Microsoft Internet Explorer End Of Life Detection false positive

OID: 1.3.6.1.4.1.25623.1.0.806657
Version: 2019-05-20T11:12:48+0000
OS: Windows Server 2012 R2

It appears to query the registry and use the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Version which returns a value of: 9.11.9600.19377

The Version value is prefixed with a 9 for backwards compatibility, but it does not indicate version 9 of IE.

Another string value is present in the key. svcVersion is 11.0.9600.19377. This should probably be used as the basis for the version detection.

We are using the source edition if that makes any difference.

Hi,
the VT checks if the registry key “HKLM\Software\Microsoft\Internet Explorer!svcVersion” exists and takes this value. If not present, it takes the “Version” item.

Btw.: the detection is done via VT “Microsoft Internet Explorer Version Detection (Windows)” (OID: 1.3.6.1.4.1.25623.1.0.800209).

Can you please tell me which version (“Last Modified”) of the VT you are using and whether both keys exist in your registry?


Both keys exist in the registry.

I looked at the scan results for 1.3.6.1.4.1.25623.1.0.800209. The result is very strange. The server in question has multiple IP addresses. The scan results show the correct version from all of the IP addresses except 1 which is reporting the old version.

We run these scans monthly and this has not occurred in the past.

Here is the info for the NVT you listed:
Family: Product detection
OID: 1.3.6.1.4.1.25623.1.0.800209
Version: $Revision: 11086 $

Sorry, I missed the modified date for the VT. It is: Thu Aug 23 06:43:53 2018.

The most rational explanation for this behavior is that there were some issues (e.g. network connectivity) while gathering the version from HKLM\Software\Microsoft\Internet Explorer!svcVersion.

In this case the VT is falling back to gather the version from HKLM\Software\Microsoft\Internet Explorer!Version instead which holds the backwards compatibility version as you have noticed.

To avoid such situations the following VT:

was updated to try the svcVersion key once more in such situations. In addition the key where the version was gathered is now included in the detection report as well.

Those changes should arrive in the feed once the above VT has reached the version 2019-07-05T06:51:10+0000 and/or last modification date of 2019-07-05 06:51:10 +0000 (Fri, 05 Jul 2019).

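The fallback and retry behavior described in the replies above, modeled as an added example that is not part of the thread and not the VT's own NASL code. The reader function, the `Detection` type and the rule for spotting the compatibility form are assumptions made for illustration; the two version strings are the ones quoted in the thread.

```python
from typing import Callable, NamedTuple, Optional

class Detection(NamedTuple):
    version: Optional[str]
    source: Optional[str]   # registry item the value was read from
    compat_form: bool       # value looks like the backwards-compatibility form

def looks_like_compat(version: str) -> bool:
    # Assumption: a "9.<minor>" value with minor >= 10 (such as the
    # 9.11.9600.19377 quoted in the thread) is the compatibility form.
    parts = version.split(".")
    return (len(parts) >= 2 and parts[0] == "9"
            and parts[1].isdigit() and int(parts[1]) >= 10)

def resolve_ie_version(read_value: Callable[[str], Optional[str]],
                       retries: int = 1) -> Detection:
    """Prefer svcVersion, retry it on failure, then fall back to Version.

    read_value(item) is a hypothetical registry reader returning the string
    value, or None when the item is missing or the read failed.
    """
    for _ in range(1 + retries):
        value = read_value("svcVersion")
        if value:
            return Detection(value, "svcVersion", False)
    value = read_value("Version")
    if not value:
        return Detection(None, None, False)
    return Detection(value, "Version", looks_like_compat(value))

# Constructed registry contents, using the values quoted in the thread.
SAMPLE = {"Version": "9.11.9600.19377", "svcVersion": "11.0.9600.19377"}

def flaky_reader(registry, fail_first=0):
    """Constructed reader: the first `fail_first` svcVersion reads fail."""
    state = {"left": fail_first}
    def read(item):
        if item == "svcVersion" and state["left"] > 0:
            state["left"] -= 1
            return None          # simulates a transient read failure
        return registry.get(item)
    return read

if __name__ == "__main__":
    # No retry: one failed read yields the misleading compatibility value.
    print(resolve_ie_version(flaky_reader(SAMPLE, fail_first=1), retries=0))
    # One retry: the same transient failure is absorbed.
    print(resolve_ie_version(flaky_reader(SAMPLE, fail_first=1), retries=1))
```

Reporting the source item next to the version, as the updated VT does, is what lets a reviewer tell a fallback result apart from a real version 9 finding.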