Hello everybody,
Since 29-05 I have been facing some issues regarding our WSUS server and the IPS on our Firewall SG 330 (probably after the May Cumulative update for Windows 2019). From the moment I synchronize the update catalog with Microsoft, the IPS in our firewall SG 330 goes crazy with the following warning:
2020-06-17 10:18:19 Daemon.Warning [firewall IP] device="SFW" date=2020-06-17 time=10:18:19 timezone="CEST" device_name="SG330" device_id=[device ID] log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=5 fw_rule_id=57 user_name="" signature_id=39466 signature_msg="FILE-EXECUTABLE Symantec Norton Security IDSvix86 out of bounds read attempt" classification="Attempted Denial of Service" rule_priority=2 src_ip=93.184.221.240 (unresolved) src_country_code=GBR dst_ip=[local WSUS server] dst_country_code=R1 protocol="TCP" src_port=80 dst_port=58792 platform="Windows" category="file-executable" target="Client"
I'm getting the warnings with the following source IPs and domain names:
- xxxx.deploy.static.akamaitechnologies.com
- xxxx.routit.net
- map2.hwcdn.net
And more. Mostly CDNs.
Already updated the patterns, WSUS on Windows Server 2019, Windows updates etc.
Has anyone already found a solution for this? Seems like false positives. I've read some threads like:
and
But so far no luck.
Of course I can adjust the IPS policy, but it seems there's something else going on. I hope you guys can help me out.
Kind Regards,
Stefan