On Fri, Jan 23, 2004 at 01:06:16PM -0500, larosa, vjay wrote:
> I haven't been reading every one of these messages, but why not make it an
> option in the bagle plugin to either remove, or just detect (set to detect
> by default)? Then everyone will be happy and we can all stop bickering :) 

Detection implies removal. This is what generated the plugin and started
the thread. Send me a good way to detect the virus (other than "port
6777 is open!! YOU'VE GOT A VIRUS"), and I'll cheerfully integrate it.

Seems like it's way more important to keep a virus and let it spread rather
than being a good netizen and stop it _and_ ask the admin to clean up the
box. Just because _eventually_ and _maybe_ stopping the virus could
cause great harm - at least in a parallel dimension. Needless to say,
the main job of the virus being to spread itself, any inaction results
in more copies getting out, but that's perfectly OK because it affects
other people's network.

Just to sum some things up :

- Nessus is not entering in the virus removal business. Once
  again, positive detection of this virus implies its removal,
  so it's a special case. I consider this side effect to not be
  a bad thing which is why I decided to publish this plugin.

- So no, there won't be a new plugin family (ACT_REMOVE_BAGLE
  nor ACT_REMOVE_STUFF)

- You are perfectly free to delete bagle_removal.nasl from your
  disk before starting nessusd 

- This plugin is disabled when safe checks are not set

- It's true that another version of bagle (or any virus) could decide
  to wipe your hard drive and kill your first born child when it
  receives the magical request we use to detect bagle. As it has been
  said repeatedly, the same could be said of any request which is
  sent to any listening port, so that's not really an argument

- If indeed fate proves me wrong (which is likely to happen now, given
  my luck) then of course the plugin will be updated ASAP. Yes it
  implies that you run nessus-update-plugins but you should do that
  before every scan anyway.


Of course, not everyone will be happy, because not everyone has the
same agenda :

- The person who started this thread is an ASP/MSSP, so _of course_ he does
not want to fix things because he has no authority to do so. 

- OTOH, one network admin sent me an email telling that in his 24x7 
environment, this plugin was welcome as the virus policy is usually 
scan -> detect -> disconnect the box until cleaned, whereas now it is 
scan -> detect -> stop bagle -> notify the admin (ie: no downtime).


Obviously this won't conclude this thread because someone who knows
better will come down and teach us that a variant will happen soon, and
maybe someone else on this list will proudly come up with a proof of
concept which will probably force me to disable the plugin for good.


                                -- Renaud
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus
