Disabled Vulnerability Signatures in App+Threat Update 335


L1 Bithead

Can someone please explain why a high severity vulnerability signature has been disabled in update 335?

Does this mean that this vulnerability will no longer be detected?

What happens if we encounter this vulnerability, will it be allowed through?

The same question applies to the disabled spyware signature in update 335 as well.

1 accepted solution

Accepted Solutions

L3 Networker

In update 335 there was only one disabled vulnerability signature, 30793 Microsoft Internet Explorer Content-Type Denial Of Service Vulnerability. This signature should no longer trigger, as the signature is disabled.

The reasons behind this are:

1. The signature is being reviewed for improvements

2. The vulnerability does not exist anymore

I'm a bit curious about "2. The vulnerability does not exist anymore"...

Is PA thinking that there shouldn't be old clients out there, or that the attack itself is no longer available, e.g. through Metasploit etc.?

These are reasons why they could be disabled, but yes: if they believe it is no longer a threat, or if it is combined into another signature that identifies it with better accuracy, or if the application is obsolete. If you feel this threat is still an issue and should be a part of the Palo Alto database, please contact support and open a ticket for review.

I'm a bit uncomfortable with signatures disappearing due to the application or threat being obsolete.

I totally agree if the signature is removed because it misfires (false positives) or is taken care of by another signature (then perhaps the release notes should inform about this?), but I think it's wrong when signatures are removed just because the threat might no longer be an issue.

I mean, one of the points of using an IPS is to protect devices which cannot protect themselves; otherwise we won't need IPS capabilities in the network.

Especially on the appliance side there are many devices which, for one reason or another, just cannot be updated to the latest version of the operating system or other software being run on them.

  • 1 accepted solution
  • 3587 Views
  • 4 replies
  • 0 Likes