topic Thanks guys. We've decided in Network Security

Problem with Signature Update 932

Charles Carmichael — Sun, 10 Mar 2019 13:39:50 GMT

Hey everyone. Signature update 932 was automatically applied to my IPS today at 12:16. At 12:17, I started to get a ton of Adobe Acrobat Reader Memory Corruption hits on signature 7615. I'm assuming this is a bug. Is anyone else experiencing the same thing? The alerts are continuing to roll in.

Hi.Everyone.

UBE_IPSinfo — Thu, 04 Aug 2016 00:26:19 GMT

Hi.Everyone.

I also you are experiencing this problem.
I would like to quickly answer.

SigId:7615

SubSigId:0

SigName: Adobe Acrobat Reader Memory Corruption

Yes, you are right 7615 is

ali.imran1 — Thu, 04 Aug 2016 12:01:42 GMT

Yes, you are right 7615 is generating too much false positives in our environment too.

We have retired this signature and i can bet that you are gonna see in the next signature update that CISCO is also going to retire it as well.

We have already experienced that the QA of IPS signatures at Cisco is really bad.

Thanks guys. We've decided

Charles Carmichael — Thu, 04 Aug 2016 12:19:11 GMT

Thanks guys. We've decided to disable this signature for right now. ali.imran1, I'm sure you're right regarding Cisco retiring it in the next update.

Same on our side. Many many

leandro10 — Thu, 04 Aug 2016 15:57:48 GMT

Same on our side. Many many alerts.

We also have been

gm-douglas — Thu, 04 Aug 2016 16:19:07 GMT

We also have been experiencing a huge number of alerts and the IPS was setup to shun the IP. This caused many sites to be unreachable. I set up a rule to not shun these alerts, but to drop the packet in line.

We also had some alerts from our own web server. We traced these alerts to the pdf that was being served and ran these pdf's threw www.VirusTotal.com, no virus was found in these pdf's. From our internal standpoint this is a false positive.

Douglas, run the pdf though

leandro10 — Thu, 04 Aug 2016 16:27:06 GMT

Douglas, run the pdf though this site.

It does a real time analysis of the file.

https://www.hybrid-analysis.com/

Let us know the results, it might help us validate the signature. VirusTotal is just based on reputation.

Can Cisco please confirm this

Joshua Schroth — Thu, 04 Aug 2016 18:10:56 GMT

Can Cisco please confirm this is a bug? We've also been getting slammed by this since the signature updates around midnight.

I'm assuming that users are

wgorman — Thu, 04 Aug 2016 19:36:33 GMT

I'm assuming that users are also experiencing issues with their Adobe Acrobat Readers because the packets are being dropped by the IPS.

Please fix or remove the sig.ID 7615/0 ....... ASAP, if you please.

-Will

The pdf's came up clean on

gm-douglas — Thu, 04 Aug 2016 21:27:49 GMT

The pdf's came up clean on that other site also. One of them was last modified in Aug of 2012. These are false positives.

Hi,EveryOne.

UBE_IPSinfo — Thu, 04 Aug 2016 23:22:18 GMT

Hi,EveryOne.

Last day, I was carried out the invalidation of the relevant signatures.
Also, S933 was released at 4:00(JST) .
Saw the release notes, it seems to be no correspondence of Cisco.

S933 did not fix the issue. I

Joshua Schroth — Fri, 05 Aug 2016 13:26:36 GMT

S933 did not fix the issue. I re-enabled that signature and it's still firing. Disabled the signature again until Cisco fixes this...

No update from Cisco yet? ok.

leandro10 — Mon, 08 Aug 2016 15:51:38 GMT

No update from Cisco yet? ok.

We are also receiving a high

CLCswagner — Mon, 08 Aug 2016 17:58:58 GMT

We are also receiving a high number of alerts for this signature, but only when users are trying to access an internal website that displays images. There are no PDFs involved.