We have identified this as an issue, and released the following SNS bulletin about it today. Please give it a read through and adjust the signature accordingly if needed. Also, we will be releasing a follow up sigset to address this issue sometime later today or tomorrow, so look for that on the download server. Thanks
The May 27 Signature Set releases (22.214.171.124|126.96.36.199|188.8.131.52) included protocol enhancements that may incorrectly identify the following signature — “SMTP: Microsoft Outlook Date Field Buffer Overflow – Attack ID 0x40405300.” No changes were made to the attack detection mechanism for this signature (1st released in Feb 2003).
The signature is enabled for monitoring by default, but is NOT enabled for blocking by default. If you have enabled blocking for this particular signature, you may see some SMTP traffic getting dropped by this signature.
1. Disable the signature. This will stop SMTP monitoring & blocking for this particular signature.
2. Roll back to signature sets 184.108.40.206|220.127.116.11|18.104.22.168 released on May 11, 2010 from NSM
3. Upload *Special* Signature Set release that will be available later on June 3, 2010 (US CDT)
McAfee will send a follow-up email when the *Special* Signature Set is available. For more information, please go to https://mysupport.mcafee.com, log in, and access KnowledgeBase article KB69033.
NOTE: NEXT SIGNATURE SET RELEASE
The next in-band Signature Set Release will be on Tuesday, June 8, 2010 (US CDT).
Many thanks. I also got the SNS notice on this, and have disabled the signature. I'll wait until next week's sig comes out and re-enable blocking on this attack then. Cheers, Kevin