My take on this is, your check is assessing whether or not an SMTP server will accept incoming email with a potential virus, and not necessarily checking to see if the server itself is vulnerable. In that case, you're assessing whether or not a particular control is enabled on your SMTP server, and not whether or not it is vulnerable itself. From that point of view, I don't think it makes sense that Nessus would check for it; however, this really depends on the scope of your assessment and the design of your mail system.

If the scope of the assessment includes the end-user workstations, it may make sense to find out if your SMTP server may potentially pass a virus-infected email into the mail system where an end user would receive it with their mail client; however, it may also be part of your mail system design that the SMTP servers themselves do not check for viruses, but your Exchange server that receives mail from the SMTP servers does. In this case it would not make sense to perform this check, because the SMTP server accepting the email would be expected behavior and would then show a false positive if the check is performed.

Without knowing the mail system architecture of the network being tested and what is expected behavior, or the scope of your assessment, you really can't make the determination of whether or not this is a useful check to perform. I think the check should be available, however maybe not enabled by default.

---
Dustin D. Trammell
Information Security Specialist
Penson Financial Services, Inc.

-----Original Message-----
From: Renaud Deraison [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 15:16
To: Nessus@List.Nessus.Org
Subject: Re: EICAR Test String virsus was found...Nessus cause?

On Fri, Aug 30, 2002 at 01:15:37PM -0700, Tony Torri wrote:
> Hi,
>
> Our NAV scanning software recently found the Virus "EICAR Test String was
> found". This was found on a server that I recently ran a Nessus scan
> against. There is some concern among our admins that the virus was
> "planted" on the server during a Nessus scan. Is that possible?...

No it's not. However Nessus sends an email containing this string (which is *not* a virus, it just triggers anti-virii) to the remote host. If the remote MTA starts to keep a local copy of all the mails it receives, then it might appear as being "planted".

I'm interested in everyone's feedback about this though - I'm not really sure testing an SMTP server for an anti-virus should be a Nessus test, what's your take on this check?

-- Renaud

- [EMAIL PROTECTED]: general discussions about Nessus.
* To unsubscribe, send a mail to [EMAIL PROTECTED] with "unsubscribe nessus" in the body.
