
Every 5 minutes IPS warnings when synchronizing WSUS

Hello everybody,

Since 29-05 I am facing some issues regarding our WSUS server and the IPS on our Firewall SG 330 (probably after the May Cumulative update for Windows 2019). From the moment I am synchronizing the update catalog with Microsoft, the IPS in our firewall SG 330 is going crazy with the following warning:

2020-06-17 10:18:19 Daemon.Warning [firewall IP] device="SFW" date=2020-06-17 time=10:18:19 timezone="CEST" device_name="SG330" device_id=[device ID] log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=5 fw_rule_id=57 user_name="" signature_id=39466 signature_msg="FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt" classification="Attempted Denial of Service" rule_priority=2 src_ip=93.184.221.240 (unresolved)  src_country_code=GBR dst_ip=[local WSUS server]  dst_country_code=R1 protocol="TCP" src_port=80 dst_port=58792 platform="Windows" category="file-executable" target="Client"

I'm getting the warnings with the following source IPs and domain names:

  • xxxx.deploy.static.akamaitechnologies.com
  • xxxx.routit.net
  • map2.hwcdn.net

And more. Mostly CDNs.

Already updated the patterns, WSUS on Windows Server 2019, Windows updates etc.

Has anyone already found a solution for this? Seems like false positives. I've read some threads like:

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/120586/ips-alert-every-5-minutes

and

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/120400/atp-alerts-every-4---8-mins


But so far no luck.


Of course I can adjust the IPS policy, but it seems there's something else going on. I hope you guys can help me out.

Kind Regards,

Stefan
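Added example (not from this thread and not Sophos code): a small Python parser for the SFW IDP key=value syslog line quoted above, which groups Drop events by signature and destination host and flags the groups that recur on a fixed cadence. A steady interval that survives a changing set of CDN source addresses points at a scheduled fetch on the destination (the WSUS server) rather than at the sources themselves. The sample lines, the 10.0.0.5 WSUS address and the 203.0.113.7 CDN address are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# One key=value token of the Sophos SFW IDP syslog format: values are either
# double-quoted (may contain spaces) or bare (run to the next whitespace).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_sfw_event(line):
    """Return the key=value fields of one Sophos SFW syslog line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def periodic_idp_drops(lines, min_events=3, max_jitter_s=60):
    """Group IDP 'Drop' events by (signature_id, dst_ip) and keep the groups that
    recur at a near-constant interval: the footprint of a scheduled fetch by the
    destination host (e.g. a WSUS sync retrying a stuck download), which looks the
    same whichever CDN node answers. Returns {(signature_id, dst_ip): summary}."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_sfw_event(line)
        if ev.get("log_type") != "IDP" or ev.get("log_subtype") != "Drop":
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        groups[(ev["signature_id"], ev["dst_ip"])].append((ts, ev["src_ip"]))
    report = {}
    for key, events in groups.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:   # regular cadence, not random hits
            report[key] = {"count": len(events),
                           "interval_s": round(statistics.median(gaps)),
                           "src_ips": sorted({src for _, src in events})}
    return report

# Constructed sample events (not taken from the thread) in the field layout of the
# quoted warning; 10.0.0.5 stands in for the WSUS server, 203.0.113.7 for a CDN node.
_MSG = "FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt"
_TPL = ('device="SFW" date=2020-06-17 time={t} timezone="CEST" log_type="IDP" '
        'log_component="Signatures" log_subtype="Drop" priority=Warning user_name="" '
        'signature_id=39466 signature_msg="{msg}" src_ip={src} (unresolved) '
        'dst_ip=10.0.0.5 protocol="TCP" src_port=80 dst_port={dp} platform="Windows"')
SAMPLE_LINES = [_TPL.format(t="10:18:19", msg=_MSG, src="93.184.221.240", dp=58792),
                _TPL.format(t="10:23:20", msg=_MSG, src="203.0.113.7", dp=58810),
                _TPL.format(t="10:28:18", msg=_MSG, src="93.184.221.240", dp=58833),
                _TPL.format(t="10:33:21", msg=_MSG, src="203.0.113.7", dp=58851)]
```

Feeding the firewall's exported IDP log to `periodic_idp_drops` narrows the hunt to the destination hosts whose alerts repeat on a schedule, so the stuck downloads can be looked up on that host instead of chasing each CDN address.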



  • Not really a false positive.
    ... but seems Microsoft uses servers for update services which also host malware ... that's the cloud ... really great
    compare the files-section from this page:

    https://otx.alienvault.com/indicator/ip/93.184.221.240

    Deactivating these messages or the pattern is more of a workaround.
    But seems the server is the problem ... not the updates.
    I would temporarily create an exception for this signature.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk,


    Thanks a lot for your reply. Is it safe to deactivate the pattern? Or is it just a workaround to only let WSUS download the particular update, and then re-enable the pattern?

    Unfortunately I don't know which particular update on that malicious server WSUS is trying to download, otherwise I could download it manually. Perhaps there is a way to find out?

    How is it even possible that Microsoft hosts files on the same servers where malicious content is stored also? Seems not so pretty.

  • I would exclude the pattern for 1-2 hours only... until WSUS has finished downloading the files.

    Possibly within WSUS you see the failed update downloads.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • dirkkotte said:
    Possibly within WSUS you see the failed update downloads.

    Didn't know there is a view where this can be seen. Anyhow, I managed to find 2 updates which were stuck downloading. I declined them and now no new IPS warnings are popping up.

    The updates were 'Update Rollup for Skype for Business Server 2015 (KB3061064)'

    Thanks for your help!
