
| Subject: | RE: Does anyone else run Altiris on their network and use Nessus? |
|---|---|
| Date: | Mon, 12 Nov 2007 16:46:38 -0600 |
-----Original Message-----
From: Ron Gula [mailto:rgula@tenablesecurity.com]
Sent: Monday, November 12, 2007 4:01 PM
To: Olson, John (CTECH)
Cc: nessus@list.nessus.org
Subject: Re: Does anyone else run Altiris on their network and use Nessus?
Hi John,
I'm curious what problem you are trying to solve by performing a scan with Nessus. Is it general scanning, new host discovery, vulnerability enumeration, patch auditing, etc., etc.?
All of the above I'm afraid. We need to perform regular discovery scans of our user segments and check for vulnerabilities on a variety of platforms (Windows, MAC, etc.). I agree a bunch of Passive Vulnerability Scanners would be very nice, but no budget I'm afraid. A periodic scan to detect what open ports may exist is necessary, or I would simply scan smaller port ranges and "hope" I don't hit the port currently used by Altiris. Once we have regular scanning of the user segments resolved, then I also need to begin regular scanning of our many servers (from the inside and preferably credentialed) for vulnerabilities, missing patches, etc. I stated earlier that I discovered this problem 2 years ago, and I waited until now to start up the internal scanning project again due to Client security requirements, thinking Altiris might have fixed the problem by now (I was wrong). (Portions deleted for brevity)
I'm also a bit suspect about the impact of scanning. It sounds like scanning can cause an issue with the client, but I would imagine your users' (or servers') normal web serving, network activity, patch updates and so on also are causing these open connections.
Only a "non-Altiris" device (nessus, nmap, etc.) attempting to connect (or SYN scan) the port used by this particular application appears to cause this error condition. When used as intended (to deploy software, remotely view what the user sees, or take control of their PC, etc.) Altiris works just fine. We do not receive any complaints about workstation "lockup" or I would suspect the same as you describe above. I am testing on a very limited number of computers right now, and they all exhibit the same problems when the scans occur. If I scan only ports below 1024, there is no problem. The error appears to be contained entirely within this one client service. It goes into some sort of looping condition, spawning additional "Listeners" as it goes. And none of these new "Listeners" close or time out before the client becomes excessively sluggish. It is VERY weird. If I disable the Altiris client service and perform the scan, there is no apparent impact to the computer being scanned at all.
I think the shutdown idea is an interesting idea, but could be complex to implement on a network, especially if it is required to be operational for your IT group.
Agreed. I cannot take away this functionality from our Helpdesk personnel. It would have too great an impact on them and the end users.
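
Added example (not part of the original message or of any Nessus or Altiris tooling): one way to confirm the listener growth described above is to capture `netstat -ano` on a test workstation before and after a scan and compare the LISTENING sockets per PID. The snapshots, PIDs and port numbers below are constructed, and PID 1500 is assumed to stand for the client service under test.

```python
import re

# Constructed `netstat -ano` excerpts (Windows layout); all values are made up.
BEFORE = """\
  TCP    0.0.0.0:135      0.0.0.0:0      LISTENING       912
  TCP    0.0.0.0:445      0.0.0.0:0      LISTENING       4
  TCP    0.0.0.0:50123    0.0.0.0:0      LISTENING       1500
  TCP    10.0.0.5:1040    10.0.0.9:80    ESTABLISHED     2200
"""
AFTER = """\
  TCP    0.0.0.0:135      0.0.0.0:0      LISTENING       912
  TCP    0.0.0.0:139      0.0.0.0:0      LISTENING       4
  TCP    0.0.0.0:445      0.0.0.0:0      LISTENING       4
  TCP    0.0.0.0:50123    0.0.0.0:0      LISTENING       1500
  TCP    0.0.0.0:50124    0.0.0.0:0      LISTENING       1500
  TCP    0.0.0.0:50125    0.0.0.0:0      LISTENING       1500
  TCP    0.0.0.0:50126    0.0.0.0:0      LISTENING       1500
  TCP    0.0.0.0:50127    0.0.0.0:0      LISTENING       1500
"""

# Local address:port, any foreign address, LISTENING state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def listeners_by_pid(netstat_text):
    """Map PID -> set of (local_addr, port) sockets in LISTENING state."""
    result = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
            result.setdefault(pid, set()).add((addr, port))
    return result

def listener_growth(before_text, after_text, min_new=3):
    """Return {pid: [new ports]} for PIDs that gained >= min_new listeners."""
    before = listeners_by_pid(before_text)
    after = listeners_by_pid(after_text)
    report = {}
    for pid, socks in after.items():
        new = socks - before.get(pid, set())
        if len(new) >= min_new:  # one new listener is normal churn, many is not
            report[pid] = sorted(port for _, port in new)
    return report

if __name__ == "__main__":
    for pid, ports in listener_growth(BEFORE, AFTER).items():
        print(f"PID {pid} opened {len(ports)} new listeners: {ports}")
```

Repeating the capture with the client service disabled gives the control case the message describes, where the scan has no visible effect.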