18 Replies. Latest reply: Feb 28, 2017 10:24 AM by CleverBoy

Sudden false positives for Plugin 23910 (Host file check in backdoors family)

CleverBoy Apprentice

Starting last week (Feb 1st), SecurityCenter suddenly alerted on a bunch of hosts (29 initially) for Plugin 23910, indicating a possible IOC by virtue of a modified hosts file. However, upon close inspection of the vulnerability text and the hosts files themselves, they were all false positives:

* Most of the flagged hosts files had only the two entries for localhost:

    127.0.0.1
    ::1

* All hosts files examined directly had "last modified" timestamps from years ago.

* A couple had unique entries, but they pointed to private IP addresses (and these entries were not new either).

I opened a ticket with support, and of course they wanted a nessusb file directly from a Nessus scanner.  So I ran a scan locally against all hosts firing for 23910, and got no results on that plugin. 

I turned back to SecurityCenter, forced an update of plugins, and re-scanned all of the relevant hosts from SC with thorough checks enabled for good measure.  Plugin 23910 disappeared.  All good!

Today they're back:  23910 firing for clear false positive scenarios.  Is anyone else seeing this?  Anyone have a stress-reducing way to troubleshoot?
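One stress-reducing way to confirm the three observations above before opening a ticket is to script the manual triage: parse each flagged hosts file, bucket every entry as loopback, private or public, and report the file's modification age. The script below is an added example for this thread, not Tenable's Plugin 23910 logic (which is not shown on this page) and not code from the poster. The three sample hosts files, the hostnames in them and the fixed timestamps are constructed for the demonstration; `triage_file()` reads a real file from a path you supply.

```python
"""Hand-triage helper for hosts files flagged by a hosts-file IOC check.

Added example for the forum thread; not Tenable's plugin code.
"""
import ipaddress
import os
import time

SECONDS_PER_DAY = 86400


def parse_hosts(text):
    """Parse hosts-file text into (address, [hostnames]) tuples.

    Blank lines and '#' comments (whole-line or trailing) are skipped, as the
    resolver itself skips them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def classify_address(address):
    """Bucket an address as 'loopback', 'private' (RFC 1918, link-local, ULA,
    test-nets), 'public' or 'malformed'.

    Loopback is tested first because ipaddress reports 127/8 and ::1 as
    private as well.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def triage(text, mtime, now=None):
    """Classify every entry, compute the file age in days and give a verdict.

    'loopback-only': every entry maps to a loopback address (a stock file).
    'private-only':  extra entries exist but all point at private space.
    'review':        something maps a name to a public address or is malformed.
    'empty':         no entries at all.
    """
    now = time.time() if now is None else now
    rows = [{"address": addr, "names": names, "class": classify_address(addr)}
            for addr, names in parse_hosts(text)]
    classes = {row["class"] for row in rows}
    if not rows:
        verdict = "empty"
    elif classes <= {"loopback"}:
        verdict = "loopback-only"
    elif classes <= {"loopback", "private"}:
        verdict = "private-only"
    else:
        verdict = "review"
    return {"age_days": round((now - mtime) / SECONDS_PER_DAY, 1),
            "entries": rows, "verdict": verdict}


def triage_file(path, now=None):
    """Triage a real hosts file (e.g. /etc/hosts or
    C:\\Windows\\System32\\drivers\\etc\\hosts) using its on-disk mtime."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh.read(), os.stat(path).st_mtime, now)


# Constructed samples; the hostnames are placeholders, not real entries.
STOCK_HOSTS = """# Standard loopback entries
127.0.0.1   localhost
::1         localhost
"""

INTERNAL_HOSTS = """127.0.0.1   localhost
::1         localhost
10.20.30.40 build-server.corp.example   # private address, long-standing entry
"""

SUSPECT_HOSTS = """127.0.0.1   localhost
::1         localhost
8.8.8.8     updates.example.com   # a name pinned to a public address: look closer
"""

if __name__ == "__main__":
    fake_now = 1_500_000_000                      # constructed 'current' time
    old_mtime = fake_now - 3 * 365 * SECONDS_PER_DAY  # file untouched for 3 years
    for label, sample in (("stock", STOCK_HOSTS), ("internal", INTERNAL_HOSTS),
                          ("suspect", SUSPECT_HOSTS)):
        result = triage(sample, old_mtime, fake_now)
        print(f"{label:9} verdict={result['verdict']:14} age={result['age_days']}d")
        for row in result["entries"]:
            if row["class"] != "loopback":
                print(f"          {row['address']} -> {', '.join(row['names'])} ({row['class']})")
```

Run it over the flagged files with `triage_file("/path/to/hosts")`; anything that comes back `loopback-only` with an age measured in years matches the pattern the poster describes and can be set aside, while `review` verdicts are the ones worth reading by hand before deciding the alert is a false positive.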