Disabled Vulnerability Signatures in App+Threat Update 335

ERIKS

Can someone please explain why a high severity vulnerability signature has been disabled in update 335?

Does this mean that this vulnerability will no longer be detected?

What happens if we encounter this vulnerability, will it be allowed through?

The same question applies to the disabled spyware signature in update 335.


Accepted Solutions
nayubi

In update 335 the only disabled vulnerability signature was 30793, Microsoft Internet Explorer Content-Type Denial Of Service Vulnerability. This signature should no longer trigger, as the signature is disabled.

The reasons behind this are:

1.  The signature is being reviewed for improvements

2.  The vulnerability does not exist anymore


All Replies
mikand

I'm a bit curious about "2. The vulnerability does not exist anymore"...

Is PA thinking that there shouldn't be old clients out there, or that the attack itself is no longer available, e.g. through Metasploit etc.?

nayubi

These are reasons why they could be disabled, but yes, if they believe it is no longer a threat, or if it is combined in another signature that identifies it with better accuracy, or if the application is obsolete. If you feel this threat is still an issue and should be a part of the Palo Alto database, please contact support and open a ticket for review.

mikand

I'm a bit uncomfortable with signatures disappearing due to the application or threat being obsolete.

I totally agree if the signature is removed because it misfires (false positives) or is taken care of by another signature (then perhaps the release notes should inform about this?), but I think it's wrong when signatures are removed just because the threat might no longer be an issue.

I mean, one of the points of using an IPS is to protect devices which cannot protect themselves; otherwise we won't need IPS capabilities in the network.

Especially on the appliance side there are many devices which, for one reason or another, just cannot be updated to the latest version of the operating system or other software being run on them.
