First, that wasn't your point in your first note.  It was that it wasn't infected.  
That was why I answered it that way.

Second, disable the guest ID and remove him from ALL groups and my guess is that the 
"error" will go away.  If it does, it is because you did have a guest share and you 
just weren't looking at the right one.  This is what happened to me when a consultant 
set up a root share with Guest access.  I went through and made sure that C$, D$, etc. 
were all clear and the scanner kept whining about me being infected.  Then I removed 
Guest from all groups and disabled the ID and the scanner quit squawking.  Looking back 
at the box I realized that it was a created share and not one of the default ones.

JayW

>>> "Mark Maher" <[EMAIL PROTECTED]> 09/25/01 11:50AM >>>
My Point: there is no open guest share!

>>> "Jay Woody" <[EMAIL PROTECTED]> 09/25/01 11:36AM >>>
But yet, you still have an open guest share on the PDC.  This still goes back to my 
"surely no admin with a brain would do this" argument.

JayW

>>> "Mark Maher" <[EMAIL PROTECTED]> 09/24/01 08:12AM >>>
I also ran the scanner and received "Open Guest Share - Infected" on our PDC. We 
tested and ran virus scanners and the PDC was NOT infected.


Mark Maher
Ochsner Medical Foundations
>>> "Parvez Ahmed" <[EMAIL PROTECTED]> 09/21/01 09:00PM >>>
I see the same thing when I run the scans: "open guest shares". I
think it picks up if you have a share created. We tested with a share,
with selected users, and it still gave back the same response, even though
the access to the share was restricted.

-----Original Message-----
From: John Stauffacher [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 21, 2001 10:13 AM
To: [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] 
Subject: RE:New Version of Retina Nimba Scanner


All,

I just ran this scanner and am picking up more false positives than real
infections. Not only did it pick up all my Macs (they aren't even running
Dave or have any SMB shares), it picked up my indigo and my Snap Server
(tell me how a snap server gets infected by this?). I realize that
diagnosing these things is a shot in the dark - but, telling me "open
guest share" when the machine is not sharing anything (or even listening
on 139) is kinda a misnomer and a cause for panic (130 "infected" out of
253 possible)...anyone else seen this kind of false positive from the
scanner?

-John Stauffacher

+-------------------------+
! John Stauffacher        !
! Network Administrator   !
! Chapman University      !
! [EMAIL PROTECTED] !
+-------------------------+

>
Date: Thu, 20 Sep 2001 17:31:06 -0700
From: info <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED] 
Subject: New Version of Retina Nimba Scanner

A new version of Nimda Scanner has just been posted to the eEye web site
that will also detect open shares on systems which is a common trait of
an infection.

http://www.eeye.com/html/Research/Tools/nimda.html 

Signed,
eEye Digital Security
T.949.349.9062
F.949.349.9538



------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com 



