RE: FALSE POSITIVE

To:	"Nicolas Pouvesle" <npouvesle@tenablesecurity.com>, "nessus" <nessus@list.nessus.org>
Subject:	RE: FALSE POSITIVE
From:	"John Scherff" <JScherff@24hourfit.com>
Date:	Mon, 4 Jun 2007 10:36:40 -0700
Cc:	Rob Slayden <rslayden@24hourfit.com>
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	nessus-list1@securepoint.com
Delivered-to:	nessus@list.nessus.org
In-reply-to:	<620332AE-369C-4255-ACBA-11FD77F6D07B@tenablesecurity.com>
List-archive:	<http://mail.nessus.org/pipermail/nessus>
List-help:	<mailto:nessus-request@list.nessus.org?subject=help>
List-id:	Discussion of Nessus software <nessus.list.nessus.org>
List-post:	<mailto:nessus@list.nessus.org>
List-subscribe:	<http://mail.nessus.org/mailman/listinfo/nessus>, <mailto:nessus-request@list.nessus.org?subject=subscribe>
List-unsubscribe:	<http://mail.nessus.org/mailman/listinfo/nessus>, <mailto:nessus-request@list.nessus.org?subject=unsubscribe>
References:	<169658C0C845EC438759DB8B8BC706540A0D9080@NOC-EXCH1.24hourfit.com> <620332AE-369C-4255-ACBA-11FD77F6D07B@tenablesecurity.com>
Sender:	nessus-bounces@list.nessus.org
Thread-index:	AcemwHE6S86JWoFETi6ZvANpo1IdRwADJqlg
Thread-topic:	FALSE POSITIVE

Nicolas,

The file is at 2.0.0.3 - a vulnerable version.  Very strange. I
double-checked with MBSA 2.0.1 and it doesn't find any problems, either.
Let me dig a little deeper.  

John

-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Nicolas Pouvesle
Sent: Monday, June 04, 2007 8:52 AM
To: nessus
Subject: Re: FALSE POSITIVE

On Jun 4, 2007, at 5:10 PM, John Scherff wrote:

> Plugin 25167 appears to be producing false-positives.  This plugin is 
> in the "Windows : Microsoft Bulletins" family and tests for
> MS07-028 (flaw in CAPICOM).
>
> The scan was run against a freshly-installed, fully-patched Windows
> 2003 R2 server with Citrix Presentation Server 4.5 installed.
>

Could you check the default value in the following registry key ?

value = SOFTWARE\Classes\CAPICOM.Certificates\CLSID

Then get the path in :

"SOFTWARE\Classes\CLSID\"+value+"\InprocServer32"

and finally check the version of the file pointed by the previous
registry key. If this version is smaller than 2.1.0.2 then your server
is vulnerable (it is possible to access this activex).

Nicolas
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

<Prev in Thread]	Current Thread	[Next in Thread>
FALSE POSITIVE, John Scherff Re: FALSE POSITIVE, Nicolas Pouvesle RE: FALSE POSITIVE, John Scherff <= RE: FALSE POSITIVE, John Scherff Re: FALSE POSITIVE, Nicolas Pouvesle RE: FALSE POSITIVE, John Scherff

Previous by Date:	RE: Portscan issue on 2.2.9, Pete Duffin
Next by Date:	Re: no rating of finding ms-sql-s has account sa with password sa, George A. Theall
Previous by Thread:	Re: FALSE POSITIVE, Nicolas Pouvesle
Next by Thread:	RE: FALSE POSITIVE, John Scherff
Indexes:	[Date] [Thread] [Top] [All Lists]