Deep Discovery Inspector (DDI) detected an attack only on some machines while vulnerability scanning server scanned all machines

    • Updated: 31 Mar 2015
    • Product/Version: Deep Discovery Inspector 3.0, 3.2, 3.5, 3.6, 3.7, 3.8; Threat Discovery Appliance 2.0, 2.5, 2.6
    • Platform: N/A
Summary

The vulnerability scanning server scanned four machines against the MS08-067 exploit, but DDI detected the attack event on only two of them.

Details

As described in Microsoft Security Bulletin MS08-067, to exploit this vulnerability in the Server service, the attacker needs to send a specially crafted Remote Procedure Call (RPC) request.

If the target machine accepts the Transmission Control Protocol (TCP) connection on port 445 or 139 and the attacker sends the crafted RPC request, DDI is able to detect the attack. This is the case for the two detected machines.

In the case of the two undetected machines, the target machine did not accept the TCP connection on port 445 or 139, so the attacker could not send the crafted RPC request. Because the attack could not be initiated, DDI cannot detect it.
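The reasoning above can be applied when reconciling a scan's target list against DDI events. The following is an added example, not part of the original article or any Trend Micro tooling; the connection-log format, outcome labels and IP addresses are constructed assumptions.

```python
# Added example: reconcile scanner targets with DDI detections.
# All records below are constructed sample data (documentation IP range).
SMB_PORTS = {139, 445}

# Constructed connection log: (dst_ip, dst_port, outcome), as a firewall or
# flow export might report it. "established" = TCP handshake completed.
CONNECTIONS = [
    ("192.0.2.11", 445, "established"),
    ("192.0.2.12", 139, "established"),
    ("192.0.2.12", 445, "reset"),
    ("192.0.2.13", 445, "reset"),
    ("192.0.2.13", 139, "timeout"),
    ("192.0.2.14", 445, "timeout"),
]
SCANNED = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
DDI_DETECTED = {"192.0.2.11", "192.0.2.12"}


def accepted_smb_hosts(connections):
    """Hosts that accepted a TCP connection on port 445 or 139."""
    return {ip for ip, port, outcome in connections
            if port in SMB_PORTS and outcome == "established"}


def reconcile(scanned, connections, detected):
    """Classify each scanned host by whether a DDI event was expected."""
    accepted = accepted_smb_hosts(connections)
    result = {}
    for ip in scanned:
        if ip in detected:
            result[ip] = "detected"
        elif ip in accepted:
            # The connection was accepted, so the crafted request could
            # have been sent: this host is the one worth investigating.
            result[ip] = "gap: connection accepted, no DDI event"
        else:
            # Matches the article's two undetected machines.
            result[ip] = "no event expected: 445/139 not accepted"
    return result


if __name__ == "__main__":
    for ip, status in reconcile(SCANNED, CONNECTIONS, DDI_DETECTED).items():
        print(f"{ip}  {status}")
```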

Category: Troubleshoot
Solution Id: 1106145