Just as a heads up guys... I just got back from Japan and have been going
through the Retina Nimda scanner with the guys here and we're cleaning it up
to make it MUCH more accurate (i.e. fewer false positives) and we should have
a new version out today. The documentation will more clearly explain the
results, which was where some got confused.

Sorry for the inconvenience.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]]On Behalf Of Christian Kuhtz
| Sent: Sunday, September 23, 2001 5:13 PM
| To: Andrew Calo
| Cc: info; [EMAIL PROTECTED]; [EMAIL PROTECTED]
| Subject: Re: New Version of Retina Nimba Scanner
|
|
|
| This is no different than eEye's CodeRed scanner which didn't give you a
| trustworthy indication whether CodeRedII was actually present.  It would
| recognize the cmd.exe backdoor and whine about CR2 being present, which
| wasn't necessarily true at all (various other exploits created the same
| backdoors).
|
| Given the difficulty in detecting an infection with high confidence, more
| accurate reporting would go a long ways to improving the credibility of
| these scan tools.
|
| Andrew Calo wrote:
| >
| > This scanner reports many boxes that aren't infected as infected.
| > Terribly deceiving.
| >
| > At 05:31 PM 9/20/2001 -0700, info wrote:
| > >A new version of Nimda Scanner has just been posted to the eEye web site
| > >that will also detect open shares on systems which is a common trait of
| > >an infection.
| > >
| > >http://www.eeye.com/html/Research/Tools/nimda.html
| > >
| > >Signed,
| > >eEye Digital Security
| > >T.949.349.9062
| > >F.949.349.9538
|
