Thanks Christian, you are correct, I was looking at two separate reports by mistake. I have noticed that this issue seems to "flap" sometimes - one scan will report the issue, then a subsequent scan it won't. When looking into the differences in the Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937) between the two runs, I notice that when it incorrectly identifies the host as Windows 8 this is the result:

> Best matching OS:
>
> OS: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
> CPE: cpe:/o:microsoft:windows_8
> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper))
> Concluded from Nmap TCP/IP fingerprinting:
> OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
> Setting key "Host/runs_windows" based on this information
>
> Other OS detections (in order of reliability):
>
> OS: Microsoft Windows
> CPE: cpe:/o:microsoft:windows
> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
> Concluded from ICMP based OS fingerprint:
> (95% confidence)
>
> Microsoft Windows

i.e., it appears to not have used the NVT 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan) to determine the OS. When SMB is used, it correctly identifies the host as Windows 7. Looking into the SMB NVT in the same runs, I see that in the false positive case the NVT 1.3.6.1.4.1.25623.1.0.90011 (SMB Test with 'smbclient') is getting errors:

> OS Version = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
> Domain = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
> SMB Serverversion = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM

But in the proper identification case:

> OS Version = WINDOWS 7 PROFESSIONAL 7601 SERVICE PACK 1
> Domain = <expected domain>
> SMB Serverversion = WINDOWS 7 PROFESSIONAL 6.1

So it looks like the root cause is SMB being intermittent on Windows 7 when OpenVAS is accessing it.
-----Original Message-----
From: Christian Fischer [mailto:[email protected]]
Sent: Wednesday, July 19, 2017 11:07 AM
To: Matt Koivisto <[email protected]>
Cc: openvas-discuss <[email protected]>
Subject: Re: [Openvas-discuss] Windows 8 EOL false positive

Hey,

On 18.07.2017 22:18, Matt Koivisto wrote:
> Thanks Christian,
>
> Here's the output of that NVT. It seems to report the expected value for best
> matching OS:

thanks for passing this info. Unfortunately it's technically not possible that:

OS End of Life Detection (http://plugins.openvas.org/nasl.php?oid=103674)

is reporting Windows 8 as EOL with an output of Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937) you have passed to me below. All detected and registered OS types which are evaluated by the "OS End of Life Detection" are showing up there. Could you make sure that this is an output of a report / host where you have seen this issue?

Regards,

Christian

>> Best matching OS:
>>
>> OS: Windows 7 Enterprise 7601 Service Pack 1
>> CPE: cpe:/o:microsoft:windows_7:-:sp1
>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan)
>> Concluded from SMB/Samba banner on port 445/tcp: OS String: Windows 7 Enterprise 7601 Service Pack 1; SMB String: Windows 7 Enterprise 6.1
>> Setting key Host/runs_windows based on this information
>>
>> Other OS detections (in order of reliability):
>>
>> OS: Microsoft Windows Server 2008 SP2
>> CPE: cpe:/o:microsoft:windows_server_2008::sp2
>> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper))
>> Concluded from Nmap TCP/IP fingerprinting:
>> OS details: Microsoft Windows Server 2008 SP2
>> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2
>>
>> OS: Microsoft Windows
>> CPE: cpe:/o:microsoft:windows
>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
>> Concluded from ICMP based OS fingerprint:
>> (95% confidence)
>>
>> Microsoft Windows
>
> Regards,
>
> -----Original Message-----
> From: Openvas-discuss
> [mailto:[email protected]] On Behalf Of Christian Fischer
> Sent: Tuesday, July 18, 2017 4:04 PM
> To: [email protected]
> Subject: Re: [Openvas-discuss] Windows 8 EOL false positive
>
> Hi,
>
> On 18.07.2017 21:16, Matt Koivisto wrote:
>> Hi,
>>
>> I am running openvas-9 on CentOS 7, all the feeds up to date. I have seen some Windows 7 hosts with SP1 installed and fully patched that are being detected as Windows 8 machines and thus get flagged as "OS End of Life Detection" (http://plugins.openvas.org/nasl.php?oid=103674).
>>
>> Specifically, for verified Windows 7 machines I get the false positive:
>>
>>> The "Windows 8" Operating System on the remote host has reached the end of life.
>>>
>>> CPE: cpe:/o:microsoft:windows_8
>>>
>>> Installed version:
>>>
>>> EOL date: 2016-01-12
>>>
>>> EOL info: https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Windows%208&Filter=FilterNO
>>
>> Is anyone else seeing this on their network as well? Any suggestions?
>>
>> I tried to trace through a bit to verify what's coming back from the remote registry using openvas-nasl directly, but without any success.
>
> thanks for your report. Could you post the output of the following NVT:
>
> OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)
>
> This might give more info where the Windows 8 detection is coming from.
>
> Regards,
--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
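Editor's added example (not code from the thread, from OpenVAS or from Greenbone): a small Python triage script for the "flap" Matt describes. It parses the plain-text result of the OS Detection Consolidation and Reporting NVT (OID 1.3.6.1.4.1.25623.1.0.105937) in the layout quoted above, reports which NVT produced the best match, and checks the SMB Test with 'smbclient' result for the PROTOCOL NEGOTIATION FAILED string, so two runs of the same host can be compared side by side. The sample inputs are constructed from the outputs quoted in the thread, and the idea that an SMB NativeLanMan banner match outranks an Nmap or ICMP fingerprint guess is this script's own assumption, mirroring the "in order of reliability" list the NVT prints.

```python
"""Triage helper for a flapping OpenVAS OS detection (added example, not OpenVAS code).

Parses the text of the "OS Detection Consolidation and Reporting" NVT and
reports whether the best match is backed by an SMB banner or is only a
TCP/IP stack fingerprint guess.  Sample inputs are constructed from the
outputs quoted in the thread; the source ranking is this script's assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# NVT OIDs named in the thread.
SMB_NATIVELANMAN_OID = "1.3.6.1.4.1.25623.1.0.102011"
NMAP_OS_OID = "1.3.6.1.4.1.25623.1.0.108021"
NEGOTIATION_FAILED = "PROTOCOL NEGOTIATION FAILED"  # smbclient error in the bad run

# Constructed sample: the run that produced the Windows 8 EOL false positive.
FLAPPED_RUN = """\
Best matching OS:
OS: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
CPE: cpe:/o:microsoft:windows_8
Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper))
Concluded from Nmap TCP/IP fingerprinting:
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_8
Setting key "Host/runs_windows" based on this information
Other OS detections (in order of reliability):
OS: Microsoft Windows
CPE: cpe:/o:microsoft:windows
Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
"""

# Constructed sample: the run where the SMB banner was available.
GOOD_RUN = """\
Best matching OS:
OS: Windows 7 Enterprise 7601 Service Pack 1
CPE: cpe:/o:microsoft:windows_7:-:sp1
Found by NVT: 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan)
Concluded from SMB/Samba banner on port 445/tcp: OS String: Windows 7 Enterprise 7601 Service Pack 1; SMB String: Windows 7 Enterprise 6.1
Other OS detections (in order of reliability):
OS: Microsoft Windows Server 2008 SP2
CPE: cpe:/o:microsoft:windows_server_2008::sp2
Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper))
OS: Microsoft Windows
CPE: cpe:/o:microsoft:windows
Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
"""

# Constructed sample: 'SMB Test with smbclient' output from the bad run.
SMBCLIENT_FAIL = """\
OS Version = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
Domain = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
"""


@dataclass
class Detection:
    os: str
    cpe: Optional[str] = None
    nvt_oid: Optional[str] = None


FOUND_BY = re.compile(r"^Found by NVT:\s*(\S+)\s*\((.*)\)\s*$")


def parse_detections(report: str) -> List[Detection]:
    """Detections in the order the NVT prints them; index 0 is the best match."""
    found: List[Detection] = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("OS: "):  # "OS CPE:" / "OS details:" do not match
            found.append(Detection(os=line[4:].strip()))
        elif found and line.startswith("CPE: ") and found[-1].cpe is None:
            found[-1].cpe = line[5:].strip()
        elif found:
            m = FOUND_BY.match(line)
            if m:
                found[-1].nvt_oid = m.group(1)
    return found


def assess(report: str) -> dict:
    """Summarise how trustworthy the best match is."""
    dets = parse_detections(report)
    if not dets:
        raise ValueError("no 'OS:' entries in report")
    best = dets[0]
    return {
        "best_cpe": best.cpe,
        "best_source": best.nvt_oid,
        "banner_backed": best.nvt_oid == SMB_NATIVELANMAN_OID,
        # An Nmap line listing several candidates ("A or B, C, or D") is a
        # guess; the EOL NVT only sees the single CPE picked from it.
        "ambiguous_fingerprint": best.nvt_oid == NMAP_OS_OID and " or " in best.os,
        "smb_banner_present": any(d.nvt_oid == SMB_NATIVELANMAN_OID for d in dets),
    }


def smb_probe_failed(smb_test_output: str) -> bool:
    """True when the smbclient NVT result shows the negotiation error."""
    return NEGOTIATION_FAILED in smb_test_output


def explain_flap(run_a: str, run_b: str) -> str:
    """One-line verdict on why two runs of the same host disagree."""
    a, b = assess(run_a), assess(run_b)
    if a["best_cpe"] == b["best_cpe"]:
        return "no flap: both runs chose %s" % a["best_cpe"]
    parts = []
    for label, r in (("run A", a), ("run B", b)):
        src = "SMB banner" if r["banner_backed"] else "fingerprint %s" % r["best_source"]
        parts.append("%s %s via %s" % (label, r["best_cpe"], src))
    return "flap: " + "; ".join(parts)
```

Feed `assess` the consolidation result from each run of the affected host and `smb_probe_failed` the matching smbclient result: a best match that is not `banner_backed`, has `ambiguous_fingerprint` set, and coincides with a failed SMB negotiation is the pattern Matt describes, and is worth checking against the Windows host's SMB server-side logs before treating the EOL finding as real.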
