[unisog] Disabling DCOM and vulnerability scans
sbernard at gmu.edu
Mon Aug 4 18:00:32 GMT 2003
The RPC check in Eeye's Retina product seems to work correctly. I was
experiencing exactly what Russell has described when using the other
tools, but Retina 4.9.109 doesn't show the same issue. The most recent
newsletter from Eeye states that they released an updated scanner
shortly after exploit code was published on the Internet.
Russell Fulton wrote:
> I've copied this note to unisog and others -- primary target is UoA's
> computer support community....
> Hi All,
> We have established that turning off DCOM via dcomcfg.exe, while
> presumably protecting the machine from being compromised, confuses the
> vulnerability scanners and such systems show up as vulnerable. This is
> true even if the machine has actually been patched.
> I'm guessing that this is because the scanners are looking for some
> specific response to their probe and are not getting it because the
> services are turned off.
> What would be most useful would be if the scanner showed these machines
> in a separate category, say 'disabled', not as vulnerable.
> So far I've tested this with the Eeye, ISS and nessus.
> So if systems that you have disabled DCOM on come up as vulnerable on my
> lists don't get too excited (just double check that dcom really is
> turned off).
> Cheers, Russell.