In this case, it's my understanding that a single word can be issued to
the open port (6777) to "disable" the listener included with the worm. 
However, a reg key also needs to be removed.  It seems to me that if
nessus sees port 6777 open, connects and issues the magic word, and then
the port becomes unavailable, then there's a very high degree of
reliability in reporting a host as infected.  This strikes me as very
valuable and definitely *does not* qualify as full remediation of the
threat (meaning that the infected host will still need to be cleaned).

In short, as long as the report correctly reports the threat as fully
verified and partially mitigated, but not as fully remediated, then what's
the problem?

> Well stated.  As a risk identification service, I do not rely upon the
> identifier as the mitigator.
>
> Jeff Miller
> Security Specialist
> Concur Hosted Operations: InfoSec
>
>
>
> -----Original Message-----
> From: Thomas Reinke [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 2:03 PM
> To: [EMAIL PROTECTED]
> Subject: Bagle remover...dangerous precedent?
>
> The recent bagle_remover.nasl script sets a somewhat dangerous
> precedent, IMHO, of crossing the line from vulnerability detection
> to remediation.  Not to mention that you are trusting the bagle
> remover script to do its own removal cleanly.  There are a number
> of reasons why this is bad, not the least of which is that I
> personally would not trust a virus to remove itself cleanly to
> begin with. It is by definition, after all, untrusted code.
>
> I would suggest that this script be modified (if possible) into
> a detection only script and leave the corrective action out as
> a separate activity.
>
> Thomas
>
> _______________________________________________
> Nessus mailing list
> [EMAIL PROTECTED]
> http://mail.nessus.org/mailman/listinfo/nessus
>
