Our HIPS signature 6058 (SSL Heartbleed Unencrypted Attack) changed from "High" to "Informational" in either the May 27 or June 1 out of cycle content update. Is there any reason for this?
This was not mentioned in the release notes for either update, although in the May 27 update, it states this:
Due to a known issue (Refer Bug 969835)
Minimum content version for the Signatures
2851 and 6058
The Host IPS Content 220.127.116.1135 - Signature 6058 is set to 'High' severiry as the default setting. This has not been altered from previous content updates.
If you continue to have an issue, please contact McAfee Support so that we can proivde assistance. The most common reason for when signatures show a different severify level is that the Host IPS Content policy has been changed on your ePO Server which will override the McAfee Default Content setting of 'High'. Content signatures that have been Customized (changed from the default setting) take precedence over the default signature settings.
Yes, in 5735 this is indeed "high". Interestingly enough, it was modified to reduce false positives.
However, in 5660, this signature suddenly became "informational". I was looking at the McAfee Default policy, which is not subject to custom severity changes. In 5709, this signature was modified to reduce false positives, and also became a "high" once again. I'm trying to find out why there was a phantom severity change in 5660.Message was edited by: damageinc on 7/7/14 3:09:04 PM CDT