I think what's happening is that the nessus script is looking for a 404
error to verify that it's not vulnerable, and IIS returns something other
than a 404 when requesting an EXE.

> -----Original Message-----
> From: Bob Tanner [mailto:tanner at real-time.com] 
> Sent: Thursday, January 24, 2002 5:06 PM
> To: tclug-list at mn-linux.org
> Subject: [TCLUG] nessus false positives?
> 
> 
> Been playing with the nessus security scanner. It seems to 
> find lots of false
> positives.
> 
> For instance, when I scan any IIS server I always get these errors:
> 
> Vulnerability found on port www (80/tcp)
> 
> The file /wwwboard/passwd.txt exists.
> 
> Vulnerability found on port www (80/tcp)
> 
>       The 'wrap' CGI is installed. This CGI allows
> anyone to get a listing for any directory with mode +755.
> 
> Vulnerability found on port www (80/tcp)
> 
> The 'windmail.exe' cgi is installed.
> 
> 
> Yet, doing a find for "*windmail*" on all drive comes up blank.
> 
> So, is this a false positive? hidden file? something inside IIS?
> 
> 
> -- 
> Minneapolis St. Paul Twin Cities MN        | Phone : (952)943-8700
> http://www.mn-linux.org Minnesota Linux    | Fax   : (952)943-8500
> Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9 
> 
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. 
> Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>