IPS false-positive can block http download of windows executable

It has come to our attention that a specific intrusion prevention pattern which is normally used to detect .NET exploits is falsely detecting some windows executable downloads to be malicious. You are only affected if you have the IPS system active, if you enabled the category “Attacks against Client Software” -> “Browser (Internet Explorer, Mozilla)” and set this category to “drop”. All other customers are not affected by this issue. We have identified the pattern and are currently analyzing it. Once we are finished, we will run the fixed pattern set through our test procedures and expect to be releasing fixed ips patterns by tomorrow. Read below how to work arround this issue …

I am affected, what can i do? In order to bypass this rule, log in to WebAdmin and navigate to the “Advanced” tab of the Intrusion Prevention system. There you need to to add a new “rule modification” by clicking on the + sign.

ips_4.png

Than set the action “Alert” for rule “15306” like this:

ips_3.png

And save it, now it should look like this:

ips_2.png

That's it, now the download no longer gets blocked, yet all the .NET exploits will still be blocked.

Best regards,
Gert Hansen

READ MORE

You Can Learn More About the Astaro Internet Security Product Line By Going to www.FirewallShop.com/Astaro.

The original article/video can be found at IPS false-positive can block http download of windows executable

Leave a Reply