2156 Views 6 Replies Latest reply: Dec 6, 2012 8:21 AM by HerbSmith RSS
HerbSmith Apprentice 92 posts since
Dec 9, 2009

Dec 5, 2012 2:25 PM

Buffer overflows Microsoft products.

I am preparing to move from HIPS 7 in basic protection to HIPS 8 P2. I am planning on going to Enhanced protection. I have about a dozen machines running now with Enhanced in Warn mode. What I am seeing is a lot of buffer overflows, suspicious function, and other alerts from basic Microsoft products: IEXPLORE.exe, explorer.exe, winlogon.exe and outlook.exe. Today I even have Windows Activation setting off alerts. Is it common for MS products to have a lot of alerts that I need to tune for? My biggest concern is that we have been compromised and I write exception rules for the compromise.

Thanks

Herb

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    1. Dec 5, 2012 4:17 PM (in response to HerbSmith)
    Re: Buffer overflows Microsoft products.

    Some of these violations might be due to third-party software (e.g., Iexplore.exe violations sometimes occur due to 3rd-party plugins and extensions). Each violation should be analyzed to determine if an IPS exception is applicable (e.g., if an IPS violation occurs referencing an OS/software vulnerability that has or has not been patched).

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    3. Dec 5, 2012 4:33 PM (in response to HerbSmith)
    Re: Buffer overflows Microsoft products.

    Check this KB, Herb.

    KB73399 - FAQs for Host Intrusion Prevention 8.0

    https://kc.mcafee.com/corporate/index?page=content&id=KB73399

    Sections

    Client IPS/FAQ - IPS Events
    Client Firewall/FAQ - FW Rules Assistance

  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010
    5. Dec 5, 2012 6:25 PM (in response to HerbSmith)
    Re: Buffer overflows Microsoft products.

    Forgive me for intruding into this thread; I usually stick to the Consumer section. But the question about HIPS and buffer overflows came up in this week's conference call, specifically in relation to Microsoft products.

    Intrusion Protection has recently been added to the Consumer products, and I understand that the code was copied over from the Corporate product (which here I take to be HIPS) without any changes.

    The default and recommended setting for Intrusion Protection in Consumer is Basic, and at that level there are very few Buffer Overflow alerts. If, however, the level is set to High then these alerts occur very frequently, and usually in relation to Microsoft programs - Word, Excel, and Internet Explorer. Posters to the Consumer section have been asking about these alerts for several weeks, but until recently I had not seen one. Then I enabled Intrusion Protection. I saw six of these alerts for Internet Explorer within a few hours after setting the detection level to High; since resetting the level to Basic I have seen none.

    Certainly Microsoft have patched very many buffer overflow vulnerabilities in their code, and McAfee adds detection for each of these vulnerabilities as a precaution. Possibly the High setting is causing each detection of a potential (rather than actual) overflow to be flagged regardless of whether Microsoft has patched it or not.

    I don't know if any of that is helpful to you, but at least you're not alone in wondering why Intrusion Protection is so sensitive on the High setting that it produces some false positive alerts.


    Volunteer Moderator, Leeds, UK
    No PM's please
