Hello Everyone... I was just curious... In all the cases I have encountered with false positives, I have noticed that in the plugin code there are checks in place to say that if a machine has, for instance, a certain file/library version or an earlier version, then it is considered vulnerable. Sometimes there are QFEs or specific hotfixes that actually exist which drop a later, non-vulnerable file/library onto the target system. These systems still fail on account of the file version being out of band with the specific check in the associated NVT.
Is there no way to write the test so that it looks for a minimum or higher file/library version for any particular check? Maybe I am missing the main argument / core logic for doing it the way it is... I assume they are coded as they are to ensure Q&A and accuracy. Though I would love to hear why a... if "x" is == or > than "y" then result = 0 (not vulnerable) for that particular NVT check anyway...? Looking forward to some enlightenment... I suppose it might be easy to drop arbitrary fake higher-version-numbered files which would fool this, but maybe in conjunction with a hash or signature / signing verification...? I know that might get hairy for 3rd party software because of the vastness of scope, but for Microsoft stuff? That seems to be public enemy #1 in terms of the false positives I experience anyway...

Cheers,
Matt
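
The "minimum or higher version" check the post asks about, combined with the hash verification it suggests, as an added example that is not part of the original message and is not OpenVAS plugin code. It is written in Python rather than NASL, and every function name, version number and file content in it is constructed for illustration.

```python
import hashlib


def parse_version(text):
    """Turn '5.2.100.17514' into (5, 2, 100, 17514) so fields compare as numbers."""
    return tuple(int(part) for part in text.strip().split("."))


def is_older(installed, fixed_minimum):
    """True when the installed version is below the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed_minimum)
    width = max(len(a), len(b))
    # Pad the shorter tuple with zeros so '5.2' compares equal to '5.2.0.0'.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_file(installed, file_bytes, fixed_minimum, known_good_hashes):
    """Return 'vulnerable', 'not vulnerable' or 'unverified'.

    A version at or above the fixed minimum is only trusted when the file
    content matches a known-good hash, so a file that merely carries a
    higher version number does not pass as patched.
    """
    if is_older(installed, fixed_minimum):
        return "vulnerable"
    if sha256_hex(file_bytes) in known_good_hashes:
        return "not vulnerable"
    return "unverified"


# Constructed sample data (not real vendor versions or files).
FIXED_MINIMUM = "5.2.100.17514"
HOTFIX_FILE = b"constructed hotfix build contents"
KNOWN_GOOD = {sha256_hex(HOTFIX_FILE)}

if __name__ == "__main__":
    print(check_file("5.2.100.22000", HOTFIX_FILE, FIXED_MINIMUM, KNOWN_GOOD))
    print(check_file("5.2.100.9000", HOTFIX_FILE, FIXED_MINIMUM, KNOWN_GOOD))
    print(check_file("9.9.9.9", b"renamed file", FIXED_MINIMUM, KNOWN_GOOD))
```

Comparing the fields as integers matters: as plain strings, "5.2.100.9000" sorts above "5.2.100.17514" and an older build would be reported as patched.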
