Intrusion Prevention Blocked Office 365 Attachments

 Hey Matt,

I had a client just encountered the same problem and I managed to fixed it by creating a new IPS policy allowing ALL packets instead of using the Sophos' default policy.

I just checked IPS signature has been updated last night.

Also my client's XG330 is still running on v16.05.01 with trail license but has been expired for 2 weeks. I originally suspected the issue is due to expired IPS module not functioning correctly but now I see your thread I am suspecting the latest IPS signatures are messing things up.

Has your issue been fixed yet? How did you do it?

po  

Hi Po,

Glad I'm not the only one - The IPS signature was updated early this morning.

Really weird that we got the issue in the middle of the day.

I haven't resolved it, I just changed IPS to None on our firewall rule until I can get to the bottom of it.

I will follow your suggestion and create a new IPS policy and update this thread if I find out anything more.

Thanks,

Matt

Hi,

I think that Outlook uses a Untrusted certificate, so Sophos blocks.

Its wreid, but it's the only way that sounds possible for me.

Regards

Hi,

same thing here, Cyberoam Firmware and Sophos Firmware appliances are dropping  

connections to Exchange Online with the IPS signature: "SERVER-WEBAPP SSLv2 OpenSSl KEY_ARG buffer overflow attempt".

Does anyone reported this issue to Sophos?

Regards

Hi,

same thing here, Cyberoam Firmware and Sophos Firmware appliances are dropping  

connections to Exchange Online with the IPS signature: "SERVER-WEBAPP SSLv2 OpenSSl KEY_ARG buffer overflow attempt".

Does anyone reported this issue to Sophos?

Regards

Guys, my current workaround is creating another IPS policy to allow all packets for "SERVER-WEBAPP SSLv2 OpenSSl KEY_ARG buffer overflow attempt" and the issue disappeared right away.

Thanks Ecompo

I try and I discovered another singularity. I have already into IPS Policy a copy of the original to allow others 2 exceptions but inside that rule  I didn't find "SERVER-WEBAPP SSLv2 OpenSSl KEY_ARG buffer overflow attempt signatue".

Only inside the original  "migrate_def_filter_1" i can find the signature SERVER-WEBAPP SSLv2 OpenSSl KEY_ARG buffer overflow attempt.

So seems that this fantastic signature was added yestarday or today by the last pattern update.

I opened a ticket.

By the way I discovered that the same DROP action also is replicated  to others IP's not only those regarding Office 365.

Last, this fantastic signature what F... CVE resolve ?

Hi All, 

We are currently investigating the issue on our end to verify if it's indeed a False-Positive or a Vulnerability, thank you for your patience.

I agree that is a way to resolve it temporary, because this signature must exist for some reason.

The possible solutions we all may think:

- Disable  the IPS Policy for the affected rule (Riskiest but fastest)

- New IPS Policy excluding the specific signature 

- New Rule for Office365 destinations (https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)

PS: I didn't have any reply yet to my ticket (I opened it 2 and 1/2 hours before)

regards,

Ignatios

As I am informed through the ticket, updating to the latest IPS patterns the issue resolves.

Confirmed, the signature no more exists to the IPS signatures.