INTERNET SCANNER VERSION 6.0 RELEASE NOTES ============================================================================= CONTENTS -------- 1. NEW FEATURES 1.1 New Structured Scanning Methodology and Default Scan Policies 1.2 Policy Editor 1.3 X-Press Updates 1.4 Database Scanner Integration 1.5 Internet Scanner 5.3 to 6.0 Migration Kit 1.6 New Vulnerability Checks 1.7 UDP Port Scanning 1.8 New Reports 1.9 New Help System 2. SYSTEM REQUIREMENTS 2.1 Processor 2.2 Operating System 2.3 Other software 2.4 Memory (RAM) 2.5 Memory (RAM) required for large scans 2.6 Hard Disk 2.7 User privileges 2.8 Network 2.9 Protocol 2.10 Display 3. SUGGESTIONS 3.1 Reviewing Configuration When Enabling Vulnerabilities 3.2 Reviewing Configuration of Scan Policies from earlier versions 3.3 Scanner 6.0 Beta Policies 3.4 Exporting Scanner Reports to PDF 3.5 Interpreting the Results of UDP Port Scans 3.6 Maximum Parallel Scan Threads 4. INSTALLING THE RAW PACKET DRIVER 5. SETUP 6. TOOLS 6.1 Internet Scanner 5.3 to 6.0 Migration Utilities 6.2 Pinger Utility 7. KNOWN ISSUES 7.1 Windows NT Problem with Large Scans 7.2 Raw Packet Driver with PGP 6.5 7.3 Traceroute Check 7.4 TelnetOpen Check 7.5 Rwhod and Rwhod-vuln 7.6 ICQ Client 7.7 FlexChecks 7.8 RipAppend Check 7.9 Error Exiting Scanner with Multiple Sessions Open 8. SCANNER 5.81 ISSUES RESOLVED in 6.0 8.1 Cwdleak Check 8.2 SNMPShowInterface Check ============================================================================= 1. NEW FEATURES ------------ What’s New in Internet Scanner 6.0: 1.1 New Structured Scanning Methodology and Default Scan Policies Internet Scanner 6.0 embodies a structured approach to scanning that will increase the accuracy of the information obtained, reduce network load during the scan, ensure that security fix efforts are strongly focused on the most important systems in the organization, and make it much easier to target reports to individual system administrators. To facilitate this, Internet Scanner includes many new scan policies targeted towards specific security "Levels". Five levels are defined in the default policies, and are explained below. Versions of scan policies are provided for various operating systems, system types, or system use. Internet Scanner uses the following security levels to define and to implement the most important tasks for the security program: Level 1 policies identify which devices are on the network, and what Operating System they are running. * L1 Inventory Level 2 policies classify the systems based on the application services they offer. * L2 Classification * L2 Database Discovery Level 3 policies test susceptibility to external system compromise from trivial attacks used by unsophisticated adversaries, or detect signs that the system is already compromised. * L3 Desktop * L3 NT Server * L3 NT Web Server * L3 Router & Switch * L3 Unix Server * L3 Unix Web Server Level 4 policies test susceptibility to external system compromise from automated attack tools. * L4 NT Server * L4 NT Web Server * L4 Router & Switch * L4 Unix Server * L4 Unix Web Server Level 5 policies test resistance to password cracking attacks and susceptibility to external system compromise from very knowledgeable adversaries. * L5 NT Server * L5 NT Web Server * L5 Unix Server * L5 Unix Web Server These security levels are cumulative, that is, all Level 3 checks are included in the Level 4 and Level 5 policies. Using cumulative tools allows your organization to add increased security attention to the systems that warrant increased attention, without spending increased effort on less valuable assets. IMPORTANT NOTE: The old standard policies (Heavy, Medium, and Light) are obsolete and will no longer be updated by ISS. This is because they do not directly support the goals of increased accuracy, minimized network load, incremental application of security to specific systems, and more targeted report output. Existing 5.x scan policies have been migrated forward to 6.0. Adding specific checks to these policies is much easier with the new policy editor, described below. See the help file, ISS_NT.chm, for detailed descriptions about each default scan policy included with Internet Scanner 6.0. 1.2 Policy Editor The new Policy Editor arranges configurable properties in a folder tree, letting you sort, group, and browse through global settings, vulnerability checks, services, and accounts that you can enable for your policy. This Policy Editor replaces the tabbed Configuration dialog box that was used in Internet Scanner 5.x. Because of the tree structure, it is now simple to do some tasks that were very tedious in the previous versions of Internet Scanner. In particular, selecting a branch of the tree enables all checks that reside in this branch. For example, clicking the selection box next to the CGI-Bin tree will enable all 23 checks in that category. Previous versions of Internet Scanner required the user to select each check individually. The folder tree settings include: * Common Settings (brute force options, ports to scan, etc) * FlexChecks * Vulnerabilities * Services * Accounts You can arrange the Policy Editor’s folder tree in four different views: * Standard View (separates the Denial of Service exploits from the rest of the vulnerabilities, but still maintains the vulnerability categories) * Risk View (sorts the vulnerabilities by High, Medium, and Low, but does not separate the Denial of Service exploits in the category list). Note that this view makes it very easy to add new high-risk checks to existing policies. * Category View (works like the Standard View, but does not separate the Denial of Service exploits in the category list) * Built-In/Plug-Ins View (shows categories of the vulnerability checks, but distinguishes between Built-In Exploits or Plug-In Exploits) The Policy Editor also contains a browser-enabled window used for: * Viewing information on each vulnerability check, such as the vulnerability’s description, the platforms affected by the vulnerability, the vulnerability’s risk level, the vulnerability’s remedy information, and additional reference information. * Accessing external Web sites that may contain additional fix information, patches, or updates. * Linking directly to the X-Force Knowledge Base. If you want to build a very targeted policy or look for certain kinds of checks based on similar data, use the Policy Editor's powerful new searching features to search through names, short descriptions, full descriptions, and fix information in the vulnerability database. To perform focused Boolean searches on the vulnerability checks in the Policy Editor, use the search engine of the Vulnerability Catalog help file (VulnCatalog.chm) located in Scanner6/Help or access the help file directly from the help file, ISS_NT.chm. For example, searching on the text string "cert" would find all checks that referenced a CERT advisory. 1.3 X-Press Updates X-Press Updates automatically update your system with the latest plug-in checks and the latest product updates available for Internet Scanner, without having to download and to re-install a new version of Internet Scanner. X-Press Updates are available from a secure server on the ISS Web site, and can be installed on your system automatically via the Web using the X-Press Updates install program. Or, you can download the X-Press Updates from the ISS Web site using the X-Press Updates install program to your local directory or to a network share and then choose from either of those locations which updates you would like to install on your system. Please note that the X-Press Update install program does not automatically execute when you run Internet Scanner. You must run this program manually, or schedule execution of the program. ISS does not use or recommend the use of "push" technologies for security-enforcing products. For information on how to use X-Press Updates, view the X-Press Updates help file (XPressUpdate.chm) in Scanner6/XPressUpdate or in Scanner6/Help. NOTE: These updates must be installed sequentially and removed in reverse order, which is automatically enforced by the X-Press Updates install program. There are two e-mail forums that provide information on X-Press Updates and automatically e-mail you when there are new X-Press Updates for you to install on your system. See the product for details on subscribing to these services. 1.4 Database Scanner Integration Internet Scanner 6.0 operationally integrates functions of Database Scanner (Microsoft SQL Server, Oracle, or Sybase Adaptive Server) that have been deployed in your organization, and assesses the risk associated with those servers. Through the built in Database Discovery checks for the above servers, Internet Scanner locates the various database servers on your network and then will automatically configure and scan those servers by launching Database Scanner. ISS is offering a free, full function Database Scanner license for one each Oracle, Sybase, and SQL Server database to all users of Internet Scanner currently under software maintenance. Contact your ISS sales representative, send email to sales@iss.net, or visit the ISS Web site at http://www.iss.net for information on getting this Database Scanner license. To get your Database Scanner license key, visit the ISS web site at http://www.iss.net/prod/dbspromo. 1.5 Internet Scanner 5.3 to 6.0 Migration Kit Internet Scanner provides capabilities for easily moving Unix vulnerability data and 5.3 scan policies to 6.0. The command-line migration kit executables, db2u.exe and u2db.exe, are located in the Scanner6 Tools directory. The help file, ISS_NT.chm, provides the reference topic "IS 5.3 Unix checks in IS 6.0" that maps the check names from 5.3 into 6.0. Use db2u and u2db to import and to export data in CSV format to and from Internet Scanner’s database. To migrate policies from Internet Scanner 5.3 to Internet Scanner 6.0, copy the 5.3 policy file to Scanner6/Policy, and then open the policy in the 6.0 Policy Editor. Note: the vulnerability migration tools db2u.exe and u2db.exe can also be used to move vulnerability data between different instances of Internet Scanner 6.0, or to export the Internet Scanner 6.0 data to an external database system like Oracle for post-scan processing. The tools translate between Internet Scanner native database format and comma separated value (CSV) format. 1.6 New Vulnerability Checks Internet Scanner 6.0 includes 67 new vulnerability checks, including more than 30 new checks for malicious backdoor programs (such as BackOrifice 2000) that attackers use to remotely control computers: Risk VulnID Check Name Category High 625 Perl fingerd Daemons High 886 SmtpHeloBo E-mail High 887 SMTP VRFY Buffer Overflow Attempt E-mail High 888 SMTP EXPN Buffer Overflow Attempt E-mail High 895 Bind bo DNS High 1212 IIS RDS Web Scan High 1400 CgiPerlMailPrograms Web Scan High 1728 Palmetto FTP FTP High 1740 ColdFusionEvaluator Web Scan High 1890 QpopperPASSOverflow E-mail High 2052 CGI Textcounter CGI-Bin High 2079 WinRouteConfig Firewalls High 2178 BackdoorPbbser Backdoors High 2240 CMailCommandBO E-mail High 2245 SubsevenBackdoor Backdoors High 2281 IIS HTR Overflow Web Scan High 2310 EvilFTP Backdoor Backdoors High 2321 NetSphere Backdoor Backdoors High 2322 GateCrasher Backdoor Backdoors High 2324 GirlFriend Backdoor Backdoors High 2325 Hack'a'tack Backdoor Backdoors High 2326 BackdoorPhasezero Backdoors High 2343 BackdoorBo2k Backdoors High 2384 NetscapeGetBo Web Scan High 2386 BackdoorComa Backdoors High 2387 BackdoorForcedentry Backdoors High 2389 BackdoorBackdoor2 Backdoors High 2390 BackdoorNetmonitor Backdoors High 3099 BackdoorBlazer5 Backdoors High 3100 BackdoorFrenzy Backdoors High 3110 BackdoorHvlrat Backdoors High 3111 BackdoorMillenium Backdoors High 3112 BackdoorProsiak Backdoors High 3113 BackdoorHackersparadise Backdoors High 3118 BackdoorSchwindler Backdoors High 3119 BackdoorProgenic Backdoors High 3120 BackdoorTheThing Backdoors High 3122 BackdoorDeltasource Backdoors High 3130 BackdoorDoly15 Backdoors High 3131 BackdoorAolAdmin Backdoors Medium 896 Bind DoS DNS Medium 1630 UnityMail web server dos Web Scan Medium 1741 ColdFusionSource CGI-Bin Medium 1742 ColdFusionSyntaxChecker CGI-Bin Medium 1744 ColdFusionFileRead CGI-Bin Medium 1895 IMailIMAPOverflow E-mail Medium 1899 IMailWhoisOverflow E-mail Medium 2054 Novell Files Script CGI-Bin Medium 2055 CGI nphpublish CGI-Bin Medium 2088 Startech POP3 E-mail Medium 2196 HttpCgiCounterLong CGI-Bin Medium 2229 IIS ExAir DoS Web Scan Medium 2239 CmailFileread E-mail Medium 2241 FTGateRead E-mail Medium 2242 NTMailFileRead E-mail Medium 2270 SiteServerCSC Web Scan Low 1416 iParty denial of service Daemons Low 1743 ColdFusionFileExists CGI-Bin Low 1894 VNCDetect Daemons Low 1921 SMTPforgery E-mail Low 1928 SMTPrcpt E-mail Low 1986 VNCDetectNoConn Daemons Low 1988 VNCNoAuth Daemons Low 2210 ICQClient Daemons Low 2211 mSQLDetect Daemons Low 2227 CDDBD detect Daemons Low 2388 OracleDetect Daemons Note that Internet Scanner can now produce a report of all checks that are installed (from the View/Installed X-Press Modules menu option), and can list all checks that are enabled in any policy (from the Policy/Properties menu option). This information can be printed, or copied to the Windows clipboard via a right mouse click. 1.7 UDP Port Scanning Internet Scanner Version 6.0 performs an exhaustive UDP port scan by using various UDP packets to determine the status of a port. 1.8 New Reports In addition to many improvements to existing reports, Internet Scanner 6.0 now includes Executive level reports in Italian and condensed Host Vulnerability Summary reports at the Line Management and Technical level. Improvements have been made to reports that are exported to HTML or Microsoft Word, allowing more effective distribution of security information in the organization. 1.9 New Help System The help system now uses HTML pages to display the help information. The help information for each vulnerability check is taken directly out of the X-Force database to ensure consistency and accuracy. 2. SYSTEM REQUIREMENTS ------------------- Internet Scanner 6.0 system requirements are: 2.1 Processor 200 MHz Pentium Pro (300 MHz Pentium recommended) 2.2 Operating System Windows NT 4.0 Workstation (with ServicePack 4). ISS strongly recommends using a dedicated system for scanning. ISS is providing beta support for users running Windows 2000 Workstation (Beta 3). The device driver will not work on Windows NT 2000, meaning a small number of checks that require access to raw IP sockets (spoofing, etc) will not work, but other checks and functionality will be unaffected. IMPORTANT: Internet Scanner is not supported on Windows NT 3.51 or Windows NT 4.0 Server. (FOR INTERNATIONAL USERS: ISS does not formally support scanning from localized versions of Windows NT 4.0 or Windows 2000. If you attempt to scan from these systems, please report your results to support@iss.net. The US English version of Windows NT 4.0 supports the display of other language groups (based on different codepages) shipped with those versions. (For example, the US version does not ship with character-based Asian languages or Arabic). If you are an international user, you can run US English Windows NT 4.0 as your OS and still run non-Unicode, non-ISS applications localized for your area.) 2.3 Other software Microsoft Internet Explorer 4.x or later required to run HTML Help. 2.4 Memory (RAM) 80 MB 2.5 Memory (RAM) required for large scans 128 MB (Console mode or command line scans recommended) NOTE: See Known Issue 7.1, Windows NT Problem with Large Scans. 2.6 Hard Disk 180 MB for installation from file 60 MB for installation from CD-ROM Running: 55 MB plus 2.5 MB per 100 hosts NTFS partition recommended 2.7 User privileges Local or Domain Administrator 2.8 Network Ethernet or Token Ring connected to an active network. CAUTION: Internet Scanner on a Token Ring network does not perform some vulnerability checks - see the Internet Scanner 6.0 Getting Started Guide or the Internet Scanner 6.0 User Guide for more details. 2.9 Protocol TCP/IP 2.10 Display Monitor that supports 800x600 resolution with a minimum of 256 colors. 3. Suggestions ----------- 3.1 Reviewing Configuration When Enabling Vulnerabilities When you enable a new vulnerability in a policy, review the policy's configuration settings. 3.2 Reviewing Configuration of Scan Policies from earlier versions Some of your 5.x migrated policies may not have all the configuration variables set that are required to make the policies actually execute once they have been migrated to 6.0. ISS recommends that you visually inspect your migrated policies, especially the following variables: Web Zone Checks Sun CMSD BO FlexCheck IIS HTR Overflow Linux Inetd If necessary, turn the variables on or set the appropriate configuration variables. 3.3 Scanner 6.0 Beta Policies Scan policies created by Internet Scanner 6.0 Beta may not load or function properly with the version 6.0 production release. You should re-enter these policies. 3.4 Exporting Scanner Reports to PDF Exporting Internet Scanner 6.0 Reports to PDF format allows distribution of reports in a widely supported format, as well as preserves the quality of the original documents and avoids common problems that are associated with exporting directly from Crystal Reports to Microsoft Word or HTML format. ISS has identified a tool from Adobe Software called PDFWriter that allows this capability. PDFWriter acts like a printer driver to Windows applications, but actually outputs the print job to a file in PDF format. Selecting Acrobat PDFWriter Assistant as the printer driver in the printers Control Panel, print the document using this print driver. PDFWriter then generates a PostScript file, launches Acrobat Distiller, asks you to specify a name and location for your PDF file, converts the PostScript file into a PDF file, and opens the PDF file in an Acrobat viewer. Acrobat 3.0x and above for Windows includes Acrobat Writer Assistant. The file can be viewed with any Acrobat reader. PDFWriter is available from Adobe, at http://www.adobe.com. 3.5 Interpreting the Results of UDP Port Scans UDP port scanning is subject to possible variable results, due to the fundamental differences between UDP and TCP. Since UDP is an unreliable (datagram) protocol, there is no equivalent of the TCP 3 Way handshake that can be used to identify the existence of services listening on particular ports. Instead, the target system will respond with ICMP Port Unreachable messages (ICMP type 3, code 3). However, ICMP itself is an unreliable protocol, so these packets can be dropped or lost due to host or network contention. Further complicating the matter is technology built into certain operating systems to throttle the generation of ICMP unreachable messages - Linux and Solaris in particular implement this technology. ISS recommends analyzing the results reported from UDP port scans. If it appears that an excessive number of ports are reported as active, ISS recommends scanning individual hosts to verify the results, and tuning the UDP port scan parameters down (i.e. increase the wait between UDP packets sent by the scanner) to lessen the load on the network or host, and to avoid operating system security mechanisms that will degrade the accuracy of the results. ISS recommends that the UDP Smart Filter be disabled for these verification tests. See the Help section for the UDP port scan for details on tuning the UDP scan parameters. 3.6 Maximum Parallel Scan Threads The Maximum Parallel Scan Threads default setting is 128. To reduce the impact of Internet Scanner on system resource consumption, reduce this setting to 64 in the Internet Scanner Tools Menu, Options. 4. Installing the Raw Packet Driver -------------------------------- To install the ISS Raw Packet Driver, follow these steps: 1. From the Windows NT desktop, right-click the Network Neighborhood icon and select Properties. This action is a shortcut to the Network control panel. 2. Click the Services tab to display the installed network services. 3. Click Add to display the Select Network Service window. 4. Click Have Disk to display the Insert Disk window. 5. The Insert Disk window requests the location of the driver software. The default path is C:\Program Files\ISS\Scanner6\Driver. Otherwise, the ISS Raw Packet Driver is located in the Driver folder where Internet Scanner was installed. 6. Click OK to display the Select OEM Options window. 7. Select the ISS Raw Packet Driver software and click OK. The ISS Raw Packet Driver appears in the Network control panel. 8. Click OK to close this window. 9. Reboot your NT system. 5. Setup ----- Setting TCP/IP Parameters When Windows NT attempts to make a socket connection, it sends out a SYN packet to the remote computer, and waits for a reply. If no reply occurs within the time out period (three seconds by default), it then doubles the time out period, and retries the connection attempt. Every socket left open in this state consumes non-pageable kernel memory, and if too many sockets are not resolved, the host can run out of RAM. Since the problem is caused by non-pageable RAM consumption, Windows NT will essentially halt, and you will experience approximately two minute waits on response to toggling a caps lock key. The system will eventually recover, but it could take hours. ISS has advised Microsoft of this problem, and advised them that the amount of non-page pool that open sockets can consume should be a tunable parameter. However, Microsoft has not (to the best of ISS' knowledge) conceded that this is actually a problem, and to be fair, only an extremely intensive application such as Internet Scanner may be capable of reproducing this problem. This problem typically occurs while scanning a network where ICMP traffic is filtered. If ICMP traffic is not filtered, the host machine can reply to a connection attempt with either a SYN-ACK (success), or an ICMP port unreachable. In either case, the connection attempt can be resolved. To avoid this potential performance degradation, open the Registry editor (either regedit.exe, or regedt32.exe), locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key, and insert the following values: TcpMaxConnectAttempts, with type REG_DWORD, and a value of 3, TcpMaxConnectRetransmissions, with type REG_DWORD, and a value of 3 You must restart your system before these changes will take effect. For additional information regarding these parameters, please consult your Windows NT Resource Kit. If you want to see how the scan is progressing, run a tail -f on the temporary log files (located in the .\tmp directory with a .tmplog extension). If you do not have UNIX CLI utilities, these utilities may be available at ftp://ftp.cc.utexas.edu/microlib/nt/gnu/. Or, you can type the file to a command prompt. In the GUI version, you can view the status window. Internet Scanner lets you scan the local host without a key. If you want to evaluate the product further and scan other machines on your network, you can obtain an expanded key from sales@iss.net or by calling 1-800-776-2362. WARNING: Internet Scanner can inflict various denial of service attacks. Be very careful when you enable these scans. ISS has run into instances where scans that were not known to cause denial of service actually did so. This situation is unusual, but has been known to occur. WARNING: The OOB check WILL crash your host if you have not patched it. Remember to reboot your system or the Raw Packet Driver won't work. 6. Tools ----- Internet Scanner tools and utilities are located in the Scanner6 Tools directory. The following tools are developed and supported by ISS: 6.1 Internet Scanner 5.3 to 6.0 Migration Utilities Internet Scanner provides capabilities for easily moving 5.3 vulnerability data and 5.3 scan policies to Windows NT. The command-line migration kit executables, db2u.exe and u2db.exe, are located in the Scanner6 Tools directory. The help file, ISS_NT.chm, provides a reference topic "IS 5.3 Unix checks in IS 6.0" that maps the checks from 5.3 into 6.0. Use db2u and u2db to import and to export data in CSV format to and from Internet Scanner’s database. To migrate policies from Internet Scanner 5.3 to Internet Scanner 6.0, copy the 5.3 policy file to Scanner6/Policy, and then load the policy in the Policy Editor. Db2u v1.0 will take an entry in NT Internet Scanner 6.0 database and convert the entry to CSV files that the UNIX Internet Scanner 5.3 can read and create reports with. Usage: db2u "list" or db2u "db2u list" will print out a table of all the current scans that are in the 6.0 database. The table contains the job ID of the scan, the date and time the scan started, session file name and any comment entered for that scan. If the jobid is known or discovered by doing a list, then it is easy to extract the information. For example, if the jobid of the scan you want to extract is 4 and you want to put it in a directory named "CSVScan4", type: "db2u 4 C:\CSVScan4" The directory will now contain the CSV files necessary for the UNIX scanner to create a report. "db2u last C:\CSVScanLast" will put the latest scan that is in the NT Internet Scanner 6.0 database and put it into CSV format in the directory CSVScanLast. NOTE: The program db2u will not auto create the destination directory. The directory needs to exist before the program is run. U2db v1.0 will take a directory that contains CSV files generated by the UNIX Internet Scanner 5.3 and import them into the NT Internet Scanner 6.0 database. Usage: u2db The program u2db works by entering the directory that contains the CSV files that you would like to import into the NT Internet Scanner 6.0. Once successful, a report can be made by using the NT Internet Scanner 6.0. NOTE: Currently the program u2db will only look for scans with the prefix "iss". If the scan you are attempting to import has a different prefix, it will not work. 6.2 Pinger Utility The pinger utility, pinger.exe, will send ICMP echo requests to a range of IP addresses and track the hosts that respond. See the document pingerdoc.txt located in the Scanner6 Tools directory for instructions. 7. Known Issues ------------ 7.1 Windows NT Problem with Large Scans Certain scanning situations have been found to exercise a bug in Windows NT which causes Windows NT to crash with an error in the RDR.SYS driver. If you want to run large scans, please follow these recommendations: * Refrain from using multiple concurrent sessions. * Use the Ping all Hosts in Range option when scanning from the GUI. * Use the PINGER.EXE found in the tools directory to screen out inactive hosts when performing command-line scans. * Break up large scans into multiple smaller sessions. * Use a dedicated scan machine with no other applications running. This problem has been reported to Microsoft. ISS is working with Microsoft to resolve this situation. If you are unable to follow these recommendations, please contact ISS technical support for further assistance. 7.2 Raw Packet Driver with PGP 6.5 PGPnet application of PGP 6.5 is present on the PC and Internet Scanner 6.0 Raw Packet Driver is installed: Since PGPnet is a "network-based" sub-application of PGP, it will effectively impose its adapter configuration settings on the machine if: (1) You elect to proceed on with the PGPnet installation prompts after installing the ISS raw packet driver and re-booting, and (2) The installation host has only one available network card installed. This means that any previous network card definitions and settings will be suppressed, and the administrator will not be given the option to select his previous adapter settings while in the "TCP/IP properties" panel in Control Panel/Network. The result is that you will lose previous network connectivity to/from the host. To avoid this issue: (1) Disable PGPnet control of the network card under the "Programs -> PGP - > PGPnet -> Set Adapter " menu option (if PGPnet is already in control) or (2) After you have installed the ISS Raw Packet driver and re-booted, "cancel" out of the PGPnet configuration prompts to 'Secure a Network Card' (This means that you will not be able to use PGPnet on a host with a single network card). 7.3 Traceroute Check TraceRoute is based on ICMP and UDP, which are known to be unreliable protocols. This check may potentially lose packets, resulting in false negatives when combined in a policy with other checks that produce high amounts of network traffic (UDP Port Scan, synflood, etc.). 7.4 TelnetOpen Check The telnetOpen check may result in a Denial of Service if you run it against a machine that is running the Startech POP3 server. This machine will remain in a functioning state but the service is disabled. 7.5 Rwhod and Rwhod-vuln In previous releases, rwhod and rwhod-vuln were separate vulnerabilities. In version 6.0, rwhod will show up as a service found, not a vulnerability, and rwhod-vuln will remain a vulnerability. 7.6 ICQ Client The ICQClient may bind at any port, causing inconsistent behavior from one boot to the next. The ICQClient check has been configured to scan the most likely ports, using a default port range from 1024 to 2124. Scanning this entire port range could take a considerable amount of time, as the check determines if the client is bound to a port somewhere within the default range. However, it is possible that the client may be bound outside the port range entered, which could result in a false negative. 7.7 FlexChecks The 3 FlexChecks: SUN CMSD BO, Lotus LDAP BO, and AMD-BO are not included during installation, and instead have been placed on ISS' Web site at www.iss.net. 7.8 RipAppend Check The RipAppend check has been disabled due to false positives. This issue will be resolved in the next release. 7.9 Error Exiting Scanner with Multiple Sessions Open It has been reported that when exiting the Scanner program with multiple sessions still open an exception error may sometimes occur. This will not affect your machine or your data. If you experience this please email ISS technical support with a screen shot of the exception. 8. Scanner 5.81 Issues Resolved in 6.0 ----------------------------------- 8.1 Cwdleak Check The cwdleak check, which consistently returned false positives in the 5.x releases, has been fixed in 6.0. 8.2 SNMPShowInterface Check The SNMPShowInterface caused an exception in 5.x; this has been corrected in 6.0.