Missing Windows version in "OS End Of Life Detection"

Hi all. I wonder why there are Windows versions not in os_eol.inc, like Windows 7 SP1 and Windows Server 2008, 2012, 2016. Is this intentional or just a mistake? Because I know Windows 7 SP1 and 2008 are EOL.

https://support.microsoft.com/en-us/lifecycle/search?alpha=Windows%207
https://support.microsoft.com/en-us/lifecycle/search?alpha=Windows%202008

Hi,

thanks for bringing this to our attention. There are indeed quite a few missing entries which we are definitely going to add. However, when it comes to Windows 7 and Windows Server 2008, these are covered by Microsoft’s extended support. We have yet to find a way to distinguish ESU systems from their regular, unsupported counterparts, otherwise this will lead to quite a lot of false positives.

Regards

5 Likes

As a follow-up, because the same question was asked today in https://community.greenbone.net/t/windows-2008-server-eol-detection/8843:

The following VT has existed for quite some time:

Name: Microsoft Windows 7 / Server 2008 End Of Life Detection
OID: 1.3.6.1.4.1.25623.1.0.108956
Family: General

This VT is reporting a vulnerability but with a “remote_banner_unreliable” QoD (you can lower the QoD in your report to see the result) to avoid false positives, because currently no detection of ESU-enabled systems is implemented.

2 Likes

Hi @cfi @_ad, Windows Server 2012 and 2012 R2 reached end of support in Oct 2023 but this is not reported by the scanner. Could you take a look?

This is actually expected: Windows Server 2012 and 2012 R2 are not end of life and are still receiving security updates in / via:

Also please keep in mind that:

  1. EOL reporting is (at least currently) only a “byproduct” of vulnerability scanning, is only maintained “as time permits” and without any guarantee for completeness / SLA or similar
  2. such systems can also already be identified in e.g. GSA via “Assets → Operating Systems” and by searching for e.g. cpe:/o:microsoft:windows_server_2012 there

3 Likes

Hi @cfi,

But I think this case is similar to the case of Windows 7 and Windows Server 2008 above, right?

In case you won’t write a plugin for this, is it fine if we write our own plugin similar to “Microsoft Windows 7 / Server 2008 End Of Life Detection”, consider the correctness?

I’m not working on this topic anymore (remember, this thread is four years old), so unfortunately I can’t say anything about this or any further plans.

1 Like