The vulnerability scanning server scanned four machines against the MS08-067 Exploit, but DDI only detected the attack event on two of them.
As described in the Microsoft Security (MS) Bulletin MS08-067, to exploit this vulnerability in the Server service, the attacker needs to send out a specially crafted Remote Procedure Call (RPC) request.
If the target machine accepted the Transmission Control Protocol (TCP) connection on 445 or 139 and the attacker sends out the crafted RPC request, DDI will be able to detect the attack. This is the case of the two detected machines.
In the case of the two undetected machines, the target machine did not accept the TCP connection on port 445 or 139. Therefore, the attacker cannot send out the crafted RPC request. As a result, since the attack could not be initiated, DDI will not be able to detect the attack.