What's New in CyberCop Scanner v5.0 for Windows NT 4.0 and Windows 2000 Beta

Copyright (c) 1998-99 by Network Associates, Inc., and its Affiliated Companies.
All Rights Reserved.

Thank you for using CyberCop Scanner. This What's New file contains important
information about the current version of CyberCop Scanner. Network Associates
recommends that you read this file before using CyberCop Scanner.

Network Associates welcomes your comments and suggestions. Please use the
information provided in this file to contact us.

___________________
WHAT'S IN THIS FILE

- New Features
- System Requirements
- Documentation
- Known Issues
- Frequently Asked Questions
- Contacting Network Associates

_______________
NEW FEATURES

1. CyberCop Scanner is a member of the premier release of Network Associates'
   integrated family of Active Security products. These products represent the
   next evolutionary step in enterprise security: proactive, automated
   enforcement of network security policies. Active Security performs
   customized, automated responses to network security vulnerabilities as they
   are discovered on your network. Responses can include creating helpdesk
   tickets and routing them to the appropriate person in your organization,
   sending SMTP messages or pager alerts to administrators, and shutting down
   specific ports on Gauntlet Firewalls so that malicious users cannot exploit
   these vulnerabilities.

   The Active Security family of products includes:

   * CyberCop Scanner
     Provides proactive scanning of your network for security vulnerabilities
   * Event Orchestrator
     A modular, extensible event management platform that coordinates
     responses to security vulnerabilities
   * Gauntlet Firewall
     Provides world-class firewall security with patent-pending Adaptive Proxy
     technology
   * Net Tools PKI Server
     Provides effortless management of X.509 certificates for Network
     Associates products
   * McAfee HelpDesk
     Provides a robust problem tracking platform that can model your
     organization's business processes

   For more information about Active Security features, see the Active
   Security What's New file, ActiveSecurity.txt, included in this
   distribution.

2. CyberCop Scanner v5.0 runs under Windows 2000 Beta. Windows 2000 Beta is the
   next release of Windows NT by Microsoft. For more information on Windows
   2000 Beta, visit Microsoft’s web site at http://www.microsoft.com.

3. CyberCop Scanner v5.0 supports multiprocessor machines.

4. CyberCop Scanner v5.0 includes the following new modules:

   - Module 5010:  StarTech POP Proxy Server Buffer Overflow
   - Module 8012:  Compaq/Microcom 6000 Denial of Service Check
   - Module 8049:  WinGate Proxy Connection Loop DOS
   - Module 8050:  Xylogics/Bay Annex Ping CGI Overflow
   - Module 8051:  HP LaserJet 5 SNMP Denial of Service
   - Module 8053:  Windows NT-SLmail v3.1 Denial of Service Check
   - Module 10050: Acme's thttpd-HTTP Server GET Bug (ver<2.03)
   - Module 15047: BNC IRC Proxy Remote Overflow
   - Module 15048: CSM Proxy 4.1 Denial of Service
   - Module 28013: Service Pack 4-Service Pack 4 is not Installed
   - Module 29003: Windows NT-IIS 2.0/3.0 Installed
   - Module 29011: Windows NT-IIS Anonymous FTP Access Permitted
   - Module 29012: Windows NT-IIS Anonymous Gopher Access Permitted
   - Module 29013: Windows NT-IIS WWW Guest Access Permitted
   - Module 29014: Windows NT-IIS WWW Special Characters Permitted
   - Module 29015: Windows NT-IIS WWW CreateProcess Enabled
   - Module 29016: Windows NT-IIS WWW Successful Logging Disabled
   - Module 29017: Windows NT-IIS WWW Error Logging Disabled
   - Module 29018: Windows NT-IIS WWW Server Side Includes
   - Module 29019: Windows NT-IIS FTP Guest Access Permitted
   - Module 29021: Windows NT-IIS FTP Bounce Attack Enabled
   - Module 29022: Windows NT-IIS FTP Anonymous Usage Logging Disabled
   - Module 29023: Windows NT-IIS FTP Regular User Usage Logging Disabled

   For more information on the modules listed above, refer to the CyberCop
   Scanner Vulnerability Guide, included separately with this CyberCop Scanner
   release, or to the on-line module descriptions in the Module Configuration
   tab of CyberCop Scanner.

_______________________
SYSTEM REQUIREMENTS

There are minimum system requirements that must be met to install and use
CyberCop Scanner.
The minimum system requirements are as follows:

- Windows NT Workstation 4.0 with Service Pack 3
- 233 MHz Pentium processor
- 64 MB of RAM
- 40 MB of free disk space

If your system does not meet these minimum requirements, upgrade it before
installing CyberCop Scanner. CyberCop Scanner performs optimally when the
minimum system requirements are met or exceeded.

For information on installing and uninstalling CyberCop Scanner, refer to
Chapter 2 of the User’s Guide, "Installing CyberCop Scanner."

__________________
DOCUMENTATION

Your distribution of CyberCop Scanner includes the following documentation:

- WHATSNEW
- ACTIVE SECURITY
- LICENSE
- RESELLER
- Y2K

Also included separately with this release, in PDF format, are the following
manuals, which can be viewed on-line as well as printed:

- CyberCop Scanner User’s Guide
- CyberCop Scanner Vulnerability Guide
- Active Security Getting Started Guide

NOTE: The CyberCop Scanner User’s Guide and Vulnerability Guide, as well as the
Active Security Getting Started Guide, are provided as PDF files. PDF files are
viewed with Adobe Acrobat. You can download a copy of Acrobat Reader from the
Adobe Systems Incorporated web site at
http://www.adobe.com/prodindex/acrobat/readstep.html. Follow the download
instructions, including selecting the Windows NT operating system, then click
Download to download Adobe Acrobat Reader to your system.

_______________
KNOWN ISSUES

1. Some CyberCop Scanner modules require raw Ethernet devices when testing for
   security vulnerabilities. Traffic to localhost (127.0.0.1) is handled by the
   loopback path and never reaches an Ethernet interface, so modules that
   require raw Ethernet devices return inaccurate vulnerability information
   when run against localhost.

2. A router icon may be depicted as a host icon in network maps. Network maps
   are generated when Module 1041: Trace Route to Host is enabled in the Module
   Configuration tab, and are displayed in the Reports>Network Map tab.

3. Module 18024: Windows NT-Unable Access IPC$ in Registry should be selected
   when running modules in the Windows NT module groups. Module 18024 checks
   whether you have access to IPC$ or the registry. If Module 18024 is not
   selected, modules in the Windows NT module groups may not report correct
   vulnerability information.

4. Windows NT passwords are case sensitive, so the Crack and SMB Grind programs
   try each entry in the NTpasslist.txt file exactly as it is typed; they do
   not generate case variants for you. Note, however, that the LAN Manager hash
   (the hash Crack checks) is computed from the upper-cased password, so
   against that hash two entries that differ only in case are redundant; case
   matters for the NT (MD4) hash.

5. Only Module 1800: Connection to IPC$ as Anonymous User of the Windows NT
   Network Vulnerability module group is displayed in the View Currently
   Running Modules dialog box, even if other modules in the module group are
   selected. This dialog box is used to monitor modules during a scan; it is
   displayed when you select the Scan>View Currently Running Modules menu item.

6. If you save the results database to a directory other than the directory
   where CyberCop Scanner is installed, you get the following error message
   when generating a report:

      "Error: Error: Hosts database contains no entries."

   Before you generate a report, be sure to save the results database (or a
   copy of it) to the directory where CyberCop Scanner is installed. By
   default, scan results are saved to the results database results.dat.

7. 3-D graphs generated for HTML reports may not be displayed properly in the
   Report screen. You can use controls in the Report screen to adjust the
   presentation of 3-D graphs. For example, if a 3-D graph is not in an optimal
   position on the screen, you can move it by clicking and dragging the mouse
   on the graph. You can also adjust the font size of graph text with the Text
   Scale slider bar.

8. The Skip Currently Running Module button on the toolbar may not stop all
   modules that are currently running in a scan.

9. The AutoUpdate program lets you set parameters for downloading update packs
   for CyberCop Scanner from an FTP site. When you download update packs using
   the FTP Through Web Proxy method, you cannot select a port number for the
   proxy; the proxy port always defaults to 80.

10. The AutoUpdate program expects a user name and password for the FTP site.
    To log on as anonymous, leave the user name and password textboxes blank.

11. If you schedule a future update in the AutoUpdate program using a
    passworded FTP account, your FTP password will be displayed in the Windows
    NT Scheduler. Because the password is visible to anyone who can view the
    scheduled job, do not reuse a password from a privileged account; use a
    dedicated FTP account that has no other privileges.

12. You can use update packs already stored on your hard drive to perform an
    AutoUpdate. When you use these packs, be sure to run them from
    $ScannerHome\updates in the AutoUpdate program.

13. When you specify a range of IP addresses to be scanned in the Host Range
    textbox of the Scan Settings screen, the range is not stored in the open
    configuration file; it is stored in the registry. The range is used for
    subsequent scans, no matter which configuration file is open. To change
    the range, enter a new range of IP addresses in the Host Range textbox for
    each scan.

14. You can run a scan either from Scan>Start Scan in the CyberCop Scanner
    software or from the command line. If you run scans from both the software
    and the command line for the same open configuration file, you may get an
    error message.

15. Module 22001: Internet Explorer Zone-Download Unsigned Active X and Module
    22002: Internet Explorer-Java Logging Disabled require access to the
    target's remote registry; otherwise they may not return accurate
    vulnerability information. Before you run Modules 22001 and 22002, make
    sure that your account has sufficient privileges for these checks, for
    example the ability to read a registry remotely. In general, you should
    have domain administrator privileges on target machines for vulnerability
    checks to return accurate data.

16. If you install CyberCop Scanner on a system with more than one network
    interface card, you must assign a valid IP address to each network
    interface card.

_______________________________
FREQUENTLY ASKED QUESTIONS

Q: Are network maps automatically generated for each scan?
A: You configure the software to generate network maps. Specifically, you
   enable Module 1041: Trace Route to Host in the Module Configuration tab to
   generate a network map. This module should be selected by default. You can
   view network maps in the Reports>Network Map tab.

Q: Upon uninstall, does the InstallShield Uninstaller program remove all
   CyberCop Scanner files?
A: The InstallShield Uninstaller program removes all CyberCop Scanner files
   except those that were created after installation, for instance reports.

Q: Do graphics in RTF reports sometimes not display well?
A: Graphics in RTF reports may not display well in some programs, most notably
   WordPad. Try viewing RTF reports in Microsoft Word or a more compatible RTF
   viewer.

Q: Are valid domain names verified on DNS entries?
A: No. This version of CyberCop Scanner performs no range or validity check on
   DNS entries.

Q: How is SMB Grind run from the command line?
A: Run utils\smbgrind from the directory where CyberCop Scanner is installed.
   By default, CyberCop Scanner is installed in
   c:\Program Files\Network Associates\CyberCop Scanner.

Q: Do you need to close all programs, including CyberCop Scanner, before
   running the AutoUpdate program?
A: You should close all programs, including CyberCop Scanner, before running
   the AutoUpdate program.
   The AutoUpdate program will run if CyberCop Scanner is open; however, it
   will not update components that are open or in memory. To start the
   AutoUpdate program, select Updater from the Tools menu of CyberCop Scanner.
   The AutoUpdate program asks you to close all programs, including CyberCop
   Scanner. After you close all programs, run the update from the AutoUpdate
   program user interface.

Q: Does the Crack program check against both the LAN Manager hash and the MD4
   hash?
A: At this time, the Crack program checks against the LAN Manager hash only.
   The LAN Manager hash is computed from the upper-cased password, truncated
   to 14 characters and split into two 7-character halves that are encrypted
   independently, so it is much weaker than the NT (MD4) hash, and a wordlist
   does not need case variants of the same word to crack it.

Q: Do you need certain privileges, for instance those associated with a domain
   administrator account, to run some modules?
A: To run some modules, you must have certain privileges on both the host
   machine and the target machine(s). Otherwise, these modules may not be able
   to return accurate vulnerability data.

Q: How do you manually uninstall CyberCop Scanner?
A: To manually uninstall CyberCop Scanner, follow these steps:

   1. Disable the NTBPF device.
      a. From Start>Settings>Control Panel, double-click Devices.
      b. Select NTBPF and click the Stop button.
      c. You will be asked whether you want to stop the NTBPF device. Click
         the Yes button.
      d. Reselect NTBPF, if necessary, and then click the Startup button.
      e. Select the Disabled startup type and click the OK button.
      f. Click the Close button.
   2. Find the CyberCop Scanner directory in Explorer and delete it.
   3. From Start>Run, open regedit.
   4. Delete the following registry keys and values (export each key first so
      that you can restore it if you delete the wrong one):

      HKLM\SOFTWARE\Network Associates\CyberCop Scanner
      HKLM\SOFTWARE\Network Associates,Inc.\Active Security
      HKLM\SOFTWARE\Network Associates,Inc.\CyberCop Scanner
         value: ScannerDir
      HKLM\SOFTWARE\Network Associates,Inc.\CyberCop Scanner\Licensed
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
         value: ActiveSetupCyberCopScanner
      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
         values: MaxFreeTcbs and MaxHashTableSize

      Under the Run and Tcpip\Parameters keys, delete only the named values,
      not the keys themselves; other software depends on those keys. Removing
      MaxFreeTcbs and MaxHashTableSize returns the TCP/IP stack to its default
      settings.
   5. If you configured CyberCop Scanner for Active Security, delete
      ranseed.rnd in c:\Winnt.
   6. Delete ntbpf.sys in c:\Winnt\System32\Drivers.

   The manual uninstall of CyberCop Scanner is now complete.

__________________________________
CONTACTING NETWORK ASSOCIATES

*FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS*

Contact the Network Associates Customer Care department:

1. Corporate-licensed customers, call (408) 988-3832
   Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time
   Retail-licensed customers, call (972) 278-6100
   Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time
2. Fax (408) 970-9727
   24-hour, Group III fax
3. Fax-back automated response system (408) 988-3034
   24-hour fax

Send correspondence to any of the following Network Associates locations:

Network Associates Corporate Headquarters
3965 Freedom Circle
Santa Clara, CA 95054

Network Associates Canada
139 Main Street, Suite 201
Unionville, Ontario
Canada L3R 2G6

Network Associates Europe B.V.
Gatwickstraat 25
1043 GL Amsterdam
The Netherlands

Network Associates (UK) Ltd.
Hayley House, London Road
Bracknell, Berkshire RG12 2TH
United Kingdom

Network Associates France S.A.
50 rue de Londres
75008 Paris
France

Network Associates Deutschland
Industriestrasse 1
D-82110 Germering
Germany

Network Associates Japan Co, Ltd.
Toranomon 33 Mori Bldg.
3-8-21 Toranomon
Minato-Ku, Tokyo 105
Japan

Network Associates Korea
135-090, 18th Fl., Kyoung Am Bldg.
157-27 Samsung-Dong, Kangnam-Ku
Seoul, Korea

Network Associates South East Asia
7 Temasek Boulevard
The Penthouse #44-01, Suntec Tower One
Singapore 038987

Network Associates Australia
Level 1, 500 Pacific Highway
St. Leonards, NSW 2065
Australia

Network Associates Latin America
150 South Pine Island Road, Suite 205
Plantation, FL 33324
USA

Or, you can receive online assistance through any of the following resources:

1. Bulletin Board System: (408) 988-3034
   24-hour US Robotics HST DS
2. Internet e-mail: support@nai.com
3. Internet FTP: ftp.nai.com
4. World Wide Web: http://www.nai.com
5. America Online: keyword NAI
6. CompuServe: GO NAI

Before contacting Network Associates, please make note of the following
information. When sending correspondence, please include the same details.

- Program name and version number
- Type and brand of your computer, hard drive, and any peripherals
- Operating system type and version
- Network name, operating system, and version
- Contents of your AUTOEXEC.BAT, CONFIG.SYS, and system LOGIN script
- Microsoft service pack, where applicable
- Network card installed, where applicable
- Modem manufacturer, model, and baud, where applicable
- Relevant browsers/applications and version number, where applicable
- Problem
- Specific scenario where problem occurs
- Conditions required to reproduce problem
- Statement of whether problem is reproducible on demand
- Your contact information: voice, fax, and e-mail

General feedback is also welcome.

*FOR ON-SITE TRAINING INFORMATION*

Contact Network Associates Customer Service at (800) 338-8754.

*FOR PRODUCT UPGRADES*

To make it easier for you to receive and use Network Associates’ products, we
have established a Resellers program to provide service, sales, and support for
our products worldwide. To display a list of Network Associates resellers
outside the United States, go to the Network Associates website, click the
Contact tab, and then click International Resellers.

*FOR ENCRYPTING TRANSACTIONS*

Use the PGP 5.5.5 key below if you want to encrypt transactions with Network
Associates.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 5.5.5 mQGiBDZI7EERBADrBNx6FuJCnRcDrqUd5jzNR/h4CqPQIcQ3JDb2bDu6qIDvw+/b juYVuHCR3D0RprHLqqqdxyM3pUE57VSlk6ZM8083LtoquSGnjGicXQXHteXVGuno J5NTQkyi9jUrv/0G3PsqnuXCuUT2wm81qVnD+tNDa+Xrffz3/0IBfQqMEQCg//Qc tf6J1YzxSjcvYGRdjM7gN+kD/0pWgntQSdH7BEQFIZY3j9eADhQl831Q6yCJznTM QZeqWvETAaPBPy0wM7ywfeDptSmoXirCv3HR/Ut4VE6kZcqCjYBB4GC7rmhX/BwM 4+3FOoW5Al7zWS7DIGpqgJ7QtNCExfgxXAC8eEY74bCbjqFrQTGOgGnjkVFgq2eA RjSbBAC4nIBrhldp5d4Amu25cEH11+HJbyNumZOcdSEK1QrksEL09EYL2emFmY2i DqJOUdAOHxXz7eaSmdGusZ7LdUMdBe1jsfIgp8dCQ/swo9TGPguvqSj6SZuZSIWy hjB8s+k7zHM36TbYPEAmrQ1FyFuSLPGFmnR0wWarEkqbVH/e7rQ2TmV0d29yayBB c3NvY2lhdGVzIEN5YmVyQ29wIFNjYW5uZXIgIDxzdXBwb3J0QG5haS5jb20+iQBL BBARAgALBQI2SOxBBAsDAgEACgkQeJzA2V4nNp27ZgCgtlhAg/sdCHFd/5H1rSfl +pk1NGcAn33AMaxrAW4JwBgRF8iJD8Nl92jVuQINBDZI7EIQCAD2Qle3CH8IF3Ki utapQvMF6PlTETlPtvFuuUs4INoBp1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l 6RfUodNQ+PVZX9x2Uk89PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9 kV7HAarTW56NoKVyOtQa8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIiz HHxbLY7288kjwEPwpVsYjY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgR jXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Je w1XpMgs7AAICCAC9v9nGAyLFnQKJ/O3fyvm028xSJMYzEAuZ1d676RVpdvw/a41h Rjzed4G8hzoYOxO27zGrmP7RKsUG69+ecbBk6ETMh0QEGRI9XzdOqyPHDCzIEVOg 8LMlN9S2jVGYNUID7jNDgn7LOL+8qwCfdJlXqeQ3EuvY1Oug/KxMS40tQ0soUzfS PxtWO0djkksW21/7cWW8ngzdXuNot6KKGFIK0cPnHVkSkRVomHJ0++4Ck8wG/0tb ky3KNrTAkWbIh8RbU+wfClqoco0ONhEZ1W0QM2sKBNZsAZSM56oDRKcRvNzs7bma 7zV6IwwnxoT+xhau+2Q/96liIb2QmVM9wL0/iQBGBBgRAgAGBQI2SOxCAAoJEHic wNleJzadfMUAn2ddrUbP7x7rEAgkYvTGJlirYKI1AKD2W/buz28bODY8cK6UMKIX Ln/iyw== =oU26 -----END PGP PUBLIC KEY BLOCK-----
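The following program is an added example; it is not part of the original
What's New file and is not code from Network Associates' Crack or SMB Grind
programs. It illustrates the two points made in Known Issue 4 and in the FAQ
answer about Crack: the LAN Manager hash, which Crack checks, is computed from
the upper-cased password, so NTpasslist.txt entries that differ only in case
produce the same hash, and a password of seven characters or fewer leaves the
second half of the hash equal to the fixed value AAD3B435B51404EE. The hash
construction (upper-case, pad to 14 bytes, derive two 7-byte DES keys, encrypt
the constant "KGS!@#$%") is the standard LAN Manager algorithm; the word list
in the code is constructed for the example and is not the NTpasslist.txt
shipped with the product. It uses only the Go standard library.

```go
// lmhash.go: LAN Manager hash demonstration (added example; not part of
// CyberCop Scanner). Run with: go run lmhash.go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// lmMagic is the fixed plaintext LAN Manager encrypts under each half of the
// password.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is DES_k("KGS!@#$%") for the all-zero key, i.e. the hash half of
// an empty (padding-only) 7-character block.
const EmptyHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads 7 password bytes over an 8-byte DES key: each key byte
// carries 7 password bits in its high bits and an odd-parity bit in bit 0.
// DES discards the parity bit, so setting it only matters for readability.
func desKeyFrom7(s []byte) []byte {
	k := []byte{
		s[0] >> 1,
		(s[0]&0x01)<<6 | s[1]>>2,
		(s[1]&0x03)<<5 | s[2]>>3,
		(s[2]&0x07)<<4 | s[3]>>4,
		(s[3]&0x0F)<<3 | s[4]>>5,
		(s[4]&0x1F)<<2 | s[5]>>6,
		(s[5]&0x3F)<<1 | s[6]>>7,
		s[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
		if bits.OnesCount8(k[i])%2 == 0 {
			k[i] |= 1 // odd parity
		}
	}
	return k
}

// LMHash returns the LAN Manager hash of password as 32 upper-case hex
// characters, the form in which NT stores it and cracking tools print it.
// Like LAN Manager it upper-cases the password and truncates it to 14
// characters. Only ASCII passwords are handled here; real LAN Manager
// upper-cases in the OEM code page.
func LMHash(password string) string {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	padded := make([]byte, 14) // zero padding, as LAN Manager does
	copy(padded, p)

	out := make([]byte, 16)
	for half := 0; half < 2; half++ {
		block, err := des.NewCipher(desKeyFrom7(padded[half*7 : half*7+7]))
		if err != nil {
			panic(err) // unreachable: the key is always 8 bytes
		}
		block.Encrypt(out[half*8:half*8+8], lmMagic)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// IsAtMost7Chars reports whether an LM hash belongs to a password of seven
// characters or fewer: its second half is then the empty-block constant.
func IsAtMost7Chars(lmhash string) bool {
	return len(lmhash) == 32 && strings.EqualFold(lmhash[16:], EmptyHalf)
}

// DedupForLM drops wordlist entries whose LM hash was already produced by an
// earlier entry (case variants of the same word) and returns the survivors
// with their hashes, in original order.
func DedupForLM(words []string) (kept []string, hashes []string) {
	seen := map[string]bool{}
	for _, w := range words {
		h := LMHash(w)
		if seen[h] {
			continue
		}
		seen[h] = true
		kept = append(kept, w)
		hashes = append(hashes, h)
	}
	return kept, hashes
}

func main() {
	// Constructed wordlist in the style of NTpasslist.txt (not the real file).
	words := []string{"Password", "password", "PASSWORD", "Secret1", "Secret12", "LongerPassphrase"}
	kept, hashes := DedupForLM(words)
	fmt.Printf("%d of %d entries are distinct for the LM hash\n", len(kept), len(words))
	for i, w := range kept {
		fmt.Printf("%-18s %s  at most 7 chars: %v\n", w, hashes[i], IsAtMost7Chars(hashes[i]))
	}
	fmt.Println("empty password:    ", LMHash("")) // AAD3B435B51404EEAAD3B435B51404EE
}
```

Running it shows Password, password and PASSWORD collapsing to a single LM
hash, which is why case variants in NTpasslist.txt add nothing when Crack
checks the LAN Manager hash, even though, as Known Issue 4 says, each entry is
still tried as typed. IsAtMost7Chars is the check a practitioner makes on a
dumped hash before cracking: a second half of AAD3B435B51404EE means only one
7-character DES block needs to be searched.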