RE: RPC Scan Issues

From: Anderson, Kelly (kjanders_at_umich.edu)
Date: Wed, 15 Oct 2003 10:02:11 -0400
To: <focus-ms@securityfocus.com>

  • Next message: Morton B. Maser: "Re: RPC Scan Issues"


    To throw my two cents into the ring...I've personally found that the
    Retina scanner throws false positives also. However, I have yet to have
    the most current MS scanner give me an error. Thus far, the MS scanner
    has been the most reliable for me. But you must be vigilant to have
    the most current scanner and signatures so that you can eliminate
    potential errors.

    So, that said, based on Jerry's response, I would venture to say that
    none of the scanners are 100% and for the more serious patches (e.g.,
    MS03-039) you need to double check the file names, sizes, dates, reg
    entries, etc.

    - Kelly
      
    ********************************************
    Kelly J. Anderson, MCSE
    Windows 2000 Infrastructure
    University of Michigan
    http://www.umich.edu/~lannos/win2000
    ********************************************
     

      
    -----Original Message-----
    From: Jerry Heidtke [mailto:jheidtke@fmlh.edu]
    Sent: Tuesday, October 14, 2003 3:09 PM
    To: Thaddeus McNamara; focus-ms@securityfocus.com
    Subject: RE: RPC Scan Issues

    The MS scanner is so inaccurate as to be useless. In my experience, the
    Retina scanner is 100% accurate.

    You may find systems that had the patch installed through windowsupdate,
    but show up in a scan as still vulnerable. Every case I've seen of this,
    the patch was not installed completely and needs to be reinstalled. The
    registry will indicate that the patch is installed (this is all that WU
    checks), the uninstall directory exists with the correct old files in
    it, but the files in use never got replaced with the new ones.

    You cannot turn off RPC and expect a Windows system to work. Despite
    being called "Remote Procedure Call", many local functions depend on RPC
    to work (minor things like event logging, registry access, file property
    reading, and authentication).

    You may be able to turn off DCOM, which is a specialized service that
    operates over RPC, and where the particular vulnerabilities exist. You
    can't do this on a domain controller or Exchange server, probably can't
    do it on a SQL Server box, and there are likely other specialized
    services that require DCOM. You can try this with the standard
    "dcomcnfg.exe", or by using third-party utilities such as the one at
    www.grc.com, or by making a single registry change. Be aware that if it
    doesn't work, you probably need to physically touch the box to get it
    working again.

    The firewall will not be enough, unless you have absolute control over
    every device that might ever be connected to the network behind the
    firewall. We've had seven cases where people brought in laptops that
    were infected with Nachia/Welchia, which proceeded to try to scan our
    entire class B address range looking for vulnerable systems to infect,
    which it can do in less than 10 minutes if we don't null route it and
    disable the network port first. In spite of having good immediate
    automatic detection and alerting based on Nachia-generated traffic, our
    response still happens in human-scale time frames, which leaves plenty
    of opportunity for mischief. There's no reason to believe the next worm
    will be less aggressive or less efficient...

    Your best defense is to patch.

    -----Original Message-----
    From: Thaddeus McNamara [mailto:tk@coast-radio.com]
    Sent: Tuesday, October 14, 2003 11:58 AM
    To: 'focus-ms@securityfocus.com'
    Subject: RPC Scan Issues

    After reading there's yet another RPC exploit code in the wild, I double
    checked my LANs with both the MS DCOM scanner (KB824146Scan) and the Retina
    RPC DCOM scanner and got very different results. A few of the machines I
    know are NOT patched and others are fully patched.

    1. Is it possible they aren't patched properly?
    2. Should I be getting such different results?
    3. Should I or can I turn off RPC?
    4. Will the firewall be enough?

    Thadd McNamara
    IT Director
    Coast Radio Co., Inc.

    ---------------------------------------------------------------------------
    Visual & Easy-to-use are not words that you think of when talking about
    network analyzers. Need to share problem information with colleagues that
    do not read packets?
    Download ClearSight Networks Analyzer and see a new network analysis tool
    that makes the complex - easy
    http://www.securityfocus.com/sponsor/ClearSightNetworks_focus-ms_031006
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    Confidentiality Notice: This e-mail message, including any attachments,
    is for the sole use of the intended recipient(s) and may contain
    confidential and privileged information.  Any unauthorized review, use,
    disclosure or distribution is prohibited.  If you are not the intended
    recipient, please contact the sender by reply e-mail and destroy all
    copies of the original message.
    ---------------------------------------------------------------------------
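The check Kelly and Jerry describe (trust neither scanner, look at the files and registry yourself), written out as an added PowerShell example. This is not code from anyone in the thread; it is an illustration of the verification they recommend. It reads the KB824146 (MS03-039) hotfix marker from the registry, then compares the on-disk versions of the RPC/DCOM binaries with the versions the bulletin expects, so a box whose marker is present but whose files were never replaced (Jerry's incomplete-install case) is reported as "IncompleteInstall" rather than "Patched". It also reads the EnableDCOM value, since a host with DCOM turned off is not exposed through that path. The marker key paths, the list of files and the placeholder version numbers are assumptions; fill the versions in from the bulletin's file-information table for your platform and service pack. Remote use assumes the Remote Registry service is running on the target and that you can reach its admin$ share.

```powershell
# Added example, not from the original thread: reconcile the registry's
# claim that KB824146 (MS03-039) is installed with what is actually on disk.
# The registry marker is the only thing Windows Update checks, so a key
# that is present proves nothing about the files in use.
#
# ASSUMPTIONS (adjust for your environment):
#   - $ExpectedVersions: placeholder minimum file versions; take the real
#     numbers from the MS03-039 bulletin's file-information table.
#   - $MarkerKeys: typical hotfix marker locations for KB824146; verify on a
#     known-good box before trusting them.
#   - Remote targets expose admin$ and run the Remote Registry service.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Placeholders: 0.0.0.0 matches everything, so replace these before use.
$ExpectedVersions = @{
    'ole32.dll'  = [version]'0.0.0.0'
    'rpcrt4.dll' = [version]'0.0.0.0'
    'rpcss.dll'  = [version]'0.0.0.0'
}

$MarkerKeys = @(
    'SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB824146',
    'SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB824146',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824146'
)

function Test-Ms03039 {
    param([string]$Computer)

    # admin$ maps to %SystemRoot% on the target.
    $system32 = Join-Path "\\$Computer\admin$" 'system32'

    # 1. What the registry claims (this is all WU and some scanners look at).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $registrySaysInstalled = $false
    foreach ($k in $MarkerKeys) {
        $sub = $hklm.OpenSubKey($k)
        if ($sub) { $registrySaysInstalled = $true; $sub.Close() }
    }

    # 2. What is actually on disk: file versions of the binaries the patch replaces.
    $stale = @()
    foreach ($name in $ExpectedVersions.Keys) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) { $stale += "$name (missing)"; continue }
        $info   = (Get-Item $path).VersionInfo
        $onDisk = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                                 $info.FileBuildPart, $info.FilePrivatePart)
        if ($onDisk -lt $ExpectedVersions[$name]) { $stale += "$name $onDisk" }
    }

    # 3. DCOM exposure: EnableDCOM = "N" under HKLM\SOFTWARE\Microsoft\Ole turns DCOM off.
    $ole = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole')
    $enableDcom = 'Y'
    if ($ole) { $enableDcom = $ole.GetValue('EnableDCOM', 'Y'); $ole.Close() }
    $hklm.Close()

    # Classify: the interesting row is marker present + old files still in use.
    if ($registrySaysInstalled -and $stale.Count -eq 0) { $state = 'Patched' }
    elseif ($registrySaysInstalled)                     { $state = 'IncompleteInstall' }
    elseif ($stale.Count -eq 0)                         { $state = 'FilesCurrentNoMarker' }
    else                                                { $state = 'Unpatched' }

    [pscustomobject]@{
        Computer     = $Computer
        RegistryMark = $registrySaysInstalled
        StaleFiles   = ($stale -join ', ')
        DcomEnabled  = ($enableDcom -ne 'N')
        State        = $state
    }
}

$ComputerName | ForEach-Object { Test-Ms03039 -Computer $_ } | Format-Table -AutoSize
```

Run it as `.\Test-Ms03039.ps1 -ComputerName host1,host2` from an account with admin rights on the targets. Anything reported as "IncompleteInstall" is the case Jerry describes: reinstall the hotfix and re-run the check rather than trusting either scanner's verdict.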
    
