[unisog] Possible fales positives for MS04-007

Chris Russel russel at yorku.ca
Wed Mar 3 23:05:27 GMT 2004

On Tue, 2 Mar 2004, Matt Crawford wrote:

> On Mar 1, 2004, at 10:34 PM, Russell Fulton wrote:
> > We are getting some apparent false +ves from both Nessus and 007scan.
> > Both say boxes are vulnerable but admins swear they are patched.  In at
> > least one case it turned out the admin was patching the wrong box but I
> > have asked them all to check this and make quite sure of the IP of the
> > box they are working on. Numbers are low -- 3 or 4 machines out of
> > several thousand machines and I am inclined to lay it to human error,
> > but...
> >
> > Anyone else seeing this?
> We nearly had a head-butting festival with one department over this,
> but it turned out that for some class Windows systems, the patch is not
> functional until you have rebooted the system *twice*.  This conclusion
> has been well-tested here.

That's interesting.  I've had two instances where the machine was
supposedly patched - one got updated by SUS in between my scanning and
someone checking the machine (later scans showed it as patched), the other
had been patched and rebooted, and after a second reboot showed as
patched.  Since this only happened once that I know of out of a few
thousand systems I didn't pay it much heed.

Chris Russel
Manager, CNS Information Security
York University, Toronto, Canada
russel at yorku.ca

More information about the unisog mailing list