RE: RPC Scan Issues

From: Cosentino, Guilherme V. (Guilherme.Cosentino_at_alcoa.com.br)
Date: 10/14/03

    To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
    Date: Tue, 14 Oct 2003 17:07:13 -0300
    
    

    What I've seen about the MS scanner is that it reports as unpatched every
    machine that had the patch installed but was not restarted. At this moment
    (before the restart), if you look at those boxes, you'll see the registry
    key, the uninstall directory, but not the correct versions of files. If all
    your computers were rebooted after the patch application, you shouldn't
    receive false positives.
    Retina seems not to look at those files and their creation dates, reporting
    that non-rebooted machines are patched.

    -----Original Message-----
    From: Thaddeus McNamara [mailto:tk@coast-radio.com]
    Sent: Tuesday, 14 October 2003 4:26 PM
    To: 'larobins@bellatlantic.net'; 'focus-ms@securityfocus.com'
    Subject: RE: RPC Scan Issues

    First, let me say thank you for the quick response, Laura. Secondly, my
    S.O.P. on firewall security is EVERYTHING is blocked unless I MUST have it
    open...25, 80, and Citrix (1494). I even have a few blocked going out for
    SoBig and Port 5000.

    I see from your earlier responses to Win2k Hardening that we all need to do
    the basics and wait for a new patch. I guess my next concern is, should we
    take the time to follow the "workarounds" listed in MS03-039? -->
    (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-039.asp).
    Then follow up with patch verification on every
    machine? (I guess we should be doing that at the time we install the patch,
    huh?) Or should we just rely on our firewalls and the knowledge we have
    already patched (almost) everything?

    Looking to spend my time wisely...
    Thadd

    -----Original Message-----
    From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    Sent: Tuesday, October 14, 2003 10:48 AM
    To: 'Thaddeus McNamara'; focus-ms@securityfocus.com
    Subject: RE: RPC Scan Issues

    > After reading there's yet another RPC exploit code in the
    > wild, I double checked my LANs with both the MS DCOM scanner
    > (KB824146Scan) and the Retina RPC DCOM scanner and got very
    > different results. A few of the machines I know are NOT
    > patched and others are Fully patched.
    >
    > 1. Is it possible they aren't patched properly?

    Yes. It's also possible that you are getting false positives.

    > 2. Should I be getting such different results?

    Ideally, no. Realistically, it happens.

    > 3. Should I or can I turn off RPC?

    No.

    > 4. Will the firewall be enough?

    No, but that doesn't mean you shouldn't configure it to block incoming
    traffic on appropriate ports.

    Laura
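
The discrepancy described in the first message (installer registry key present, file versions unchanged until the restart) can be checked per host. This is an added example, not part of the thread or of either scanner; the function name and its parameters are hypothetical, and the marker key, file path and fixed version are placeholders to be filled in from the bulletin.

```powershell
# Added example: classify one host as Patched / RebootPending / Unpatched.
# Nothing below comes from the thread; the caller supplies all three values
# from the bulletin's file manifest.
function Get-PatchState {
    param(
        [Parameter(Mandatory)] [string]  $MarkerKey,      # registry key the installer writes
        [Parameter(Mandatory)] [string]  $FilePath,       # a file the patch replaces
        [Parameter(Mandatory)] [version] $MinimumVersion  # fixed file version per the bulletin
    )

    # 1. Installer marker: present as soon as setup finishes, reboot or not.
    $markerPresent = Test-Path -LiteralPath $MarkerKey

    # 2. Version of the binary on disk, built from the numeric fields because
    #    the FileVersion string can carry extra text.
    $info   = (Get-Item -LiteralPath $FilePath).VersionInfo
    $onDisk = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                             $info.FileBuildPart, $info.FilePrivatePart)
    $fileCurrent = $onDisk -ge $MinimumVersion

    # 3. Replacements of in-use files are queued in this REG_MULTI_SZ value
    #    and only applied at the next boot.
    $sm      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -LiteralPath $sm -Name PendingFileRenameOperations `
                    -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $leaf    = Split-Path -Leaf $FilePath
    $queued  = [bool]($pending | Where-Object { $_ -like "*\$leaf" })

    # A marker without an updated file is the case that makes a registry-only
    # check and a file-version check disagree.
    $state = if     ($fileCurrent)               { 'Patched' }
             elseif ($markerPresent -or $queued) { 'RebootPending' }
             else                                { 'Unpatched' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        State         = $state
        MarkerPresent = $markerPresent
        OnDiskVersion = $onDisk
        RenameQueued  = $queued
    }
}

# Usage (placeholders, replace with values from the bulletin):
# Get-PatchState -MarkerKey 'HKLM:\<marker key>' -FilePath '<patched file>' -MinimumVersion '<fixed version>'
```

A host reported as RebootPending is still running the old binaries, so it should be counted as unpatched until it has been restarted and re-checked.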


