1 Reply Latest reply on Dec 5, 2015 3:44 PM by exbrit

    Stonesoft IPS Positive with IEM update service

    ryanjohnstone

      We are trying to deploy IBM Endpoint Manager (IEM), but the update service it uses for downloading patches etc. is causing our IPS to detect a vulnerability in this process and drop the connection. The IPS alert is shown below. Has anyone come across this before with Stonesoft IPS & IEM and can advise if this is a false positive or something we need to be concerned about? If we are confident this is a false positive, is there any way we can remove this check from the IPS for just this communication (i.e. source & destination), or does it need to be removed as a check in general? Finally, can someone point me to where we tweak the IPS signatures so this check can be removed if we decide to do this? Ta.

       

      IPS Alert

      -------------

      The fingerprint File-Text_Scripting.FileSystemObject-ActiveX-Object-Local-File-Write has matched.

      An attempt to access the local disk using the Scripting.FileSystemObject ActiveX object was detected. This object allows a script to access local resources. Access is normally allowed only from pages loaded from trusted sources, but when using other vulnerabilities in conjunction with this object, an attacker may write arbitrary files to the filesystem.

      Source Host: 174.36.239.142
      Source Port: 80
      Destination Host: X.X.X.X (this is the private address of our IEM server)
      Destination Port: 47853

      Vulnerability:
      Local-System-Access-Via-ActiveX-Controls:
      Microsoft Windows allows access to local resources via several different ActiveX controls. Normally these controls can be accessed only from programs that have been started from the local machine. By using other vulnerabilities, these controls may be used from code in a web page or email message, allowing arbitrary code execution or local resource access in the context of the currently logged in user.