RE: RPC Scan Issues

From: Cosentino, Guilherme V. (Guilherme.Cosentino_at_alcoa.com.br)
Date: 10/14/03

  • Next message: Marc Fossi: "Article Announcement: CCIA Report is Bad Medicine" 
    To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Tue, 14 Oct 2003 17:07:13 -0300

    What I've seen about MS scanner is that it reports as unpatched every
    machine that had installed the patch, but was not restarted. At this moment
    (before the restart), if you look to those boxes, you'll see the registry
    key, the uninstall directory, but not the correct versions of files. If all
    your computers was rebooted after the patch aplication, you shouldn't
    receive false positives.
    Retina seems not look to those files and their creation dates, telling that
    non-rebooted machines are patched.

    -----Original Message-----
    From: Thaddeus McNamara [mailto:tk@coast-radio.com]
    Sent: Tuesday, 14 de October de 2003 4:26 PM
    To: 'larobins@bellatlantic.net'; 'focus-ms@securityfocus.com'
    Subject: RE: RPC Scan Issues

    First, let me say thank you for the quick response, Laura. Secondly, my
    S.O.P. on firewall security is EVERYTHING is blocked unless I MUST have it
    open...25, 80, and Citrix (1494). I even have a few blocked going out for
    SoBig and Port 5000.

    I see from your earlier responses to Win2k Hardening that we all need to do
    the basics and wait for a new patch. I guess my next concern is, should we
    take the time to follow the "workarounds" listed in MS03-039? -->
    (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security
    /bulletin/ms03-039.asp). Then follow up with patch verification on every
    machine? (I guess we should be doing that at the time we install the patch,
    huh?) Or should we just rely on our firewalls and the knowledge we have
    already patched (almost) everything?

    Looking to spend my time wisely...
    Thadd

    -----Original Message-----
    From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    Sent: Tuesday, October 14, 2003 10:48 AM
    To: 'Thaddeus McNamara'; focus-ms@securityfocus.com
    Subject: RE: RPC Scan Issues

    > After reading there's yet another RPC exploit code in the
    > wild, I double checked my LANs with both the MS DCOM scanner
    > (KB824146Scan) and the Retina RPC DCOM scanner and got very
    > different results. A few of the machines I know are NOT
    > patched and others are Fully patched.
    >
    > 1. Is it possible they aren't patched properly?

    Yes. It's also possible that you are getting false positives.

    > 2. Should I be getting such different results?

    Ideally, no. Realistically, it happens.

    > 3. Should I or can I turn off RPC?

    No.

    > 4. Will the firewall be enough?

    No, but that doesn't mean you shouldn't configure it to block incoming
    traffic on appropriate ports.

    Laura

    ---------------------------------------------------------------------------
    Visual & Easy-to-use are not words that you think of when talking about
    network analyzers. Need to share problem information with colleagues that
    do not read packets?

    Download ClearSight Networks Analyzer and see a new network analysis tool
    that makes the complex - easy
    http://www.securityfocus.com/sponsor/ClearSightNetworks_focus-ms_031006
    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Visual & Easy-to-use are not words that you think of when talking about
    network analyzers. Need to share problem information with colleagues that
    do not read packets?

    Download ClearSight Networks Analyzer and see a new network analysis tool
    that makes the complex - easy
    http://www.securityfocus.com/sponsor/ClearSightNetworks_focus-ms_031006
    ---------------------------------------------------------------------------

  • Next message: Marc Fossi: "Article Announcement: CCIA Report is Bad Medicine"

    Relevant Pages

    • RE: RPC Scan Issues
      ... The MS scanner is so inaccurate as to be useless. ... You may find systems that had the patch installed through windowsupdate, ... You cannot turn off RPC and expect a Windows system to work. ... network analyzers. ...
      (Focus-Microsoft)
    • RE: MSBLASTER Infecting despite 03-026 patch?
      ... I have been using the Retina DCOM scanner and it is ... but I found a workstation that had the ... > IIS vulnerabilities ... > scanning for the patch ...
      (Incidents)
    • Re: KB917537 Failing
      ... it's tested..but given that they cannot even with external testers test for ALL third party crap... ... It's pretty pathetic to have to restart the server a couple of times every month at update time while the 'nix people are laughing at us. ... The "hot patching" alternative that requires writing down the patch numbers and typing in an arcane command line is, shall we say, amateurish. ... To add insult to injury, if you hit the "Restart" button in the patch success dialog box rather than clicking "Later" and doing the restart manually, it fails to make the appropriate entry in the system log to document the reason for shutdown. ...
      (microsoft.public.windows.server.sbs)
    • Trojan.Win32.KillFiles.nu
      ... I downloaded a patch from HP for a fix for HP ... Kaspersky online scanner. ... When I went to install the patch Active Virus Shield popped an alert ...
      (alt.comp.anti-virus)
    • Re: [PATCH] fix for futex_wait signal stack corruption
      ... The solution I did to solve this is to allocate a temporary buffer when ... then you cannot restart it. ... New patch on its way. ...
      (Linux-Kernel)