XG310 IPS Flagging Some Adobe Files but XG125 Is Not - Same firmware / pattern updates / settings

We are having trouble downloading some Adobe Acrobat files from one of our vendors. The files are being flagged by the IPS system under the signature "Adobe Reader PDF Engine CVE-2017-3025 Memory Corruption Vulnerability". It is only affecting about 10% of the files from their site. But the issue is happening only on an XG310 in our main office; an XG125 in our sub office downloads the files with no issue.


- Both XGs are running SFOS 16.05.6 MR-6 (it happened on older firmware also, at least on MR2, 3, and 4).

- Both have automatic updates enabled for patterns, and the IPS has a version of 3.13.80 and shows current.

- Both have our "Default Web Access Rule" set up identically with the built-in "LAN to WAN" IPS setting.


What would cause this?


As an example, the vendor link is http://meus1.mylinkdrive.com/item/PAR-32MAA-J.html. On that page the service manual "PAR-31MAA Technical Manual" downloads without issue, but the submittal "PAR-32MAA-J Submittal" gets flagged with the vulnerability on the XG310. Again, on the XG125 the PDF downloads fine.


-Allan



  • Not really. They said the Adobe files "probably" have the vulnerability and that the IPS seems to be working correctly. So we have three options:


    1) Have the vendor recreate the PDFs with a newer version of Adobe

    2) Use HTTPS on their site (this is a non-answer, since all it does is bypass the IPS scan)

    3) Whitelist the vendor site


    After talking to the vendor, they said they will request that the PDFs be recreated, but it will take a while (hundreds of them). So we gave up and whitelisted the domain.


    -Allan