List: nessus-plugins-writers
Subject: [Plugins-writers] Improving local checks
From: PaJohnston () HBOSplc ! com
Date: 2006-03-27 13:47:54
Message-ID: 20060327135559.C7FE61361E () mail ! nessus ! org
Hi,
I've just run Nessus and Security Expressions against a bunch of Windows machines and done some analysis on the results. I was only interested in the Windows local checks. On the whole, Nessus had better coverage, e.g. finding Flash Player flaws. However, SE wins when it comes to identifying missing Windows patches.
The main reason for this is that Nessus does not understand that some patches supersede others. I think I have mentioned this here before. I have an idea for fixing this, and I'd suggest starting with the recent cumulative IE patches (MS06-004, MS05-054, MS05-052, MS05-038, MS05-025 and MS05-020). Unfortunately I don't have time to implement and test this. The plan is: make plugins dependent on any plugins that supersede them (e.g. MS05-054 becomes dependent on MS06-004). This means removing some dependencies already listed, but I don't think that will cause a problem. Make plugins set a kb value if the patch is present (e.g. SMB/Hotfix/MS06-004). It seems some plugins do this already, but not all of them. Finally, add to the beginning of the plugin a check to see if the superseding patch is present. If it is, set the kb value to say the current patch is present, to support chains of superseded patches.
For MS04-044, Nessus failed to report this, because it looks at "Ntkrnlmp.exe" instead of "NToskrnl.exe". The box in question is a single processor system.
Another issue appeared for MS05-044, on a W2k box with IE6, but not IE-SP1. SE doesn't report it, as the patch is marked as affecting IE-SP1 only. Nessus does report it. I'm really not sure who's right here.
Also, local checks failed for two systems, without any apparent reason. I know the credentials are correct, and SE worked correctly. Unfortunately I didn't notice the failure until my testing window had passed.
Anyway, I hope sharing these results is useful to you.
Best wishes,
Paul
--
Paul Johnston
Technical Specialist Support Services
Group Information and IT Risk
HBOS Plc
PAJohnston@HBOSplc.com
Desk: 0113-235-3071 (7581-53071)
Mobile: 07766-740756
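
The supersedence plan in the message above, modelled in Python as an added example (not part of the original post and not Nessus plugin code). It assumes the six IE bulletins form one newest-to-oldest chain in the order the message lists them; `scan`, `naive_scan` and the `installed` set (a stand-in for each plugin's own file or registry check) are hypothetical names.

```python
# Constructed model of the proposal: each plugin runs after the plugin that
# supersedes it, consults the knowledge base (KB), and propagates coverage.
# Assumption: the bulletins named in the message form a single chain,
# newest first, where each entry directly supersedes the next one.
IE_CHAIN = ["MS06-004", "MS05-054", "MS05-052",
            "MS05-038", "MS05-025", "MS05-020"]
KB_PREFIX = "SMB/Hotfix/"  # KB key format quoted in the message


def superseded_by(chain):
    """Map each bulletin to the bulletin that directly supersedes it."""
    return {old: new for new, old in zip(chain, chain[1:])}


def naive_scan(installed, chain=IE_CHAIN):
    """Behaviour the message complains about: no notion of supersedence."""
    return [b for b in chain if b not in installed]


def scan(installed, chain=IE_CHAIN):
    """Chain-aware scan. Returns (missing bulletins, resulting KB)."""
    kb, missing = {}, []
    parent = superseded_by(chain)
    # Iterating newest-first stands in for the dependency ordering:
    # a superseding plugin always finishes before the one it supersedes.
    for bulletin in chain:
        newer = parent.get(bulletin)
        if newer and kb.get(KB_PREFIX + newer):
            # Superseding patch is present: mark this one present too,
            # so the next plugin down the chain sees it.
            kb[KB_PREFIX + bulletin] = True
        elif bulletin in installed:
            kb[KB_PREFIX + bulletin] = True
        else:
            missing.append(bulletin)
    return missing, kb


if __name__ == "__main__":
    for host in ({"MS06-004"}, {"MS05-052"}, set()):
        print(sorted(host), "naive:", naive_scan(host),
              "chain-aware:", scan(host)[0])
```

A host with only the newest cumulative patch produces five findings under the naive scan and none under the chain-aware one, while a host patched only to MS05-052 is still reported as missing the two newer bulletins.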