I think those objecting are completely overreacting from a basis of
ignorance.  This plugin DOES NOT remove the virus, it merely disables the
listening port through a thorough determination process.  This is an
excellent, non-destructive method for verifying with nearly 100% accuracy
that a system is infected with Bagle.

Does nobody here remember that other scanners have historically leveraged
similar behaviour?  My previous favorite scanner, CyberCop (peaked in the
90s before getting dumped by NAI), always required the person running the
tool to manually review target systems to see if various files had been
created in places like /tmp by the successful execution of exploit code. 
This is certainly much more disconcerting than sending a single word to an
open port, and I don't recall anybody getting all bent out of shape over
it at that time.

Bottom line here: this is a non-destructive test, it improves the
reliability of results, and it has a positive side-effect in stopping a
worm from self-propagating.  No claim of full cleaning has been made. 
This does not break with precedent historically among other scanners. 
This is not unethical behaviour.  Etc., etc., etc.

What don't you objectors understand?

> On Thu, Jan 22, 2004 at 12:25:56PM +0100, Marc Croteau wrote:
>> Nessus is a *scanner*. I use it regularly when performing vulnerability
>> assessment for various customers. If it now starts to modify things as
>> it runs
>
> It does not /start to modify things/, it just disables _a_ virus and lets
> you know that you should have a look at the remote host. The plugin is
> also marked as being DESTRUCTIVE, ie: it will only run if safe checks are
> disabled. Other plugins, when run in non safe checks, will have the side
> effect of disabling other services, like nfsd or more, which might be
> critical for a production server.
>
> It's not like the command is dangerous either - ie: we're not sending a
> find -name *.pif -exec rm {} \; to the remote host, we just tell the
> virus to stop spreading.
>
> What is your real concern? Do you think that there are production servers
> out there which won't work properly without having beagle running?
>
>
>
>                               -- Renaud
> _______________________________________________
> Nessus mailing list
> [EMAIL PROTECTED]
> http://mail.nessus.org/mailman/listinfo/nessus
>
