All,

This scanner has proven to be very finicky. It picked up some obvious non
infects as infects, and then it picked up my infected Whistler Box
(purposefully infected) as being "invulnerable". Heh...I think I'll just go
back to LANguarding my network and picking out weird looking shares. Time
consuming yes - but it's a heck of a lot more reliable. On a side note, it
looks as if Whistler Advanced Server is kinda immune to NIMDA - I
purposefully opened an infected .eml and Media Player gave me a nice error
message "WMP cannot understand the URL"...or something to that matter.
Nice to see.

-John Stauffacher

On Fri, 21 Sep 2001, Parvez Ahmed wrote:

> I see the same thing when I run the scans "open guest shares". I
> think it picks up if you have a share created. We tested with a share,
> with selected users and it still gave back the same response. Even though
> the access to the share was restricted.
> 
> -----Original Message-----
> From: John Stauffacher [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, September 21, 2001 10:13 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE:New Version of Retina Nimba Scanner
> 
> 
> All,
> 
> I just ran this scanner and am picking up more false positives than real
> infections. Not only did it pick up all my Macs (they aren't even running
> Dave or have any SMB shares), it picked up my indigo and my Snap Server
> (tell me how a snap server gets infected by this?). I realize that
> diagnosing these things is a shot in the dark - but, telling me "open
> guest share" when the machine is not sharing anything (or even listening
> on 139) is kinda a misnomer and a cause for panic (130 "infected" out of
> 253 possible)...anyone else seen this kind of false positive from the
> scanner?
> 
> -John Stauffacher
> 
> +-------------------------+
> ! John Stauffacher        !
> ! Network Administrator   !
> ! Chapman University      !
> ! [EMAIL PROTECTED] !
> +-------------------------+
> 
> >
> Date: Thu, 20 Sep 2001 17:31:06 -0700
> From: info <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: New Version of Retina Nimba Scanner
> 
> A new version of Nimda Scanner has just been posted to the eEye web site
> that will also detect open shares on systems which is a common trait of
> an infection.
> 
> http://www.eeye.com/html/Research/Tools/nimda.html
> 
> Signed,
> eEye Digital Security
> T.949.349.9062
> F.949.349.9538
> 
> 
> 
> ------------------------------------------------------------------------
> ----
> This list is provided by the SecurityFocus ARIS analyzer service. For
> more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 
> 
> 
> 
> 
> 

+-------------------------+
! John Stauffacher        !
! Network Administrator   !
! Chapman University      !
! [EMAIL PROTECTED] !
+-------------------------+
        << All opinions expressed are mine, not the University's >>

