i have seen false positives with NetApps running the smbd service, but have not run into any other instances of false positives on 45K+ hosts..
~cam. Cam Beasley Information Security Office The University of Texas at Austin [EMAIL PROTECTED] > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of David Kyle Sayre > Sent: Friday, April 30, 2004 18:46 > To: Shane Williams > Cc: [EMAIL PROTECTED] > Subject: Re: ms04-011 > > > I'm sorry, I meant to say smb_kb835732.nasl, but is has been a long > day. We have seen fully patched machines show up as vulnerable. They > have been rebooted, in some cases special netapps that aren't running > windows, and in some cases windows 2003 server that are fully > patched. > On a standard scan we are seeing ~double the amount of ips showing up > as vulnerable on nessus as we are on the foundstone scanner. This is > one of the reasons that I am wondering if they are both > testing for the > CAN-2003-0533 vulnerability. We spot checked a couple systems that > nessus said were vulnerable, and foundstone said were not vulnerable, > and they were not vulnerable. > > I would appreciate any help, > David Sayre > Los Alamos National Labs > > On Apr 30, 2004, at 5:15 PM, Shane Williams wrote: > > > I don't see a ms_kb835732.nasl (perhaps you meant > ms_kb835732_ssl.nasl > > (12204)), but we've been using smb_kb835732.nasl (12209) > without any > > false positives. We have seen a few where the update has > been applied > > but the machine hasn't been rebooted, but as I understand > it they're > > still vulnerable so it's not quite a false positive. > > > > On Fri, 30 Apr 2004, David Kyle Sayre wrote: > > > >> Hello All, > >> > >> We would like to use nessus for scanning for the > vulnerability in the > >> CAN-2003-0533. We have tried to use ms_kb835732 which covers the > >> ms04-011 patch, but we are getting a lot of false > positives over the > >> dsscan utility available from foundstone.com. I was wondering if > >> anyone was working on a better test for the CAN-2003-0533 > >> vulnerability? > >> > >> On a separate note, ftp://www.cert.mil is not available, > to I could > >> find (I did look through google) which one of the plethora of > >> vulnerabilities in ms04-011 this was. Could anyone enlighten me? > >> > >> Thanks, > >> David Sayre > >> Los Alamos National Labs > >> > >> _______________________________________________ > >> Nessus mailing list > >> [EMAIL PROTECTED] > http://mail.nessus.org/mailman/listinfo/nessus > >> > > > > -- > > Public key #7BBC68D9 at | Shane Williams > > http://pgp.mit.edu/ | System Admin - UT iSchool > > =----------------------------------+------------------------------- > > All syllogisms contain three lines | [EMAIL PROTECTED] > > Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew > > > > _______________________________________________ > Nessus mailing list > [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus > _______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
