I am not trying to be weird here, but all any scanner can do is check to see if the 
known things about the virus are true.  I want to know if a backdoor is there.  I 
don't care if it was Nimda or CDII that put it there or even if it was something else.

First, these worms change all the time, so if you look for a CMD.EXE that is X bytes 
big and this date, they change it and all of a sudden your scanner says you are 
clean.  Second, many times when these scanners are put together, VERY little is known. 
It may do X, Y, and Z, but maybe we only knew about X when it was released.  Third, 
many times the scanners are built from a "surely no admin with a brain would do this" 
perspective.  In other words, you may have a root share with Guest privileges, but 
"surely no admin with a brain would do this" so the scanner will think that this MUST 
be a worm.  I had 2 boxes out of 73 that had false info on them and they were both 
because the person that had set these up had put a root share with guest access on 
there.  Was the scanner wrong?  Yeah.  Was I an idiot for having the box set up that 
way?  Yeah.  Am I glad I found it?  Yeah.

There is no way to keep a FREE scanner up-to-date and EXACTLY right for all instances. 
I would MUCH rather have 2 false positives than 2 false negatives.  The scanner 
basically says, "either the worm has hit you or a moron set up your box and did X".  In 
my case the moron part applied, but I needed to find it anyway.

JayW
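The post above argues for checking whether the backdoor condition exists rather than matching a worm's fingerprint (a CMD.EXE of a given size and date). As an added example that is not from this thread or from any eEye tool, the check below finds copies of a canonical binary by content hash, ignoring file name, size and timestamps; the directory tree it scans is constructed inline and the file contents are stand-ins, not a real cmd.exe.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_relocated_copies(canonical, search_roots, allowed_dirs):
    """Return paths of files byte-identical to `canonical` that live outside
    `allowed_dirs`. Name, size and timestamps are deliberately not consulted:
    a copy renamed to root.exe or re-stamped still matches, while a legitimate
    cmd.exe replaced by a patched build is found by rehashing the canonical file."""
    target = sha256_of(canonical)
    allowed = {Path(d).resolve() for d in allowed_dirs}
    hits = []
    for root in search_roots:
        for dirpath, _, filenames in os.walk(root):
            d = Path(dirpath).resolve()
            if any(d == a or a in d.parents for a in allowed):
                continue
            for name in filenames:
                try:
                    if sha256_of(d / name) == target:
                        hits.append(str(d / name))
                except OSError:
                    continue
    return sorted(hits)


def demo():
    """Constructed sample tree standing in for a web server's disk (hypothetical)."""
    base = Path(tempfile.mkdtemp())
    sys32 = base / "winnt" / "system32"
    scripts = base / "inetpub" / "scripts"
    sys32.mkdir(parents=True)
    scripts.mkdir(parents=True)
    fake_cmd = b"MZ stand-in for cmd.exe (constructed, not the real binary)"
    (sys32 / "cmd.exe").write_bytes(fake_cmd)
    (scripts / "root.exe").write_bytes(fake_cmd)       # relocated, renamed copy
    (scripts / "upload.asp").write_bytes(b"<% %>")      # unrelated file, not flagged
    hits = find_relocated_copies(sys32 / "cmd.exe", [base], [sys32])
    return [Path(h).name for h in hits]
```

The finding says only that a copy of the shell sits where it should not, which is the condition the post cares about; which worm or person put it there is a separate question.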

>>> Christian Kuhtz <[EMAIL PROTECTED]> 09/23/01 07:13PM >>>

This is no different than eEye's CodeRed scanner which didn't give you a
trustworthy indication whether CodeRedII was actually present.  It would
recognize the cmd.exe backdoor and whine about CR2 being present, which wasn't
necessarily true at all (various other exploits created the same backdoors).

Given the difficulty in detecting an infection with high confidence, more
accurate reporting would go a long way to improving the credibility of these
scan tools.

Andrew Calo wrote:
> 
> This scanner reports many boxes that aren't infected as infected. Terribly
> deceiving.
> 
> At 05:31 PM 9/20/2001 -0700, info wrote:
> >A new version of Nimda Scanner has just been posted to the eEye web site
> >that will also detect open shares on systems which is a common trait of an
> >infection.
> >
> >http://www.eeye.com/html/Research/Tools/nimda.html 
> >
> >Signed,
> >eEye Digital Security
> >T.949.349.9062
> >F.949.349.9538
