[unisog] Disabling DCOM and vulnerability scans

Steve Bernard sbernard at gmu.edu
Mon Aug 4 18:00:32 GMT 2003


The RPC check in Eeye's Retina product seems to work correctly. I was 
experiencing exactly what Russell has described when using the other 
tools, but Retina 4.9.109 doesn't show the same issue. The most recent 
newsletter from Eeye states that they released an updated scanner 
shortly after exploit code was published on the Internet.


Regards,

Steve



Russell Fulton wrote:

> I've copied this note to unisog and others -- primary target is UoA's
> computer support community....
> 
> Hi All,
> 	We have established that turning off DCOM via dcomcfg.exe, while
> presumably protecting the machine from being compromised, confuses the
> vulnerability scanners and such systems show up as vulnerable. This is
> true even if the machine has actually been patched.
> 
> I'm guessing that this is because the scanners are looking for some
> specific response to their probe and are not getting it because the
> services are turned off. 
> 
> What would be most useful would be if the scanner showed these machines
> in a separate category, say 'disabled', not as vulnerable.
> 
> So far I've tested this with the Eeye, ISS and nessus.
> 
> So if systems that you have disabled DCOM on come up as vulnerable on my
> lists don't get too excited (just double check that dcom really is
> turned off).
> 
> Cheers, Russell.
