Mailing List Archive: Plugin 18502 false positives (Network check for MS05-027, smb

Plugin 18502 false positives (Network check for MS05-027, smb_kb896422.nasl)

Jun 27, 2005, 12:28 PM

Post #1 of 4 (670 views)

FYI. Plugin 18502 (aka. the Network check for MS05-027, smb_kb896422.nasl)
revision 1.2 has a 100% false positive rate when scanning systems running
Windows Server 2003. We have found this to be the case whilest scanning
200+ Win2K3 systems. In all cases this plugin reports that the Win2K3
systems are "unpatched", even when they are patched. However, the plugin
*does* appear to be 100% accurate when scanning Win2K and WinXP systems. It
just seems to falter with Win2K3.

I'm a bit surprised that no one else has reported this yet.

Regards.

Re: Plugin 18502 false positives (Network check for MS05-027, smb_kb896422.nasl) [ In reply to ]

deraison at nessus

Jun 28, 2005, 6:28 AM

Post #2 of 4 (662 views)

Permalink

On Jun 27, 2005, at 15:28, Apple Maggot wrote:

> FYI. Plugin 18502 (aka. the Network check for MS05-027,
> smb_kb896422.nasl) revision 1.2 has a 100% false positive rate when
> scanning systems running Windows Server 2003. We have found this
> to be the case whilest scanning 200+ Win2K3 systems. In all cases
> this plugin reports that the Win2K3 systems are "unpatched", even
> when they are patched. However, the plugin *does* appear to be
> 100% accurate when scanning Win2K and WinXP systems. It just seems
> to falter with Win2K3.

We've tested the plugin against several Windows 2003 boxes and have
not run into the issue. The patch released by Microsoft includes the
exact same fixes for both XP and Win2003, so having a FP on one side
and not on the other seems quite unlikely.

Make sure that your Windows 2003 system has rebooted since the patch
has been applied. Otherwise send me network traces as well as your
Windows 2003 exact setup for a better diagnosis.

-- Renaud

Re: Plugin 18502 false positives (Network check for MS05-027, smb_kb896422.nasl) [ In reply to ]

dmclean at uab

Jun 28, 2005, 7:11 AM

Post #3 of 4 (647 views)

Permalink

We are also seeing a large number of FPs on W2K3 with SP1and latest
patches installed. I know of one machine that has been reloaded
after the patches were installed. Will an ethereal trace be
sufficient?

On Tue, 28 Jun 2005 09:28:11 -0400
>On Jun 27, 2005, at 15:28, Apple Maggot wrote:
>
>> FYI. Plugin 18502 (aka. the Network check for MS05-027,
>> smb_kb896422.nasl) revision 1.2 has a 100% false positive rate when
>> scanning systems running Windows Server 2003. We have found this
>> to be the case whilest scanning 200+ Win2K3 systems. In all cases
>> this plugin reports that the Win2K3 systems are "unpatched", even
>> when they are patched. However, the plugin *does* appear to be
>> 100% accurate when scanning Win2K and WinXP systems. It just seems
>> to falter with Win2K3.
>
>We've tested the plugin against several Windows 2003 boxes and have
>not run into the issue. The patch released by Microsoft includes the
>exact same fixes for both XP and Win2003, so having a FP on one side
>and not on the other seems quite unlikely.
>
>Make sure that your Windows 2003 system has rebooted since the patch
>has been applied. Otherwise send me network traces as well as your
>Windows 2003 exact setup for a better diagnosis.
>
>
> -- Renaud
>_______________________________________________
>Plugins-writers mailing list
>Plugins-writers@list.nessus.org
>http://mail.nessus.org/mailman/listinfo/plugins-writers

Re: Plugin 18502 false positives (Network check for MS05-027, smb_kb896422.nasl) [ In reply to ]

npouvesle at tenablesecurity

Jun 28, 2005, 7:55 AM

Post #4 of 4 (654 views)

Permalink

On Jun 28, 2005, at 10:11 AM, Douglas McLean wrote:

> We are also seeing a large number of FPs on W2K3 with SP1and latest
> patches installed. I know of one machine that has been reloaded
> after the patches were installed. Will an ethereal trace be
> sufficient?

Ethereal trace + Windows 2003 system description (enterprise,
standard ?) + version of file C:\WINDOWS\system32\drivers\srv.sys .

Thanks,

Nicolas

PS: you can send this information in private if you want.