topic Re: Disabled Vulnerability Signatures in App+Threat Update 335 in General Topics

Disabled Vulnerability Signatures in App+Threat Update 335

ERIKS — Wed, 24 Oct 2012 08:50:51 GMT

Can someone please explain why a high severity vulnerability signature has been disabled in update 335?

Does this mean that this vulnerability will no longer be detected?

What happens if we encounter this vulnerability, will it be allowed through?

The same question also about the disabled spyware signature in the update 335 as well.

Re: Disabled Vulnerability Signatures in App+Threat Update 335

nayubi — Mon, 29 Oct 2012 21:32:29 GMT

In signature 335 there was only disabled vulnerability signature 30793 Microsoft Internet Explorer Content-Type Denial Of Service Vulnerability. This signature should no longer trigger as the signature is disabled.

The reasons behind this are:

1. The signature is being reviewed for improvements

2. The vulnerability does not exist anymore

Re: Disabled Vulnerability Signatures in App+Threat Update 335

mikand — Tue, 30 Oct 2012 06:42:51 GMT

Im a bit curious about "2. The vulnerability does not exist anymore"...

Is PA thinking that there shouldnt be old clients out there or that the attack itself is no longer available like through metasploit etc?

Re: Disabled Vulnerability Signatures in App+Threat Update 335

nayubi — Tue, 30 Oct 2012 18:31:31 GMT

These are reasons why they could be disabled, but yes if they believe it is no longer a threat or if it is combined in another signature that identifies it with better accuracy. Or if the application is obsolete. If you feel this threat is still an issue and should be a part of the Palo Alto database please contact support and open a ticket for review.

Re: Disabled Vulnerability Signatures in App+Threat Update 335

mikand — Tue, 30 Oct 2012 19:00:51 GMT

Im a bit uncomfortible with signatures disappearing due to the application or threat being obsolete.

I totally agree if the signature is removed because it misfires (false-positives) or is taken care of by another signature (then perhaps the release notes should inform about this?) but I think its wrong when signatures are removed just because the threat might no longer be an issue.

I mean one of the points of using an IPS is to protect devices which cannot protect themselfs - otherwise we wont need IPS capabilities in the network.

Specially on the appliance side there are many devices which for one or another reason just cannot be updated to the latest version of the operating system or other softwares being runned on them.