This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS false positive alert: blocks Symantec AV defs.

Rule ID 17297 SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt.

This blocks Symantec Endpoint Protection Manager from retreiving updated definitions through Live Update for disseminating to client systems. This is a new rule delivered on Wednesday in u2d-ips-7-193.i686.rpm. I would venture a guess that this is a new "bad" rule. If you use Symantec Endpoint Protection, you'll want to disable this rule.

This thread was automatically locked due to age.

0 BAlfson over 15 years ago

I think the answer to that is a firm, "Maybe!" [;)]

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 jraley over 15 years ago

I just noticed this today when I was checking our Norton AV server and noticed it hasn't updated since Oct. 12. Looked for it in the IPS logs and found it pretty quick. I was coming here to post about it and searched first instead. Norton AV Corp Edition 10.2 is what we are using. Same Snort Rule was blocking it, 17297.
Cancel
Vote Up 0 Vote Down

Cancel
0 h3mp over 14 years ago

THis is stopping nod32 updates for me to, how to i disable the specific 17297 rule?

EDIT: Done it..
Cancel
Vote Up 0 Vote Down

Cancel