False positive - modems & Citrix

 
False positive - modems & Citrix - 10.Nov.2009 12:44:01 PM   
P

 

Posts: 6
Joined: 12.Aug.2009
Status: offline
Likely it is just me and something incorrectly config'd, but please have a look.

LanGuard v9.0 Build 9=20090709

I have a weekly scheduled scan that runs based on a list of computers in a TXT file. The Scanning Profile for this scan is set as Full Vulnerability Scan.

Under Scanning Profiles Management I have opened up the Full Vulnerability Scan profile, then drilled down into Potential Vulnerabilities.

The first item in the list is "A modem is installed on this computer". The third item is "Citrix server running on this host". Both of these tests are of the form

"NOT windows-registry-test"

My scan results show both of these as vulnerabilities for my VM based W2008 servers.

As a check I opened up the registry on one of my reportedly vulnerable servers and drilled into HKLM>Software>Microsoft>ActiveSetup>Installed Components.

I checked therein for this key: {FF4DD9CD-F25E-425a-8B5C-A2D062781FBB}

Nada. No such key. This condition in my registry would indeed match a NOT test for the above key.


However. There is no modem installed on this server. Zilch.


So my question is - what the heck am I missing? Clearly I am delusional, mis-informed, and blind about something. But what?

My thanks in advance for your help in lifting the veil.

P
Post #: 1
RE: False positive - modems & Citrix - 11.Nov.2009 10:11:09 AM   
DrewE

 

Posts: 1246
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
The test for "Modem installed" should be a check to see if a registry key DOES exist. That key should be:
HKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000

Does your scanning profile indicate something different?

_____________________________

Drew Easley
GFI Software
Talk Tech To Me (GFI Blog)Follow Us (Twitter) - Watch Us (YouTube) - Join us (Facebook)

(in reply to P)
Post #: 2
RE: False positive - modems & Citrix - 11.Nov.2009 9:17:22 PM   
P

 

Posts: 6
Joined: 12.Aug.2009
Status: offline
Is there a way for me to post screen shots? I note that in the Post window the FILE option indicates that the feature is disabled or I do not have sufficient permission.

In effect my Profiles all show a NOT Registry test where the Key is shown as SOFTWARE\Microsoft\Active Setup\Installed Components\{FF4DD9CD-F25E-425a-8B5C-A2D062781FBB}

I certainly did not change this (at least I am unaware of ever touching this particular setting).

Thus I remain quite puzzled.

I can hear the reply - perhaps if you reinstall the software and re-check.....

(in reply to DrewE)
Post #: 3
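
The two forms of the modem check quoted in the posts above can be evaluated by hand on a flagged server to see which one produces the finding. This is an added example, not part of the thread and not GFI's code: the key paths are the ones quoted in the posts, the function and variable names are hypothetical, and it assumes PowerShell 3.0 or later run locally on the server.

```powershell
# Added example: evaluate both forms of the "modem installed" check on the local host.
# Key paths are quoted from the thread; Test-RegistryCheck and its parameters are hypothetical.
# On 64-bit Windows run this from a 64-bit PowerShell, because a 32-bit process
# sees a redirected view of HKLM\SOFTWARE.

function Test-RegistryCheck {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $KeyPath,  # path under HKLM, without the hive
        [switch] $Negate                                   # models a "NOT windows-registry-test"
    )

    # -LiteralPath keeps the braces in the GUID from being interpreted in any way.
    $exists = Test-Path -LiteralPath ("HKLM:\" + $KeyPath)

    # A plain test flags the host when the key exists;
    # a NOT test flags the host when the key is absent.
    $flagged = if ($Negate) { -not $exists } else { $exists }

    [pscustomobject]@{
        Check     = $Name
        KeyExists = $exists
        Negated   = [bool]$Negate
        Flagged   = $flagged
    }
}

# The test as it appears in the scanning profile (post 3): NOT test on an Active Setup key.
$asShipped = Test-RegistryCheck -Name 'Modem (profile as shipped)' -Negate `
    -KeyPath 'SOFTWARE\Microsoft\Active Setup\Installed Components\{FF4DD9CD-F25E-425a-8B5C-A2D062781FBB}'

# The test as described in post 2: the modem device class key must exist.
$asDescribed = Test-RegistryCheck -Name 'Modem (check as described)' `
    -KeyPath 'SYSTEM\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000'

$asShipped, $asDescribed | Format-Table -AutoSize

if ($asShipped.Flagged -and -not $asDescribed.Flagged) {
    'Flagged only by the NOT test on an absent key; no modem class entry exists. Treat as a false positive.'
}
```
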
RE: False positive - modems & Citrix - 12.Nov.2009 9:01:43 AM   
DrewE

 

Posts: 1246
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
You can upload photos to a file sharing site such as Flickr and then post the URL here.

_____________________________

Drew Easley
GFI Software

(in reply to P)
Post #: 4
RE: False positive - modems & Citrix - 12.Nov.2009 11:25:16 AM   
P

 

Posts: 6
Joined: 12.Aug.2009
Status: offline
Thanks Drew. I uninstalled everything off my server this morning, downloaded the latest versions, and then reinstalled. After I reinstalled I looked at the Modem test again and I see exactly the same NOT Registry test for the {FF4DD9CD-F25E-425a-8B5C-A2D062781FBB} key.

Given your response I decided to open a trouble ticket - clearly I am off somewhere.

Case number GFI-091112-30013

Thanks again.

(in reply to DrewE)
Post #: 5
RE: False positive - modems & Citrix - 19.Nov.2009 4:18:27 PM   
DrewE

 

Posts: 1246
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
An update which fixes these problems has just been published on our auto-update servers.

Affected users should run Program updates>Check For Updates (if scheduled updates are not enabled), and the vulnerability database will update.

_____________________________

Drew Easley
GFI Software

(in reply to P)
Post #: 6
RE: False positive - modems & Citrix - 20.Nov.2009 10:54:11 AM   
P

 

Posts: 6
Joined: 12.Aug.2009
Status: offline
Drew is quite correct. I downloaded the latest updates, re-scanned my servers and TA DA! no more modem & Citrix warnings.

Good work GFI.

P

(in reply to DrewE)
Post #: 7