Hello Everyone,

Quick question re: false positives / erratic scan results...

As an example.

Most of my VMs are 2003 Std based, cloned from a template.  I have scanned
my server IP ranges many times, and been trying to resolve some
inconsistencies with the results...

e.g. Some of my identical servers pass the secpod_MS10_022.nasl test,
others do not despite the fact they are identically patched, first by WSUS,
then extensively and painstakingly by hand to try to eliminate persistent
vulns detected.

The requisite patch the NVT (OID: 1.3.6.1.4.1.25623.1.0.801358) tests for
on a SRV2003 w/ IE8 machine is KB981332.

Looking on that server I have confirmed this patch is in place, and
cross-referenced with the OpenVAS saved scan KBs for that server.

1290004419 3 SMB/Registry/HKLM/SOFTWARE/Microsoft/Updates/Windows Server 2003/SP3/KB981322=1

Opening the .nasl file for that check...  I see...

# Windows 2003
else if(hotfix_check_sp(win2003:3) > 0)
{
  SP = get_kb_item("SMB/Win2003/ServicePack");
  if("Service Pack 2" >< SP)
  {
    # Grep for Vbscript.dll < 5.6.0.8838, 5.7.6002.22354, 5.8.6001.23000
    if(version_is_less(version:sysVer, test_version:"5.6.0.8838") ||
       version_in_range(version:sysVer, test_version:"5.7", test_version2:"5.7.6002.22353") ||
       version_in_range(version:sysVer, test_version:"5.8", test_version2:"5.8.6001.22999")){
      security_hole(0);
    }
    }
    exit(0);
  }
  security_hole(0);
}

Checking the file properties of vbscript.dll on the server in question
shows the file version is...

5.8.6001.23000

Checking another server which passed the tests shows that it has the exact
same dll versioning for vbscript.dll

Is it because the nasl checks for precisely 5.8.6001.29999 but it is /=
5.8.6001.23000 present on the machines??

Regards,

Matt
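
Added example, not part of the original message and not OpenVAS code: a Python model of the quoted Windows 2003 branch, showing which combinations of vbscript.dll version and service pack string make it report. It assumes the NASL version helpers compare dotted versions numerically and that version_in_range is inclusive at both ends; the function names and sample inputs are constructed for illustration.

```python
# Model of the quoted branch only; the hotfix_check_sp() gate is not modelled.
# Assumption: numeric, component-wise comparison; inclusive range bounds.

def parse(ver, width=4):
    """'5.8.6001.23000' -> (5, 8, 6001, 23000); short versions are zero-padded."""
    parts = [int(p) for p in ver.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def version_is_less(version, test_version):
    return parse(version) < parse(test_version)

def version_in_range(version, test_version, test_version2):
    return parse(test_version) <= parse(version) <= parse(test_version2)

def win2003_branch(sys_ver, service_pack):
    """Return (flagged, reason). service_pack models the
    SMB/Win2003/ServicePack KB item; None means it was not collected."""
    if service_pack and "Service Pack 2" in service_pack:
        if version_is_less(sys_ver, "5.6.0.8838"):
            return True, "vbscript.dll older than 5.6.0.8838"
        if version_in_range(sys_ver, "5.7", "5.7.6002.22353"):
            return True, "vbscript.dll in vulnerable 5.7 range"
        if version_in_range(sys_ver, "5.8", "5.8.6001.22999"):
            return True, "vbscript.dll in vulnerable 5.8 range"
        return False, "version outside every vulnerable range"
    # Mirrors the unconditional security_hole(0) after the SP2 block.
    return True, "service pack string lacks 'Service Pack 2'"

# Constructed inputs: (vbscript.dll version, service pack KB value)
CASES = [
    ("5.8.6001.23000", "Service Pack 2"),  # patched file, SP2 recorded
    ("5.8.6001.22999", "Service Pack 2"),  # one build below the fixed file
    ("5.8.6001.23000", None),              # patched file, SP item missing
]

if __name__ == "__main__":
    for ver, sp in CASES:
        flagged, reason = win2003_branch(ver, sp)
        print(f"{ver:16} {str(sp):16} flagged={flagged} ({reason})")
```

Under these assumptions the version comparison alone cannot separate two hosts that both carry 5.8.6001.23000, so the SMB/Win2003/ServicePack entry in each host's saved scan KB is the value to compare between a passing and a failing server.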

