08-03-2016 10:44 AM - edited 03-10-2019 06:39 AM
Hey everyone. Signature update 932 was automatically applied to my IPS today at 12:16. At 12:17, I started to get a ton of Adobe Acrobat Reader Memory Corruption hits on signature 7615. I'm assuming this is a bug. Is anyone else experiencing the same thing? The alerts are continuing to roll in.
08-03-2016 05:26 PM
Hi, everyone.
I am also experiencing this problem.
I would like to quickly answer.
SigId:7615
SubSigId:0
SigName: Adobe Acrobat Reader Memory Corruption
08-04-2016 05:19 AM
Thanks guys. We've decided to disable this signature for right now. ali.imran1, I'm sure you're right regarding Cisco retiring it in the next update.
08-04-2016 05:01 AM
Yes, you are right, 7615 is generating too many false positives in our environment too.
We have retired this signature and I can bet that you are gonna see in the next signature update that Cisco is also going to retire it as well.
We have already experienced that the QA of IPS signatures at Cisco is really bad.
08-04-2016 11:10 AM
Can Cisco please confirm this is a bug? We've also been getting slammed by this since the signature updates around midnight.
08-04-2016 08:57 AM
Same on our side. Many many alerts.
08-04-2016 09:19 AM
We also have been experiencing a huge number of alerts and the IPS was set up to shun the IP. This caused many sites to be unreachable. I set up a rule to not shun these alerts, but to drop the packet in line.
We also had some alerts from our own web server. We traced these alerts to the PDF that was being served and ran these PDFs through www.VirusTotal.com; no virus was found in these PDFs. From our internal standpoint this is a false positive.
08-04-2016 09:27 AM
Douglas, run the PDF through this site.
It does a real-time analysis of the file.
https://www.hybrid-analysis.com/
Let us know the results, it might help us validate the signature. VirusTotal is just based on reputation.
08-04-2016 02:27 PM
The PDFs came up clean on that other site also. One of them was last modified in Aug of 2012. These are false positives.
08-04-2016 12:36 PM
I'm assuming that users are also experiencing issues with their Adobe Acrobat Readers because the packets are being dropped by the IPS.
Please fix or remove the sig.ID 7615/0 ....... ASAP, if you please.
-Will
08-04-2016 04:22 PM
Hi, everyone.
Yesterday, I carried out the invalidation of the relevant signatures.
Also, S933 was released at 4:00 (JST).
Looking at the release notes, there seems to be no response from Cisco.
08-05-2016 06:26 AM
S933 did not fix the issue. I re-enabled that signature and it's still firing. Disabled the signature again until Cisco fixes this...
08-08-2016 08:51 AM
No update from Cisco yet? ok.
08-08-2016 10:58 AM
We are also receiving a high number of alerts for this signature, but only when users are trying to access an internal website that displays images. There are no PDFs involved.