
Every 5 minutes IPS warnings when synchronizing WSUS

Hello everybody,

Since 29-05 I have been facing some issues regarding our WSUS server and the IPS on our Firewall SG 330 (probably after the May Cumulative update for Windows 2019). From the moment I synchronize the update catalog with Microsoft, the IPS in our firewall SG 330 goes crazy with the following warning:

2020-06-17 10:18:19 Daemon.Warning [firewall IP] device="SFW" date=2020-06-17 time=10:18:19 timezone="CEST" device_name="SG330" device_id=[device ID] log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=5 fw_rule_id=57 user_name="" signature_id=39466 signature_msg="FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt" classification="Attempted Denial of Service" rule_priority=2 src_ip=93.184.221.240 (unresolved)  src_country_code=GBR dst_ip=[local WSUS server]  dst_country_code=R1 protocol="TCP" src_port=80 dst_port=58792 platform="Windows" category="file-executable" target="Client"

I'm getting the warnings from the following source IPs and domain names:

  • xxxx.deploy.static.akamaitechnologies.com
  • xxxx.routit.net
  • map2.hwcdn.net

And more, mostly CDNs.

I have already updated the patterns, WSUS on Windows Server 2019, Windows updates, etc.

Has anyone already found a solution for this? It seems like false positives. I've read some threads like:

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/120586/ips-alert-every-5-minutes

and

https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/120400/atp-alerts-every-4---8-mins
But so far no luck.
Of course I can adjust the IPS policy, but it seems there's something else going on. I hope you guys can help me out.
Kind Regards,

Stefan
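The log line above is a flat key=value record, so the quickest way to tell a scheduled retry from opportunistic scanning is to parse a batch of these lines and look at the cadence per (signature_id, src_ip, dst_ip) triple: a WSUS content download that keeps failing will hit the same signature from the same CDN address to the same internal host at a fixed interval, which is exactly the "every 5 minutes" pattern described in this post. The following is an added example written for this page, not code from the post or from Sophos; the sample lines are constructed in the SG/SFW IDP syslog format shown above, with 192.0.2.1 (firewall), 10.0.0.5 (WSUS server) and 203.0.113.7 (a one-off source) as placeholder addresses, and 93.184.221.240 taken from the post. The parser also tolerates the "(unresolved)" annotation the console appends after src_ip.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# key=value pairs; values are either "double quoted" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_idp_line(line):
    """Parse one SFW/SG IDP syslog line into a dict of its key=value fields.

    Console annotations such as '(unresolved)' after src_ip carry no '=' and are
    skipped; quoted values have their surrounding quotes removed. The date and
    time fields are combined into a datetime under the key "_ts".
    """
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    if "date" in fields and "time" in fields:
        fields["_ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}',
                                          "%Y-%m-%d %H:%M:%S")
    return fields


def group_drops(lines):
    """Group IDP 'Drop' events by (signature_id, src_ip, dst_ip) -> sorted timestamps."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_idp_line(line)
        if ev.get("log_type") != "IDP" or ev.get("log_subtype") != "Drop" or "_ts" not in ev:
            continue
        groups[(ev["signature_id"], ev["src_ip"], ev["dst_ip"])].append(ev["_ts"])
    return {key: sorted(stamps) for key, stamps in groups.items()}


def periodic_groups(groups, period_s=300, tolerance_s=60, min_hits=3):
    """Return the groups whose hits recur at roughly period_s seconds.

    A fixed cadence from one source to one destination is the fingerprint of a
    scheduled job (here: WSUS retrying the same content download), not of a scan.
    """
    found = []
    for (sig, src, dst), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_s) <= tolerance_s for g in gaps):
            found.append({"signature_id": sig, "src_ip": src, "dst_ip": dst,
                          "hits": len(stamps), "mean_gap_s": round(mean(gaps), 1)})
    return found


def _sample(ts, src, dst_port, sig="39466"):
    """Build a constructed IDP line mirroring the format quoted in the post."""
    d, t = ts.split(" ")
    return (f'{ts} Daemon.Warning 192.0.2.1 device="SFW" date={d} time={t} timezone="CEST" '
            f'device_name="SG330" log_id=020804407002 log_type="IDP" log_component="Signatures" '
            f'log_subtype="Drop" priority=Warning idp_policy_id=5 fw_rule_id=57 user_name="" '
            f'signature_id={sig} signature_msg="FILE-EXECUTABLE Symantec Norton Security IDSvix86 '
            f'out of bounds read attempt" classification="Attempted Denial of Service" '
            f'rule_priority=2 src_ip={src} (unresolved)  src_country_code=GBR dst_ip=10.0.0.5 '
            f'dst_country_code=R1 protocol="TCP" src_port=80 dst_port={dst_port} '
            f'platform="Windows" category="file-executable" target="Client"')


# Constructed sample: four hits from the post's CDN address at a 5-minute cadence,
# plus one unrelated single hit from a placeholder address.
SAMPLE_LINES = [
    _sample("2020-06-17 10:18:19", "93.184.221.240", 58792),
    _sample("2020-06-17 10:20:02", "203.0.113.7", 58801),
    _sample("2020-06-17 10:23:19", "93.184.221.240", 58810),
    _sample("2020-06-17 10:28:20", "93.184.221.240", 58822),
    _sample("2020-06-17 10:33:19", "93.184.221.240", 58835),
]

if __name__ == "__main__":
    for hit in periodic_groups(group_drops(SAMPLE_LINES)):
        print(f'sig {hit["signature_id"]} {hit["src_ip"]} -> {hit["dst_ip"]}: '
              f'{hit["hits"]} drops, mean gap {hit["mean_gap_s"]}s (scheduled retry?)')
```

Feed it the raw syslog export from the firewall instead of SAMPLE_LINES; a triple that comes back with a steady 300-second gap and an internal dst_ip equal to the WSUS server points at a specific stuck download to look up on the WSUS side, whereas the same signature from many sources at irregular intervals would deserve a closer look before any exception is created.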



  • Not really a false positive.
    ... but it seems Microsoft uses servers for update services which also host malware ... that's the cloud ... really great
    Compare the files section on this page:

    https://otx.alienvault.com/indicator/ip/93.184.221.240

    Deactivating these messages or the pattern is more of a workaround.
    But it seems the server is the problem ... not the updates.
    I would temporarily create an exception for this signature.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk,
    Thanks a lot for your reply. Is it safe to deactivate the pattern? Or is it just a workaround to only let WSUS download the particular update, and then re-enable the pattern?

    Unfortunately I don't know which particular update on that malicious server WSUS is trying to download, otherwise I could download it manually. Perhaps there is a way to find out?

    How is it even possible that Microsoft hosts files on the same servers where malicious content is also stored? Seems not so pretty.

  • I would exclude the pattern for 1-2 hours only ... until WSUS has finished downloading the files.

    Possibly within WSUS you can see the failed update downloads.


    Dirk


  • dirkkotte said:
    Possibly within WSUS you can see the failed update downloads.

    Didn't know there is a view where this can be seen. Anyhow, I managed to find two updates which were stuck downloading. I declined them and now no new IPS warnings are popping up.

    The updates were 'Update Rollup for Skype for Business Server 2015 (KB3061064)'.

    Thanks for your help!
