Thread: Improving local checks




2006-03-27 13:47:54
Hi,

I've just run Nessus and Security Expressions against a
bunch of Windows machines and done some analysis on the
results. I was only interested in the Windows local checks.
On the whole, Nessus had better coverage, e.g. finding Flash
Player flaws. However, SE wins when it comes to identifying
missing Windows patches. 

The main reason for this is that Nessus does not understand
that some patches supersede others. I think I have mentioned
this here before. I have an idea for fixing this, and I'd
suggest starting with the recent cumulative IE patches
(MS06-004, MS05-054, MS05-052, MS05-038, MS05-025 and
MS05-020). Unfortunately I don't have time to implement and
test this. The plan is: make plugins dependent on any
plugins that supersede them (e.g. MS05-054 becomes dependent
on MS06-004). This means removing some dependencies already
listed, but I don't think that will cause a problem. Make
plugins set a kb value if the patch is present (e.g.
SMB/Hotfix/MS06-004). It seems some plugins do this already,
but not all of them. Finally, add to the beginning of the
plugin a check to see if the superseded patch is present. If
it is, set the kb value to say the current patch is present,
to support chains of superseded patches.

For MS04-044, Nessus failed to report this, because it looks
at "Ntkrnlmp.exe" instead of
"NToskrnl.exe". The box in question is a single
processor system.

Another issue appeared for MS05-044, on a W2k box with IE6,
but not IE-SP1. SE doesn't report it, as the patch is
marked as affecting IE-SP1 only. Nessus does report it. I'm
really not sure who's right here.

Also, local checks failed for two systems, without any
apparent reason. I know the credentials are correct, and SE
worked correctly. Unfortunately I didn't notice the failure
until my testing window had passed.

Anyway, I hope sharing these results is useful to you.

Best wishes,

Paul

--
Paul Johnston
Technical Specialist Support Services
Group Information and IT Risk
HBOS Plc

PAJohnstonHBOSplc.com
Desk:   0113-235-3071 (7581-53071)
Mobile: 07766-740756

-- 

------------------------------------------------------------------------------
HBOS plc, Registered in Scotland No. SC218813. Registered
Office: The Mound, Edinburgh EH1 1YZ. HBOS plc is a holding
company, subsidiaries of which are authorised and regulated
by the Financial Services Authority.
==============================================================================

_______________________________________________
Plugins-writers mailing list
Plugins-writerslist.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
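
The supersedence plan from the post, sketched as an added example (not part of the original message and not Nessus plugin code): a Python simulation of the knowledge base and plugin ordering. The linear chain order and the function names are assumptions; the `SMB/Hotfix/` key format comes from the post, and the early check is read here as testing for the newer, superseding patch.

```python
# Added illustration: simulates the KB and dependency ordering; not NASL.
from graphlib import TopologicalSorter

# Assumption: each cumulative IE bulletin named in the post is superseded
# by the next newer one, forming a single linear chain.
SUPERSEDED_BY = {
    "MS05-020": "MS05-025",
    "MS05-025": "MS05-038",
    "MS05-038": "MS05-052",
    "MS05-052": "MS05-054",
    "MS05-054": "MS06-004",
}
BULLETINS = sorted(set(SUPERSEDED_BY) | set(SUPERSEDED_BY.values()))


def kb_key(bulletin):
    return f"SMB/Hotfix/{bulletin}"  # key format taken from the post


def run_plugins(installed):
    """Run one simulated plugin per bulletin against a host.

    installed: bulletins whose own check would pass (constructed input).
    Returns (kb, missing): KB entries set, and bulletins reported missing.
    """
    # Each plugin depends on the plugin for the patch that supersedes it,
    # so the newest bulletin runs first and its KB entry is ready in time.
    deps = {b: {SUPERSEDED_BY[b]} if b in SUPERSEDED_BY else set()
            for b in BULLETINS}
    kb, missing = {}, []
    for bulletin in TopologicalSorter(deps).static_order():
        newer = SUPERSEDED_BY.get(bulletin)
        if newer and kb.get(kb_key(newer)):
            # Covered by a newer patch: mark present so the chain continues.
            kb[kb_key(bulletin)] = True
        elif bulletin in installed:
            kb[kb_key(bulletin)] = True
        else:
            missing.append(bulletin)
    return kb, missing


if __name__ == "__main__":
    # Constructed hosts: one fully current, one stuck at MS05-052.
    for host in ({"MS06-004"}, {"MS05-052"}):
        kb, missing = run_plugins(host)
        print(sorted(host), "-> missing:", missing)
```

A host with only the newest bulletin installed reports nothing missing, while a host stuck at MS05-052 reports only the two bulletins newer than it.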