
Vulnerability Scanning - Vuln ID 813116 - Microsoft Antimalware - False Positive


New Life Form
Running OSSIM 5.5.1. When running a vulnerability scan against a Windows Server 2008 R SP1 host with System Center Endpoint Protection installed, the following vulnerabilities are identified and appear to be false positives:
Microsoft Malware Protection Engine on Windows Defender Multiple Vulnerabilities - 811067
Microsoft Malware Protection Engine on Windows Defender RCE Vulnerability - Apr 2018 - 813116

The more recent of the two indicates the following detection criteria:

Installed version: 1.1.5605.0
Fixed version: 1.1.14700.5 or higher

When reviewing the config for this vulnerability (http://ww.hoodies-online.de/nasl.php?oid=813116), it appears to be checking the following registry entry:  HKLM:SOFTWARE\Microsoft\Windows Defender\Signature Updates\EngineVersion

Manually checking that registry value shows the version as:  1.1.14800.3

Has anyone been able to determine why this false positive is occurring or why the plugin is identifying the installed version as 1.1.5605.0?
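
A local check of the detection criteria quoted in the post, as an added example (not part of the original post and not the scanner plugin's own code). `Test-EngineVersion` is a hypothetical helper name, and the registry path is written in PowerShell provider form, with a backslash after `HKLM:`.

```powershell
# Values quoted in the post above.
$KeyPath      = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
$FixedVersion = [version]'1.1.14700.5'   # plugin's "Fixed version"
$ScannerSaw   = [version]'1.1.5605.0'    # plugin's "Installed version"

function Test-EngineVersion {            # hypothetical helper name
    param([string]$Path, [version]$Fixed, [version]$Reported)

    $result = @{ Path = $Path; Local = $null; Status = $null }

    # Read EngineVersion from the host; a missing key or value is its own outcome.
    try {
        $raw = (Get-ItemProperty -Path $Path -Name EngineVersion -ErrorAction Stop).EngineVersion
    } catch {
        $result.Status = 'EngineVersion not readable at this path'
        return New-Object PSObject -Property $result
    }
    if (-not $raw) {
        $result.Status = 'EngineVersion is empty'
        return New-Object PSObject -Property $result
    }

    # Compare as [version], field by field, not as strings:
    # as text, '1.1.5605.0' sorts after '1.1.14700.5'.
    try { $local = [version]$raw } catch {
        $result.Status = "EngineVersion is not a dotted version: $raw"
        return New-Object PSObject -Property $result
    }
    $result.Local = $local

    if ($local -lt $Fixed) {
        $result.Status = 'below fixed version: the finding matches the host'
    } elseif ($local -ne $Reported) {
        $result.Status = 'at or above fixed version; scanner reported a different value'
    } else {
        $result.Status = 'at or above fixed version'
    }
    return New-Object PSObject -Property $result
}

Test-EngineVersion -Path $KeyPath -Fixed $FixedVersion -Reported $ScannerSaw |
    Format-List Path, Local, Status
```

Running it from an elevated prompt on the scanned host records the locally read value next to the version the scan reported, which is the evidence to attach when marking the finding as a false positive.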
