10-24-2012 01:50 AM
Can someone please explain why a high severity vulnerability signature has been disabled in update 335?
Does this mean that this vulnerability will no longer be detected?
What happens if we encounter this vulnerability, will it be allowed through?
The same question also applies to the disabled spyware signature in update 335.
10-29-2012 02:32 PM
In signature 335 there was only one disabled vulnerability signature: 30793, Microsoft Internet Explorer Content-Type Denial Of Service Vulnerability. This signature should no longer trigger, as the signature is disabled.
The reasons behind this are:
1. The signature is being reviewed for improvements
2. The vulnerability does not exist anymore
10-29-2012 11:42 PM
I'm a bit curious about "2. The vulnerability does not exist anymore"...
Is PA thinking that there shouldn't be old clients out there, or that the attack itself is no longer available, like through Metasploit etc.?
10-30-2012 11:31 AM
These are reasons why they could be disabled, but yes, if they believe it is no longer a threat, or if it is combined in another signature that identifies it with better accuracy, or if the application is obsolete. If you feel this threat is still an issue and should be a part of the Palo Alto database, please contact support and open a ticket for review.
10-30-2012 12:00 PM
I'm a bit uncomfortable with signatures disappearing due to the application or threat being obsolete.
I totally agree if the signature is removed because it misfires (false positives) or is taken care of by another signature (then perhaps the release notes should inform about this?), but I think it's wrong when signatures are removed just because the threat might no longer be an issue.
I mean, one of the points of using an IPS is to protect devices which cannot protect themselves - otherwise we won't need IPS capabilities in the network.
Especially on the appliance side, there are many devices which for one reason or another just cannot be updated to the latest version of the operating system or other software being run on them.