[unisog] Disabling DCOM and vulnerability scans

Steve Bernard sbernard at gmu.edu
Mon Aug 4 23:16:02 GMT 2003

I've also found that, when using Eeye's Retina, I get a false positive for
the RPC vulnerability if I have Administrator privileges on the box being
scanned, even though the RPC patch has been installed and remote DCOM is
disabled. This is true for NT 4.0 Server with Service Pack 6 and all
hotfixes, using Retina 4.9.109.


-----Original Message-----
From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
Sent: Sunday, August 03, 2003 8:08 PM
To: computer-support at mailhost.auckland.ac.nz
Cc: unisog at sans.org
Subject: [unisog] Disabling DCOM and vulnerability scans

I've copied this note to unisog and others -- primary target is UoA's
computer support community....

Hi All,
	We have established that turning of DCOM via dcomcfg.exe, while
presumably protecting the machine from being compromised, confuses the
vulnerability scanners and such systems show up as vulnerable. This is
true even if the machine has actually been patched.

I'm guessing that this is because the scanners are looking for some
specific response to their probe and are not getting it because the
services are turned off.

What would be most useful would be if the scanner showed these machines
in a separate category, say 'disabled', not as vulnerable.

So far I've tested this with the Eeye, ISS and nessus.

So if systems that you have disabled DCOM on some up as vulnerable on my
lists don't get too excited (just double check that dcom really is
turned off).

Cheers, Russell.
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

More information about the unisog mailing list