches and only look for the actual vulnerabilities.

So, how do we differentiate between the two?

Sean

-----Original Message-----
From: Evans, Mark (Contractor) [mailto:[EMAIL PROTECTED]
Sent: Monday, December 15, 2003 12:02 PM
To: 'Washburn, Lisa (ISSAtlanta)'; Evans, Mark (Contractor); [EMAIL PROTECTED]
Subject: RE: [ISSForum] Another case of inflating the number of vulnerabilities found..

I understand the code is different, but the result should be the same. One is either vulnerable or not. We check for vulnerabilities to assess risk. If I can apply a patch and still be vulnerable, either through negligence (not rebooting) or errors in the patch itself, then just check for the exploit to begin with. Unless it is a DoS, the latter seems the more accurate anyway. Or at least have the results of each check report to one table entry. That way I can assess whether to apply the patch, remove the service/program or operate with the risk.

Thanks for the discussion!

** The opinions expressed here are my own and are not a reflection of my company or the government. **

Mark P. Evans
Northrop Grumman IT
DISA Field Security Operation (OP74)
Bldg 1C - LEAD
1 Overcash Ave
Chambersburg, PA 17201

-----Original Message-----
From: Washburn, Lisa (ISSAtlanta) [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 4:03 PM
To: Evans, Mark (Contractor); [EMAIL PROTECTED]
Subject: RE: [ISSForum] Another case of inflating the number of vulnerabilities found..

The reason ISS keeps these records separate is because the code used to detect each issue is very different. The checks associated with these records don't always produce the same results, thus we need two different records so that we can report on them separately. In your example, the patch check simply checks that the patch is installed; the other check detects if you are actually vulnerable to the specific buffer overflow. Sometimes a workaround may be just as valid a solution to a security issue as applying the patch. If that workaround was applied, the patch check would flag the system as vulnerable, but the vulnerability check would not. Additionally, there are times when patches cover more than one unique security issue, and we may be able to determine multiple ways to detect the related vulnerabilities in addition to a patch check.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Evans, Mark (Contractor)
Sent: Monday, December 08, 2003 3:54 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Another case of inflating the number of vulnerabilities found..

by Internet Scanner. Check 13480 WinMS03046 patch not installed is the same as ExchangeSMTPVerb Buffer Overflow (check 13432). They both check the same thing. Why can't they just release one check? Would it be so they can say "oh, we can have two checks more instead of one"? Let's work smarter, not harder. More isn't always better.

Mark P. Evans
Northrop Grumman IT
DISA Field Security Operation (OP74)
Bldg 1C - LEAD
1 Overcash Ave
Chambersburg, PA 17201

** The opinions expressed here are my own and are not a reflection of my company or the government. **

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
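The two things asked for in this thread, collapsing a patch check and its live vulnerability check into one entry per issue record (Mark) and discarding patch checks that do not apply to the scanned product (Sean), as an added example that is not part of the thread or of Internet Scanner. Check ids 13480/13432 and the bulletins MS03-046, MS01-044 and MS02-028 come from the messages above; the 9xxxx check ids, the product-applicability sets and the result dictionaries are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    issue: str             # issue record (bulletin) the check contributes to
    kind: str              # "patch" = patch-installed test, "vuln" = live test
    applies_to: frozenset  # products the check is valid against


# 13480/13432 and the bulletin names are from the thread; the 9xxxx ids and
# the applicability sets are constructed here, not scanner data.
CHECKS = {
    13480: Check("MS03-046", "patch", frozenset({"Exchange"})),
    13432: Check("MS03-046", "vuln", frozenset({"Exchange"})),
    90001: Check("MS01-044", "patch", frozenset({"IIS 5.0"})),
    90002: Check("MS01-044", "vuln", frozenset({"IIS 5.0"})),
    90003: Check("MS02-028", "patch", frozenset({"IIS 5.0"})),
}


def reconcile(product, results):
    """Collapse per-check verdicts into one status per issue record.

    results: {check_id: flagged} for every check the scanner ran on the host.
    """
    per_issue = {}
    for cid, flagged in results.items():
        chk = CHECKS[cid]
        s = per_issue.setdefault(chk.issue, {"applicable": False, "patch": None, "vuln": None})
        if product not in chk.applies_to:
            continue  # wrong product: this check's verdict is noise, not evidence
        s["applicable"] = True
        s[chk.kind] = flagged
    status = {}
    for issue, s in per_issue.items():
        if not s["applicable"]:
            status[issue] = "not applicable to product (likely false positive)"
        elif s["vuln"]:
            status[issue] = "vulnerable"  # live check fired; patch state is moot
        elif s["patch"] and s["vuln"] is False:
            status[issue] = "patch missing, not exploitable (workaround in place?)"
        elif s["patch"]:
            status[issue] = "patch missing, exploitability not tested"
        else:
            status[issue] = "clean"
    return status


if __name__ == "__main__":
    # Sean's XP box (IIS 5.1): only the IIS 5.0 patch checks fire.
    print(reconcile("IIS 5.1", {90001: True, 90003: True}))
    # Exchange host with the patch missing but the overflow test clean.
    print(reconcile("Exchange", {13480: True, 13432: False}))
```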
