cancel
Showing results for 
Search instead for 
Did you mean: 
damageinc
Level 7

HIPS Signature 6058 - Downgraded Severity in Recent Content Update?

Our HIPS signature 6058 (SSL Heartbleed Unencrypted Attack) changed from "High" to "Informational" in either the May 27 or June 1 out of cycle content update.  Is there any reason for this?

This was not mentioned in the release notes for either update, although in the May 27 update, it states this:

Note:

-

Due to a known issue (Refer Bug 969835)

Minimum content version for the Signatures

2851 and 6058

will

reflect 8.0.0.5660.

0 Kudos
4 Replies
damageinc
Level 7

Re: HIPS Signature 6058 - Downgraded Severity in Recent Content Update?

Anybody?

0 Kudos
fuzziest
Level 9

Re: HIPS Signature 6058 - Downgraded Severity in Recent Content Update?

I don't know.

0 Kudos
McAfee Employee

Re: HIPS Signature 6058 - Downgraded Severity in Recent Content Update?

The  Host IPS Content 8.0.0.5735 - Signature 6058 is set to 'High' severiry as the default setting.  This has not been altered from previous content updates.

If you continue to have an issue, please contact McAfee Support so that we can proivde assistance.  The most common reason for when signatures show a different severify level is that the Host IPS Content policy has been changed on your ePO Server which will override the McAfee Default Content setting of 'High'.  Content signatures that have been Customized (changed from the default setting)  take precedence over the default signature settings.

0 Kudos
damageinc
Level 7

Re: HIPS Signature 6058 - Downgraded Severity in Recent Content Update?

Yes, in 5735 this is indeed "high".  Interestingly enough, it was modified to reduce false positives.

However, in 5660, this signature suddenly became "informational".  I was looking at the McAfee Default policy, which is not subject to custom severity changes.  In 5709, this signature was modified to reduce false positives, and also became a "high" once again.  I'm trying to find out why there was a phantom severity change in 5660.

Message was edited by: damageinc on 7/7/14 3:09:04 PM CDT
0 Kudos