3 Replies Latest reply: Jun 24, 2014 7:24 AM by schmiewliski

    strange issue regarding 6013 signature

    schmiewliski

      Hello all

       

      I have a very strange situation. I have a normal ePO 5.1 install and have set up a test environment with exactly the same config and policies in place, but in the test environment any app that is opened (e.g. Acrobat, Word, Excel etc.) on any device attached to the test environment triggers an intrusion alert on signature 6013.

       

      Any ideas where the issue could be? I have checked the client to make sure that the content file is the same as production and that the policies are set the same, which they are.

       

      Thanks in advance

      Steve

        • 1. Re: strange issue regarding 6013 signature
          shakira

          Because this is a Buffer Overflow rule and we do not have the privilege to understand why those fire, you'll need an answer from McAfee. It would seem like something in your test environment is causing things to overflow, or some other strange interaction is going on.

           

           

          The rule itself simply looks for all "buffer overflows, bo:call_not_found" happening minus some exclusions:

           

          Rule {
              Class "Buffer_Overflow"
              Id "6013"
              level 4
              application {Include "*"}
              Caller_Module {Exclude { -path "*\\ADOBE\\VDDJEGXL.DLL"} }
              Caller_Module {Exclude { -path "*\\GRFBOJVQ.DLL"} }
              Caller_Module {Exclude { -path "*\\GBPLUGIN\\*"} }
              Caller_Module {Exclude { -path "*\\GBBD\\*"} }
              Caller_Module {Exclude { -path "*\\*GBAS.DLL_U"} }
              Caller_Module {Exclude { -path "*\\GBMZH_CEF.DLL"} }
              Caller_Module {Exclude { -path "*\\NPGBFNC_CEF.DLL"} }
              Caller_Module {Exclude { -path "*\\COMMONMODULE.DLL"} }
              Caller_Module {Exclude { -path "*\\TOUCHENKEY.DLL"} }
              Caller_Module {Exclude { -path "*\\INITECH\\SHTTP\\PLUGIN\\SHTTPS*.OCX"} }
              Caller_Module {Exclude { -path "*\\CLTPE.DLL"} }
              Caller_Module {Exclude { -path "*\\XWEBCLT.DLL"} }
              Caller_Module {Exclude { -path "*\\ISECUR*.OCX"} }
              Caller_Module {Exclude { -path "*\\XWEBUTIL.DLL"} }
              Caller_Module {Exclude { -path "*\\COLLINA.DLL"} }
              target_bytes { Exclude {c8 5a 5a b5 66 0f a3 c7 83 ed 04 e9 eb 04 00 00-9c 8a 0c 24 e8 72 03 00 00 83 ed 02 89 54 24 04} }
              target_bytes { Exclude {04 24 be c6 04 24 b3 8d 64 24 1c e9 14 bb f4 ff-60 c7 44 24 1c 1a ff ae 0b 9c c7 44 24 1c 90 fd} }
              target_bytes { Exclude {e2 47 e2 0a ce fa 9e 3b ad 81 5c 50 f1 61 1b 57-66 0f bb e3 f8 f9 9c 89 c3 e8 76 67 f7 ff 55 81} }
              target_bytes { Exclude {8d 92 46 0b 00 00 8b 12 52 8b 54 24 04 c2 04 00-c7 45 fc fe ff ff ff c7 45 fc 01 00 00 00 64 a1} }
              target_bytes { Exclude {15 c2 bd 34 10 89 54 8d 08 e9 c9 94 02 00 83 c4-8d 4d f8 89 4c 24 fc 8d 64 24 fc e9 eb 94 02 00} }
              attributes -no_trusted_apps -not_auditable
              directives -c -d "bo:call_not_found"
          }
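To make the structure of the rule above concrete, here is a small Python evaluator written for this page; it is an added example, not McAfee code, and it models only what the pasted rule shows (the directive it watches, the Caller_Module path excludes and the target_bytes excludes). The matching semantics are assumptions: a case-insensitive glob over the full caller-module path and an exact comparison of the 32-byte target blob. The event records, the Verdasys hook module name and the "bo:hypothetical_other" directive are constructed for the example and do not come from the thread.

```python
"""Toy evaluator for HIPS signature 6013 as pasted in the reply above.

Added illustration, not McAfee code. Only the visible parts of the rule are
modelled; glob/byte-matching semantics are assumptions, and the module names
and events below are constructed for the example.
"""
import fnmatch
import re

# Trimmed copy of the rule from the reply (a few excludes kept, same syntax).
RULE_6013 = r'''
Rule {
    Class "Buffer_Overflow"
    Id "6013"
    level 4
    application {Include "*"}
    Caller_Module {Exclude { -path "*\\ADOBE\\VDDJEGXL.DLL"} }
    Caller_Module {Exclude { -path "*\\GBPLUGIN\\*"} }
    Caller_Module {Exclude { -path "*\\*GBAS.DLL_U"} }
    Caller_Module {Exclude { -path "*\\INITECH\\SHTTP\\PLUGIN\\SHTTPS*.OCX"} }
    target_bytes { Exclude {c8 5a 5a b5 66 0f a3 c7 83 ed 04 e9 eb 04 00 00-9c 8a 0c 24 e8 72 03 00 00 83 ed 02 89 54 24 04} }
    attributes -no_trusted_apps -not_auditable
    directives -c -d "bo:call_not_found"
}
'''

CALLER_RE = re.compile(r'Caller_Module\s*\{\s*Exclude\s*\{\s*-path\s*"([^"]+)"\s*\}\s*\}')
BYTES_RE = re.compile(r'target_bytes\s*\{\s*Exclude\s*\{([0-9a-fA-F\s-]+)\}\s*\}')
DIRECTIVE_RE = re.compile(r'directives\s+-c\s+-d\s+"([^"]+)"')


def parse_rule(text):
    """Pull the match-relevant pieces out of the rule text."""
    return {
        # The rule escapes backslashes as "\\"; collapse them to real path separators.
        "caller_excludes": [p.replace("\\\\", "\\") for p in CALLER_RE.findall(text)],
        # "xx xx ... xx-xx ..." -> 32 raw bytes per exclude.
        "target_byte_excludes": [bytes.fromhex(re.sub(r"[\s-]", "", h)) for h in BYTES_RE.findall(text)],
        "directives": set(DIRECTIVE_RE.findall(text)),
    }


def add_caller_exclude(rule, pattern):
    """Model an extra Caller_Module exclusion added via policy (assumed equivalent to editing the rule)."""
    rule["caller_excludes"].append(pattern.replace("\\\\", "\\"))


def rule_fires(rule, event):
    """True if the signature would raise an alert for this (constructed) engine event."""
    if event["directive"] not in rule["directives"]:
        return False  # not the event class this rule watches
    path = event["caller_module"].upper()
    if any(fnmatch.fnmatchcase(path, pat.upper()) for pat in rule["caller_excludes"]):
        return False  # caller module is on the exclusion list
    if event["target_bytes"] in rule["target_byte_excludes"]:
        return False  # known-benign target bytes
    return True


_BASE = parse_rule(RULE_6013)
_BENIGN_BYTES = b"\x55\x8b\xec" + bytes(29)  # constructed 32-byte blob, not in the exclude list

# Constructed events; the DLP hook module name and the second directive are hypothetical.
SAMPLE_EVENTS = {
    "dlp_hook": {"caller_module": r"C:\Program Files\Verdasys\hypothetical_hook.dll",
                 "target_bytes": _BENIGN_BYTES, "directive": "bo:call_not_found"},
    "adobe_excluded": {"caller_module": r"C:\Program Files\Adobe\vddjegxl.dll",
                       "target_bytes": _BENIGN_BYTES, "directive": "bo:call_not_found"},
    "gbplugin_excluded": {"caller_module": r"C:\Users\steve\AppData\GbPlugin\anything.dll",
                          "target_bytes": _BENIGN_BYTES, "directive": "bo:call_not_found"},
    "known_bytes_excluded": {"caller_module": r"C:\Windows\System32\hypothetical.dll",
                             "target_bytes": _BASE["target_byte_excludes"][0],
                             "directive": "bo:call_not_found"},
    "other_directive": {"caller_module": r"C:\Program Files\Verdasys\hypothetical_hook.dll",
                        "target_bytes": _BENIGN_BYTES, "directive": "bo:hypothetical_other"},
}


def evaluate_samples(rule=None):
    """Map each sample event to whether 6013 fires under the given (or the pasted) rule."""
    rule = parse_rule(RULE_6013) if rule is None else rule
    return {name: rule_fires(rule, ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    before = evaluate_samples()
    fixed = parse_rule(RULE_6013)
    add_caller_exclude(fixed, r"*\\VERDASYS\\*")  # the kind of exception the thread ends with
    after = evaluate_samples(fixed)
    for name in SAMPLE_EVENTS:
        print(f"{name:22s} fires before={str(before[name]):5s} after={after[name]}")
```

Only the "dlp_hook" event fires: its caller module matches none of the excludes, so an injected DLL from a product the signature's author never saw (a DLP agent, for instance) will trip 6013 on every application launch, while the Adobe and GbPlugin modules and the known target bytes are filtered out. Adding a Caller_Module exclusion for that module is what silences it.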

          • 2. Re: strange issue regarding 6013 signature
            llamamecomoquieras

            Hi there,

             

            Since there is a BOF violation with VSE patch 4, it could be that you are facing the same issue with HIPS. Which Office version do you have?

             

            Please have a look at this document related to VSE 8.8 patch 4:

             

            https://kc.mcafee.com/corporate/index?page=content&id=KB81308

             

            Regards,

            • 3. Re: strange issue regarding 6013 signature
              schmiewliski

              Sorry all for the late reply. All sorted now. I found the issue: we use a product called Verdasys for DLP, and I had to add an exception for a DLL, as this calls the application exe.