Showing results for 
Search instead for 
Did you mean: 

Stonesoft IPS Positive with IEM update service

We are trying to deploy IBM Endpoint Manager (IEM) but the update service it is using for downloading patches etc is causing our IPS to detect a vulnerability in this process and dropping the connection.  The IPS alert is shown below.  Has anyone come across this before with Stonesoft IPS & IEM and can advise if this is a false positive or something we need to be concerned about?  If we are confident this is a False Positive is there any way we can remove this check from the IPS for just this communication (i.e. source & destination) or does it need to be removed as a check in general.  Finally can someone point me to where we tweak the IPS signatures so this check can be removed if we decide to do this, ta.

IPS Alert


The fingerprint File-Text_Scripting.FileSystemObject-ActiveX-Object-Local-File-Write has matched.

An attempt to access the local disk using the Scripting.FileSystemObject ActiveX object was detected. This object allows a script to access local resources. Access is normally allowed only from pages loaded from trusted sources, but when using other vulnerabilities in conjunction with this object, an attacker may write arbitrary files to the filesystem.

Source Host:
Source Port: 80
Destination Host: X.X.X.X (this is the private address of our IEM server)
Destination Port: 47853

Microsoft Windows allows access to local resources via several different ActiveX controls. Normally these controls can be accessed only from programs that have been started from the local machine. By using other vulnerabilities, these controls may be used from code in a web page or email message, allowing arbitrary code execution or local resource access in the context of the currently logged in user.

0 Kudos
1 Reply
Level 21

Re: Stonesoft IPS Positive with IEM update service

Discussion provisionally moved from Security Awareness to Network Security Platform (NSP, NIPS, NAC, NTBA) for better support




0 Kudos