This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS false positive alert: blocks Symantec AV defs.

Rule ID 17297 SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt.

This blocks Symantec Endpoint Protection Manager from retreiving updated definitions through Live Update for disseminating to client systems. This is a new rule delivered on Wednesday in u2d-ips-7-193.i686.rpm. I would venture a guess that this is a new "bad" rule. If you use Symantec Endpoint Protection, you'll want to disable this rule.

This thread was automatically locked due to age.

Parents

0 Soong over 14 years ago

This rule began blocking normal virus definition updates for my Eset NOD32 anti-virus clients on October 13, at around 10am PST.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 14 years ago in reply to Soong

This rule began blocking normal virus definition updates for my Eset NOD32 anti-virus clients on October 13, at around 10am PST.

Just curious, what version of ESET are you running? I have 1 small business customer that is running Eset, and their updates do not trigger this rule -- they are running a slightly older version of Eset though. I have seen some (but not all) customers affected that run Symantec AV though. I have to say this rule should probably be removed from the distributed ruleset.
Cancel
Vote Up 0 Vote Down

Cancel
0 Soong over 14 years ago in reply to BrucekConvergent

Version 3.0.695.0
Cancel
Vote Up 0 Vote Down

Cancel
0 c.d.burt over 14 years ago in reply to Soong

I too am having the issue. Can't receive updates and IPS registers 240 hits for the same rule id. ASG 8.002 with rule id 17297 "SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt". I use ESET NOD32 4 for all my pcs.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 14 years ago in reply to c.d.burt

Just disable rule 17297.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BrucekConvergent over 14 years ago in reply to c.d.burt

Just disable rule 17297.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Soong over 14 years ago in reply to BrucekConvergent

Just disable rule 17297.

Yes, thanks. I think most people having this problem probably came up with that solution on their own. I think the question is more along these lines:

Which of the following will happen?
A) Astaro will modify the rule in such a way to prevent false positives.
B) Anybody who experiences the problem of false positives have to disable the rule from now and forever?
Cancel
Vote Up 0 Vote Down

Cancel