
Stonesoft IPS Positive with IEM update service

We are trying to deploy IBM Endpoint Manager (IEM), but the update service it uses for downloading patches etc. is causing our IPS to detect a vulnerability in this process and drop the connection. The IPS alert is shown below. Has anyone come across this before with Stonesoft IPS & IEM, and can you advise if this is a false positive or something we need to be concerned about? If we are confident this is a false positive, is there any way we can remove this check from the IPS for just this communication (i.e. source & destination), or does it need to be removed as a check in general? Finally, can someone point me to where we tweak the IPS signatures so this check can be removed if we decide to do this? Ta.

IPS Alert

-------------

The fingerprint File-Text_Scripting.FileSystemObject-ActiveX-Object-Local-File-Write has matched.

An attempt to access the local disk using the Scripting.FileSystemObject ActiveX object was detected. This object allows a script to access local resources. Access is normally allowed only from pages loaded from trusted sources, but when using other vulnerabilities in conjunction with this object, an attacker may write arbitrary files to the filesystem.

Source Host: 174.36.239.142
Source Port: 80
Destination Host: X.X.X.X (this is the private address of our IEM server)
Destination Port: 47853

Vulnerability:
Local-System-Access-Via-ActiveX-Controls:
Microsoft Windows allows access to local resources via several different ActiveX controls. Normally these controls can be accessed only from programs that have been started from the local machine. By using other vulnerabilities, these controls may be used from code in a web page or email message, allowing arbitrary code execution or local resource access in the context of the currently logged in user.

1 Reply

Re: Stonesoft IPS Positive with IEM update service

Discussion provisionally moved from Security Awareness to Network Security Platform (NSP, NIPS, NAC, NTBA) for better support

---

Peter

Moderator
