I haven't been reading every one of these messages, but why not make it an option in the bagle plugin to either remove, or just detect (set to detect by default)? Then everyone will be happy and we can all stop bickering :)
YEAH!

vjl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin R. Northcraft
Sent: Friday, January 23, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: Bagle remover + Nessus 2.2

Here goes.... I fall on the line here. I see a great importance to a sys admin to have a scanning tool that can detect vulnerabilities and also have the potential to "disable" or "remove" malware. Although from my line of work this can cause many problems. My main job priority is to perform vulnerability assessments, analyze reports and provide constructive feedback to the customer, NOT to fix their network. I work with many Financial Institutions and for many reasons am not able to "change"/"modify" or "fix" their systems (even though at times I would like to). My job is to ***VERIFY*** the existence of vulnerabilities, not try to fix them.

I could argue either way whether the Bagle plug-in does or doesn't modify the system, though from either standpoint it does "tamper" with known malware, as compared to other "dangerous" plug-ins that just "verify" the existence of a vulnerability. If the Bagle plug-in is going to fall under the "dangerous" category then I have problems. I perform many assessments against Novell systems and there are several plug-ins related to Novell falling under that category, thus making my job much more difficult. I now would have to go in and uncheck the Bagle plug-in every time I run a scan; not so bad when it's one plug-in and I'm sitting in front of my scanning machine, but what about all the systems I have automated, and how many other plug-ins in the next year??????????????

I also provide consulting to clients and help them "fix" and manage their networks. This type of plug-in is extremely helpful here; it could potentially save me hours upon hours of work, which with my busy schedule I wouldn't mind. I would encourage "nessus" to continue these types of plug-ins but keep them in their own category.

Here is my question: How hard is it to create another category and have two plug-ins, one to verify the existence and another that can try to "remove"/"disable" it? If "nessus" wants to continue to create these types of plug-ins in the "dangerous" category I may be forced to look at other solutions; I am not solely in the business of fixing problems. And quite frankly I prefer Nessus over any other vulnerability scanner. I have used most of them and have found that Nessus has provided more reliable output in detecting vulnerabilities with less work on my end. Not to mention the quick turnaround of plug-in updates; other vulnerability scanners can take several weeks, which is sometimes too long.

My $0.02

Justin Northcraft, GSEC, CNA
Systems Consultant
Clifton Gunderson Technology Solutions
7670 E. Broadway Suite 308
Tucson, Arizona 85710
Office: 520.290.8870
Cell: 520.991.6910
HTTP://www.CliftonTechnology.com

________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Croteau
Sent: Thursday, January 22, 2004 4:26 AM
To: Renaud Deraison
Cc: [EMAIL PROTECTED]
Subject: Re: Bagle remover + Nessus 2.2

I would prefer the second solution. Nessus is a *scanner*. I use it regularly when performing vulnerability assessments for various customers. If it now starts to modify things as it runs, I will have to find another tool. The purpose of a scanner is to scan, not interfere.

To answer Renaud's question about the Nessus 2.2 client, I'd prefer if it stayed compatible with GTK 1.2. I recently tried to install GTK 2 and got into all sorts of issues. There are tons of things to install before you can get anywhere (png, jpeg, tiff, pango, ...). I just installed QT3 because it is required to compile the 2.6 kernel with make xconfig. I don't know yet what it's worth, but it took a while to compile, seems to take quite a bit of disk space, and it also seems to be a product you need to pay for. Are there any other alternatives?

--
Marc
----- Remove the dots to answer or reply to group

Renaud Deraison wrote:

On Wed, Jan 21, 2004 at 05:03:11PM -0500, Thomas Reinke wrote:
> The recent bagle_remover.nasl script sets a somewhat dangerous precedent, IMHO, of crossing the line from vulnerability detection to remediation. Not to mention that you are trusting the bagle remover script to do its own removal cleanly. There are a number of reasons why this is bad, not the least of which is that I personally would not trust a virus to remove itself cleanly to begin with. It is, by definition, after all, untrusted code.

I raised the description level to security hole, and put the script in the DANGEROUS family. However, I don't really see what the issue is - the remote host is infected by a virus which has a backdoor listening on it. You have the choice of either:
- Disabling that virus and notifying the owner of the machine, or
- Notifying the owner and letting the virus spread itself

-- Renaud

_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
