Deep Discovery Inspector (DDI) detected an attack only on some machines while vulnerability scanning server scanned all machines

- Updated:
- 24 Nov 2016
- Product/Version:
- Deep Discovery Inspector 3.0
- Deep Discovery Inspector 3.2
- Deep Discovery Inspector 3.5
- Deep Discovery Inspector 3.6
- Deep Discovery Inspector 3.7
- Deep Discovery Inspector 3.8
- Threat Discovery Appliance 2.0
- Threat Discovery Appliance 2.5
- Threat Discovery Appliance 2.6
- Platform:
- N/A N/A

Summary

The vulnerability scanning server scanned four machines against the MS08-067 Exploit, but DDI only detected the attack event on two of them.

Details

As described in the Microsoft Security (MS) Bulletin MS08-067, to exploit this vulnerability in the Server service, the attacker needs to send out a specially crafted Remote Procedure Call (RPC) request.

If the target machine accepted the Transmission Control Protocol (TCP) connection on 445 or 139 and the attacker sends out the crafted RPC request, DDI will be able to detect the attack. This is the case of the two detected machines.

In the case of the two undetected machines, the target machine did not accept the TCP connection on port 445 or 139. Therefore, the attacker cannot send out the crafted RPC request. As a result, since the attack could not be initiated, DDI will not be able to detect the attack.