0 Replies Latest reply on Jul 29, 2015 3:45 PM by McDuff

    HIPS Event 2846 Occuring on Active X Control with Kill Bit Already Set




      We're noticing the following HIPS event occurs regularly on the same PC:


      Event ID 18000

      Threat Names: 2846

      Event Category:  Host intrusion (hip.Illegal_API_Use)

      Event Description:  Host intrusion detected and handled

      Threat source process name:  C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

      Threat Type:  bad_parameter

      Action Taken:  Blocked

      Threat Severity:  Critical

      APIName:  CompatFlagsFromclsid

      Vulnerability Name:  Vulnerable ActiveX Control Loading A

      Parameter passed to API is 19916E01-B44E-4E31-94A4-4696DF46157B


      We have confirmed  workstation already has the patch ms13-090 https://support.microsoft.com/en-us/kb/2900986 which is supposed to put in the kill bit for this particular Active X control so we're wondering if somebody could shed some light into why this event occurring.  Is HIPS picking it up before the kill bit is recognized?


      Thanks for your help!