3 Replies Latest reply on Apr 16, 2012 12:09 PM by jldunn

    Wireshark False positives

      Hi All,

      Do we have any known issues where scanning reports false positives for Wireshark vulnerabilities, wherein when checked we found that Wireshark was not installed on those servers?

      Thanks,

      Amar Deep Singh

        • 1. Re: Wireshark False positives

          We have not had this issue, and we have lots of wireshark, but mostly current versions.  Is it detecting an issue with (what it thinks is) a really old wireshark version?  If this machine used to have a (really old) version of wireshark installed, it's possible the uninstall script for that old version left behind traces, and the FASL (foundstone) detection script is alerting on those traces, resulting in what is (from your point of view) a false positive.

          We recently had an issue with detections relating to an Adobe downloader product that had already been uninstalled.  The removal process left behind an empty directory/folder (but no files), and apparently the FASL (foundstone) script based its detection on the (now-empty) directory/folder.  Removing the directory resolved the detection issue.

          If you think you might have a similar situation, you could install a current wireshark on the problem system and then uninstall wireshark; if that cleans up your detection, that would point to an old uninstall script that left behind traces that the new uninstall cleaned up.

          If you want to open a ticket with McAfee on this, sometimes the 1st-level support folks can tell you what the FASL script is looking for, and with that information, you may be able to figure out what the problem is.  Alternatively, if you want to go through the false positive process, the support tech can provide you with the steps you need to go through and what you need to provide to McAfee to document the issue.

          J.

          Message was edited by: jldunn on 4/12/12 1:45:37 PM CDT
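A check a defender can run on the flagged server to tell a real Wireshark install from the leftover-traces case described in the reply above. This is an added example, not code from the thread or from McAfee; it assumes the default install directory and that Wireshark's Uninstall registry entry has a DisplayName beginning with "Wireshark".

```powershell
# Added example (not from the thread): classify a Windows host as
# "installed", "traces-only" or "clean" for Wireshark, so a scanner hit
# can be compared against what is actually on disk and in the registry.
# Assumptions: default install directory, and an Uninstall entry whose
# DisplayName begins with "Wireshark".

$installDir = 'C:\Program Files\Wireshark'           # assumed default path
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Registry evidence: any Uninstall entry that names Wireshark.
$regEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Wireshark*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString

# File evidence: does the directory exist, and does it hold anything?
$dirExists = Test-Path -LiteralPath $installDir
$exe       = Join-Path $installDir 'Wireshark.exe'
$exeExists = Test-Path -LiteralPath $exe
$fileCount = 0
if ($dirExists) {
    $fileCount = (Get-ChildItem -LiteralPath $installDir -Recurse -File -ErrorAction SilentlyContinue |
                  Measure-Object).Count
}
$exeVersion = $null
if ($exeExists) {
    $exeVersion = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
}

# Verdict: a real install has the binary; an empty directory or an orphaned
# registry entry is the "traces" case that a file/registry-based detection
# script may still alert on.
if ($exeExists) {
    $verdict = "installed (Wireshark.exe version $exeVersion)"
} elseif ($dirExists -or $regEntries) {
    $verdict = "traces-only (dir=$dirExists, files=$fileCount, registry entries=$(@($regEntries).Count))"
} else {
    $verdict = 'clean (no directory, no registry entry)'
}

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    Verdict         = $verdict
    RegistryEntries = @($regEntries | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" })
    InstallDir      = $installDir
}
```

A "traces-only" verdict is the evidence to attach when raising the false positive with support, and it also identifies what the cleanup (removing the leftover directory or registry entry) needs to touch.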
          • 2. Re: Wireshark False positives

            Hello,

            What I am encountering in my environment is that we have a couple of servers with a very old version of Wireshark installed on them, Wireshark 1.4.3.

            Foundstone scans do not list any issues for this. I want to know if we have any known issues wherein such an old version of Wireshark is not supposed to be scanned?

            Thanks,

            Amar Deep

            • 3. Re: Wireshark False positives

              I am not positive I understand your question.  In any case, if you are running Wireshark 1.4.3, yes, it has at least one vulnerability that can be remediated by upgrading:

              http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0066

              I would guess that MVM/Foundstone would detect and alert on the downrev Wireshark, but I can't verify that.

              j.