IPS Evader Testing Tool Update

Community Team Member

At Palo Alto Networks, we are committed to the security of our customers. As part of this commitment, we take evasions of security controls very seriously. Building products that defeat such evasions remains central to our approach and has been one of our guiding principles as we enable our customers to overcome the more widespread evasions. The reality as we see it is that evasions happen every day, but they often rely on unsanctioned applications, encryption applications, file-sharing apps, and more. These evasion techniques are very easy for attackers to use, and legacy security technologies are simply not equipped to handle them. We also recognize that there are more complicated evasions, such as reversing the TCP handshake to bypass normal security measures. And while many of these evasions are made ineffective by modern operating systems, or are not usable without first gaining a foothold inside the network, we take them seriously as well.

As part of ensuring that our products are able to block scans and evasion attempts, we are continually looking for new applications, evaluating various attack toolkits, maintaining an inventory of such testing tools, testing our devices with them, and performing additional third-party penetration tests. One such tool among the many we use, and one that has been part of our testing for over 3 years, is the McAfee/Stonesoft IPS Evader Tool.

It was recently brought to our attention that our devices were not stopping several layered evasions that allowed attacks to succeed over the SMB protocol. While these evasions would naturally be constrained by policy restrictions on SMB itself and by the obscurity of the layered evasion techniques, we took this very seriously. Once we had the information needed to reproduce the issue, we verified the findings and addressed the evasions through dynamic content update version 549-3088. This content release is now available, and devices configured to perform scheduled content updates will download and install it automatically. In addition to the content release, we have updated our best practices for securing the network against L4 and L7 evasions.

If you have any questions related to this issue or the content update process, please do not hesitate to reach out to our Support team.


Regards,

The Palo Alto Networks product management team
