Re: Trend Micro OfficeScan service fingerprint

[doug () hcsw org]

Hi Tom!

On Fri, Dec 28, 2007 at 06:39:29PM -0600 or thereabouts, Tom Sellers wrote:
> While working on some problems with Trend Micro's OfficeScan
> antivirus I realized that I had never seen the associated
> client network port identified by Nmap.

Thanks a lot for creating a probe! As you probably saw from the
OfficeScan comment, I've noticed problems with this service too:

# This is here for NULL probe cheat since several probes unpredictably trigger it -Doug

I just checked in the following probe to SVN:

Probe TCP OfficeScan q|GET /?CAVIT HTTP/1.1\r\n\r\n|
rarity 9
ports 12345
match http m|^HTTP/1.0 \d\d\d .*\r\nServer: OfficeScan Client| p/Trend Micro OfficeScan Antivirus http config/

Does this work for you? I deleted the match line in the GetRequest
probe but left it in the NULL probe in case we get it on a fallback.

Also, I noticed that the Help probe also has port 12345 listed
as a probable port so it will tried first. I can't remember
what service in Help is run on 12345 but could maybe dig that
info up if it matters.

Best,

Doug

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org