https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579825#M2796 <P>Tnx for your help. I'll start that process.&nbsp;</P> Fri, 08 Mar 2024 21:00:25 GMT Megawatt 2024-03-08T21:00:25Z https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579794#M2782 <P><SPAN class="t">Anyone else seeing the following alerts:<BR />tcp</SPAN><SPAN>,</SPAN><SPAN class="t">alert</SPAN><SPAN>,"</SPAN><SPAN class="t">gpt.ini</SPAN><SPAN>",</SPAN><SPAN class="t a"><SPAN class="t">Canonical</SPAN></SPAN> <SPAN class="t">ksmbd-tools</SPAN> <SPAN class="t">ksmbd.mountd</SPAN> <SPAN class="t">ndrwritebytes</SPAN> <SPAN class="t">Heap</SPAN> <SPAN class="t">Buffer</SPAN> <SPAN class="t">Overflow</SPAN> <SPAN class="t">Vulnerability</SPAN><SPAN>(</SPAN><SPAN class="t">94951</SPAN><SPAN>)</SPAN></P> <P>&nbsp;</P> <P><SPAN>But this is being detected in traffic between 2 Windows server, so it doesn't make sense. Seems to be a false positive. </SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 08 Mar 2024 14:01:19 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579794#M2782 Megawatt 2024-03-08T14:01:19Z https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579801#M2784 <P>Hello,</P> <P>&nbsp;</P> <P>I at least am not seeing this in our environment. Why does it being flagged between two servers lead to believe its a false positive?</P> <P>&nbsp;</P> <P>If you want to create an exception you can do so from this and specify the specific IPs for exception as opposed to changing the action for the entire ID.&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC" target="_blank">How to create a vulnerability exception - Knowledge Base - Palo Alto Networks</A></P> <P>&nbsp;</P> <P>Palo Vault of ID:&nbsp;<SPAN><A href="https://threatvault.paloaltonetworks.com/?query=94951&amp;type=" target="_blank">https://threatvault.paloaltonetworks.com/?query=94951&amp;type=</A></SPAN></P> Fri, 08 Mar 2024 15:55:35 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579801#M2784 Claw4609 2024-03-08T15:55:35Z https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579805#M2786 <P>Because the source and destination are both Windows servers. This detection relates to a vulnerability in a Linux module (related to SMB I believe).&nbsp;</P> Fri, 08 Mar 2024 17:01:50 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579805#M2786 Megawatt 2024-03-08T17:01:50Z https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579808#M2787 <P>Gotcha, would help if I read that closer. While it technically would be possible to run Ubuntu and those tools within a Windows server, it sounds like its probably a false positive. If thats the case you can submit a TAC case for them to look into the information and update the signature as needed.&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSBCA0" target="_blank">How to Submit a Vulnerability Signature False Positive - Knowledge Base - Palo Alto Networks</A></P> Fri, 08 Mar 2024 17:20:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579808#M2787 Claw4609 2024-03-08T17:20:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579825#M2796 <P>Tnx for your help. I'll start that process.&nbsp;</P> Fri, 08 Mar 2024 21:00:25 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579825#M2796 Megawatt 2024-03-08T21:00:25Z https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579856#M2800 <P> </P> <P>Well, it seems that PA released an updated detection for this in the latest release (see attached image). Fingers crossed that this resolves it. I'll circle back here if I no longer see detections.&nbsp;<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMG_5853.jpeg" style="width: 320px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58182iE9C9980A95FDC485/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="IMG_5853.jpeg" alt="IMG_5853.jpeg" /></span></P> Sun, 10 Mar 2024 00:50:40 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/threat-detections-of-quot-canonical-ksmbd-tools-ksmbd-mountd/m-p/579856#M2800 Megawatt 2024-03-10T00:50:40Z