Deep Discovery Inspector (DDI) detected an attack only on some machines while vulnerability scanning server scanned all machines

- Updated:
- 24 Nov 2016
- Product/Version:
- Deep Discovery Inspector 3.0
- Deep Discovery Inspector 3.2
- Deep Discovery Inspector 3.5
- Deep Discovery Inspector 3.6
- Deep Discovery Inspector 3.7
- Deep Discovery Inspector 3.8
- Threat Discovery Appliance 2.0
- Threat Discovery Appliance 2.5
- Threat Discovery Appliance 2.6
- Platform:
- N/A N/A

Summary

The vulnerability scanning server scanned four machines against the MS08-067 Exploit, but DDI only detected the attack event on two of them.

Details

As described in the Microsoft Security (MS) Bulletin MS08-067, to exploit this vulnerability in the Server service, the attacker needs to send out a specially crafted Remote Procedure Call (RPC) request.

If the target machine accepted the Transmission Control Protocol (TCP) connection on 445 or 139 and the attacker sends out the crafted RPC request, DDI will be able to detect the attack. This is the case of the two detected machines.

In the case of the two undetected machines, the target machine did not accept the TCP connection on port 445 or 139. Therefore, the attacker cannot send out the crafted RPC request. As a result, since the attack could not be initiated, DDI will not be able to detect the attack.

Test Now

Rating:

Category:

Troubleshoot

Solution Id:

1106145

Feedback

Did this article help you?

Thank you for your feedback!

What was the problem with this article?

The image(s) in the article did not display properly.

The article did not provide detailed procedure.

The article is hard to understand and follow.

The video did not play properly.

The article did not resolve my issue.

Others. Please specify.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

Thanks for voting.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.