Hi all. I wonder why there are Windows versions not in os_eol.inc like Windows 7 SP1, Windows Server 2008, 2012, 2016. Is this intentional or just a mistake? Because I know Windows 7 SP1 and 2008 are EOL.
Thanks for bringing this to our attention. There are indeed quite a few missing entries which we are definitely going to add. However, when it comes to Windows 7 and Windows Server 2008, these are covered by Microsoft’s extended support. We have yet to find a way to distinguish ESU systems from their regular, unsupported counterparts; otherwise this will lead to quite a lot of false positives.
Name: Microsoft Windows 7 / Server 2008 End Of Life Detection
OID: 1.3.6.1.4.1.25623.1.0.108956
Family: General
This VT is reporting a vulnerability but with a “remote_banner_unreliable” QoD (you can lower the QoD in your report to see the result) to avoid false positives, because currently no detection of ESU-enabled systems is implemented.
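To show how the ESU ambiguity described above turns into an "unreliable" QoD and why the finding only appears once the report's QoD threshold is lowered, here is an added illustration in Python. It is not Greenbone's os_eol.inc or VT code; the EOL table, the dates in it, the sample hosts, and the two QoD percentages are constructed for this example.

```python
"""Classify hosts as EOL from their OS CPE, with an explicit 'unreliable'
confidence for products that may still be covered by paid ESU.

Added illustration, not Greenbone code. Table, dates, hosts and QoD
percentages below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class EolEntry:
    eol: date       # date support ended (constructed sample value)
    has_esu: bool   # vendor offers Extended Security Updates past that date


# Constructed sample table keyed by (vendor, product) taken from the CPE.
EOL_TABLE: dict[tuple[str, str], EolEntry] = {
    ("microsoft", "windows_7"): EolEntry(date(2020, 1, 14), True),
    ("microsoft", "windows_server_2008"): EolEntry(date(2020, 1, 14), True),
    ("microsoft", "windows_server_2012"): EolEntry(date(2023, 10, 10), True),
    ("microsoft", "windows_xp"): EolEntry(date(2014, 4, 8), False),
}

# Assumed percentages for the two QoD labels used here; check the scanner's
# own QoD table before relying on them.
QOD_PERCENT = {"remote_banner": 80, "remote_banner_unreliable": 30}

# Constructed sample hosts: name -> detected OS CPE.
SAMPLE_HOSTS = {
    "ws01": "cpe:/o:microsoft:windows_7:-:sp1",
    "srv12": "cpe:/o:microsoft:windows_server_2012:r2",
    "kiosk": "cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:*:*",
    "lab": "cpe:/o:linux:linux_kernel:5.4",
}
SAMPLE_TODAY = date(2021, 6, 1)  # constructed scan date


def parse_cpe(cpe: str) -> Optional[tuple[str, str, str, str]]:
    """Return (part, vendor, product, version) from a CPE 2.2 URI
    ('cpe:/o:vendor:product:version') or a CPE 2.3 formatted string
    ('cpe:2.3:o:vendor:product:version:...'). Anything else -> None."""
    if cpe.startswith("cpe:2.3:"):
        fields = cpe[len("cpe:2.3:"):].split(":")
    elif cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")
    else:
        return None
    if len(fields) < 3 or not fields[0]:
        return None
    fields += [""] * (4 - len(fields))          # pad a missing version field
    part, vendor, product, version = fields[:4]
    version = "" if version in ("*", "-") else version   # CPE wildcards
    return part, vendor.lower(), product.lower(), version.lower()


def eol_status(cpe: str, today: date) -> tuple[str, str]:
    """Map an OS CPE to (status, qod_label).

    status: 'supported' | 'eol' | 'unknown'
    qod_label: 'remote_banner' when the verdict does not hinge on ESU,
               'remote_banner_unreliable' when the product is past EOL but
               may be under ESU, which cannot be told apart remotely."""
    parsed = parse_cpe(cpe)
    if parsed is None or parsed[0] != "o":
        return "unknown", "remote_banner_unreliable"
    _, vendor, product, _version = parsed
    entry = EOL_TABLE.get((vendor, product))
    if entry is None:
        return "unknown", "remote_banner_unreliable"   # not tracked: no report
    if today < entry.eol:
        return "supported", "remote_banner"
    if entry.has_esu:
        return "eol", "remote_banner_unreliable"        # ESU possible: low QoD
    return "eol", "remote_banner"


def eol_findings(hosts: dict[str, str], today: date, min_qod: int = 70) -> list[str]:
    """Hosts whose EOL finding survives a report filter of min_qod percent.
    With the usual threshold the ESU-eligible hosts are hidden; lowering
    min_qod (e.g. to 30) makes them appear, as the VT note describes."""
    return [
        host for host, cpe in hosts.items()
        if eol_status(cpe, today)[0] == "eol"
        and QOD_PERCENT[eol_status(cpe, today)[1]] >= min_qod
    ]


if __name__ == "__main__":
    for threshold in (70, 30):
        print(f"min_qod={threshold}: {eol_findings(SAMPLE_HOSTS, SAMPLE_TODAY, threshold)}")
```

Run as-is it prints the Windows XP host only at the default threshold and both the XP and the Windows 7 host once the threshold drops to 30; the Server 2012 R2 host is reported as supported for the constructed scan date, and the Linux host is simply not in the table and so is never reported.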
This is actually expected, Windows Server 2012 and 2012 R2 are not end of life and are still receiving security updates in / via:
Also please keep in mind that:
EOL reporting is (at least currently) only a “byproduct” of vulnerability scanning, is only maintained “as time permits” and without any guarantee of completeness / SLA or similar
Such systems can also already be identified in e.g. GSA via “Assets → Operating Systems” and by searching for e.g. cpe:/o:microsoft:windows_server_2012 there
But I think this case is similar to the case of Windows 7 and Windows Server 2008 above, right?
In case you won’t write a plugin for this, is it fine if we write our own plugin similar to “Microsoft Windows 7 / Server 2008 End Of Life Detection”, considering the correctness?
I’m not working on this topic anymore (remember, this thread is four years old), so unfortunately I can’t say anything about this or any further plans.