XG310 IPS Flagging Some Adobe Files but XG125 Is Not - Same firmware / pattern updates / settings

We are having trouble downloading some Adobe Acrobat files from one of our vendors.  The files are being flagged by the IPS system under the signature "Adobe Reader PDF Engine CVE-2017-3025 Memory Corruption Vulnerability".  It only affects about 10% of the files from their site.  But the issue is happening only on an XG310 in our main office; an XG125 in our sub office downloads the files with no issue.


- Both XG's are running SFOS 16.05.6 MR-6  (happened on older firmware also, at least on MR2, 3, and 4).

- Both have automatic updates enabled for patterns, and the IPS has a version of 3.13.80 and shows current.

- Both have our "Default Web Access Rule" set up identically with the built-in "LAN to WAN" IPS setting.


What would cause this?


As an example, the vendor link is http://meus1.mylinkdrive.com/item/PAR-32MAA-J.html.  On that page the service manual "PAR-31MAA Technical Manual" downloads without issue, but the submittal "PAR-32MAA-J Submittal" gets flagged with the vulnerability on the XG310.  Again, on the XG125 the PDF downloads fine.


-Allan

  • Allan,

    the built-in IPS profile cannot be edited, so make sure both are using the same profile. If the signatures are the same, create a new IPS profile and remove the signature, or create a new Firewall rule at the top of all of the other firewall rules (with no IPS applied), and open a ticket with support.

    Regards

  • Furthermore:

    On my XG (SW version) I am not able to download the PDF manual. Signature ID: 3310061

    Adobe Reader PDF Engine CVE-2017-3025 Memory Corruption Vulnerability.

  • Both the rules on the XG310 and the XG125 are using the built-in "LAN to WAN" IPS rule.   The fact that I can download it through the 125 and not the 310 doesn't make sense, although I'm glad you are getting it blocked on your end also.


    I added a web rule for their web server's IP address that isn't using IPS so our users can get what they need, and I'll open up a support ticket.  Maybe Sophos can download the PDF and manually scan it on their end and see if it really does have that vulnerability; if it does, I'll contact the vendor, and if it doesn't, they can figure out why it's being flagged.  Thanks for checking on your end.


    -Allan
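Before handing a file like this to support, it helps to know whether the copy that came through the XG125 is the complete file the vendor serves, and to have a hash to quote in the ticket. The script below is an added example, not part of this thread and not a Sophos tool: it checks two downloaded copies for the PDF header and the `%%EOF` trailer marker (a download cut off mid-transfer usually lacks the trailer), computes SHA-256 for each, and reports whether the copies are identical, one is truncated, or they genuinely differ. The file names in the usage line and the sample PDF bytes are constructed for illustration.

```python
import hashlib
import sys
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"   # every PDF starts with this header
PDF_EOF = b"%%EOF"     # and ends with this trailer marker

# verdict strings returned by compare_copies()
SAME, TRUNCATED, DIFFERENT = "same", "truncated", "different"


@dataclass
class PdfCheck:
    sha256: str
    size: int
    has_header: bool
    has_eof_marker: bool

    @property
    def looks_complete(self) -> bool:
        return self.has_header and self.has_eof_marker


def inspect_pdf(data: bytes) -> PdfCheck:
    """Hash the bytes and check for the PDF header and trailer marker."""
    # %%EOF sits near the end of a well-formed file; only the tail is examined
    tail = data[-2048:]
    return PdfCheck(
        sha256=hashlib.sha256(data).hexdigest(),
        size=len(data),
        has_header=data.startswith(PDF_MAGIC),
        has_eof_marker=PDF_EOF in tail,
    )


def compare_copies(a: bytes, b: bytes) -> dict:
    """Compare two downloaded copies of what should be the same PDF."""
    ca, cb = inspect_pdf(a), inspect_pdf(b)
    if ca.sha256 == cb.sha256:
        verdict = SAME
    elif ca.looks_complete != cb.looks_complete:
        # one copy has the header/trailer, the other does not: a cut-off download
        verdict = TRUNCATED
    else:
        # both look structurally complete (or both broken) yet differ in content
        verdict = DIFFERENT
    return {"identical": verdict == SAME, "verdict": verdict, "a": ca, "b": cb}


# Constructed sample input: a minimal PDF skeleton and a cut-off copy of it.
SAMPLE_GOOD = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_TRUNCATED = SAMPLE_GOOD[:40]


def main(argv):
    # Usage (hypothetical file names): python compare_pdf_copies.py copy_via_xg125.pdf copy_reference.pdf
    if len(argv) != 3:
        print("usage: compare_pdf_copies.py FIRST.pdf SECOND.pdf")
        return 2
    with open(argv[1], "rb") as fa, open(argv[2], "rb") as fb:
        result = compare_copies(fa.read(), fb.read())
    for label in ("a", "b"):
        c = result[label]
        print(f"{label}: sha256={c.sha256} size={c.size} complete={c.looks_complete}")
    print("verdict:", result["verdict"])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the verdict is `same` and both copies look complete, the SHA-256 is the value to give support so they can examine exactly the bytes the IPS is matching on; `truncated` points at the transfer being cut off rather than at the file itself.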

  • Probably will want to get support to look at it; it's being dropped by IPS on both my XG Home and also the XG210 at the office.