BlackICE Server Protection Content Update 3.6.crg - README
=====================================================================

Last modified: 12 August 2008

© Copyright IBM Corporation 1998, 2008. All rights reserved worldwide.

PLEASE READ THIS DOCUMENT IN ITS ENTIRETY.

=====================================================================
CONTENTS
=====================================================================

- Description
- System requirements
- Applying updates
- Getting the latest related documentation
- Customer Support
- Known issues
- New signatures added in this release

---------------------------------------------------------------------

DESCRIPTION
=====================================================================

This release contains 24 new event(s) and 22 new blocking response(s).

SYSTEM REQUIREMENTS
=====================================================================

Hardware:    Pentium class computer.

OS:          Windows NT 4 (SP6, SP6a)
             Windows 2000 (SP1, SP2, SP3, SP4)

Memory:      Minimum: 16MB. Recommended: 64MB.

Disk Space:  A minimum of 10 MB. This includes 2.5 MB allocated for
             logging trace files.

Other:       System must be using Internet Explorer 5.0 or later.
APPLYING UPDATES
=====================================================================

Apply this update through the agent installation package.

GETTING THE LATEST RELATED DOCUMENTATION
=====================================================================

Documentation for BlackICE Server Protection can be found at the
following Web address:

    http://www.iss.net/support/documentation

CUSTOMER SUPPORT
=====================================================================

Support for this release is available by sending an email to:

    e-mail: support-l1@networkice.com

and following the support email guidelines on the web page:

    http://blackice.iss.net/customer_support.php

When submitting a support request via e-mail, put the category of the
issue you are experiencing and your license key in the subject heading
of your e-mail. For example:

    QUESTION: f6MljWhIFRvbSCG/G3nSPAC000B23A

You can use any one of the following categories:

- CRASH          : BlackICE is causing your system to crash or hang
- QUESTION       : ask a question
- OPERATION      : report an issue regarding one of BlackICE's
                   functions or features
- NEW INSTALL    : you are experiencing an install issue
- UPDATE INSTALL : you are attempting to update your BlackICE
                   installation and are experiencing difficulties
                   doing so
- FEATURE        : to suggest features you would like to see in
                   BlackICE
- OTHER          : to request support for an issue that doesn't fit
                   any of the above categories

Make sure to include the following files when requesting technical
support:

- attack-list.csv
- blackd.log
- blackd-old.log
- blackice.ini
- firewall.ini
- sigs.ini
- protect.ini
- checksum.txt
- filelock.txt
- actlcl.txt
- rapapp.log
- rapapp-old.log
- license.key

To provide feedback on this readme, send an email to readme@iss.net

KNOWN ISSUES
=====================================================================

- Customers may see false positives with Excel_File_Import_Code_Exec.
  Profiling on the customers' traffic should be performed before
  enabling blocking.
- X-Force is investigating possible false alarms in
  HTML_URL_Unicode_Stack_Overflow.

- WINS_UDP_Pointer_Code_Exec is known to have false positives in some
  network environments. Tune the signature as follows to help reduce
  the false positives:

      pam.WINS_UDP_Pointer_Code_Exec.limit=500

- The InstallShield installation of BlackICE Server Protection hangs
  at the end of the install on Windows XP SP1 and SP2. You may see the
  following error:

      An error occurred while launching the setup
      The remote procedure call failed

  In this case, you can use the Windows Task Manager to manually
  terminate the hung InstallShield process at the end of the install
  without any adverse effects. For more information, please see the
  following Knowledge Base article:

      https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3812

- When you update from 2.9 to 3.6, your preferences in the BlackICE
  Attacks and Intruders windows are not saved (i.e. the field and
  column width specifications). Also, your settings for the
  Preferences tab are not saved.

  Workaround: Please note your settings before updating your copy of
  BlackICE.

- For WinNT 4: Under certain situations, the floppy drive is
  inaccessible when the agent is installed.

  Workaround: Add the following line to blackice.ini:

      starting.i=101

  After saving and closing blackice.ini, stop and start the BlackICE
  service in the service list.

- Under rare conditions, BlackICE may not detect your computer's
  network adapter(s). This means that although your computer can
  communicate on the network, BlackICE fails to see the network
  traffic and as such fails to protect your system.

  Workaround: Add the following line to blackice.ini:

      adapter.override=enabled

  Save and close blackice.ini, then stop and start the BlackICE
  engine.

- If you install BlackICE on a server that has been upgraded from
  Windows NT 4.0 Terminal Server to Windows 2000, you will encounter a
  red slash on the BlackICE systray icon.
  Additionally, an 'Installation Failure' event (ID 13) will be
  generated in the BlackICE UI.

  Workaround: Properly uninstall BlackICE using Add/Remove Programs,
  located under the Control Panel. From Add/Remove Programs, select
  Add New Programs, then select CD or Floppy, select Next, and enter
  the path to the agent install executable or use Browse to locate
  it. Select Next and the standard BlackICE install will begin. Once
  it has completed, select Next in the window you started the install
  in, and then click Finish to complete the process.

- When using the Communications Control in the Advanced Application
  Protection Settings to terminate or block network access of a
  trusted application, and that application uses a secondary trusted
  application to access the Internet, the secondary application will
  not be terminated or blocked.

  Workaround: Use Applications Control and change the settings for
  the primary application from allow to terminate. The primary
  application will be terminated and cannot use the secondary
  application to access the Internet.

- Using Terminal Server client on Win2K, the Application protection
  prompts only appear for the first user logged into the system if an
  unknown or modified application is launched by the second user. The
  workaround is to answer the Application protection prompts at the
  local station.

- Under rare conditions the baseline does not complete properly due
  to a virtual memory error.

  Workaround: Free up disk space on your computer and reboot the
  system so Windows can allocate the proper amount of virtual memory.

- When uninstalling on Windows 98 and Me, you may see one or more
  "Unknown Application" prompts referencing various InstallShield
  files such as isrt.dll and ikernel.exe. This may occur when
  uninstalling any application which uses InstallShield, not just
  BlackICE. As part of InstallShield's bootstrapping process, it
  unpacks and runs various files in a temporary directory.
  These files are not part of the file system baseline, so the
  Application Protection feature will trigger on them. The workaround
  is to put Application Protection into "Install Mode" using the
  button on the "Unknown Application" dialog. Or, just allow the
  triggered file to continue (do not terminate the file or your
  uninstall will also be terminated).

- If you are having difficulties performing SCANDISK or DEFRAG, stop
  the BlackICE engine. When your computer is busy receiving network
  traffic, BlackICE Server Protection is also busy logging
  information to your disk. SCANDISK or DEFRAG may not finish when
  your disk drive is in use.

- Under certain situations, you may see the RED slash across the
  system tray icon. These situations include:

  - You invoked BlackICE Engine/Stop BlackICE Engine.
  - The BlackICE engine is in startup delay. BlackICE Server
    Protection has determined that for some reason, the system was
    abruptly or unexpectedly shut down in a prior computer session.
  - Your system has become busy to the point where the agent user
    interface is temporarily unable to communicate with the BlackICE
    engine. If this is the case, you will see the red slash for only
    a short period with no lapse in system protection from the
    BlackICE engine.
  - The BlackICE engine has terminated unexpectedly.

- If a Terminal Services session is established when APM is active,
  the APM prompts will only be displayed on the local computer, not
  within the Terminal Services client.

1. New Security Content For 3.6.crg
---------------------------------------------------------------

IssueID  SecChkID  ProductCheckName                        Event Type                   Risk Level
-------  --------  --------------------------------------  ---------------------------  ----------
2114121  28650     Pict_Office_Filter_Overflow             Unauthorized Access Attempt  High
2124006  33744     HTTP_Groupwise_WebAccess_GWinter_Bo     Unauthorized Access Attempt  High
2124008  34016     HTTP_Tivoli_Rembo_Bo                    Unauthorized Access Attempt  High
2122038  34445     JSON_Hijacking                          Suspicious Activity          Low
2114117  35357     SMIL_QuickTime_Overflow                 Unauthorized Access Attempt  High
2124009  36937     XML_QuickTime_QTL_Code_Execution        Unauthorized Access Attempt  High
2114116  38279     Pict_UncompressedQuickTime_Underflow    Unauthorized Access Attempt  High
2114118  38280     Pict_PackBitsRgn_Underflow              Unauthorized Access Attempt  High
2114119  38281     Pict_Poly_Underflow                     Unauthorized Access Attempt  High
2125000  39158     HTTP_Apache_Trailing_Slash              Suspicious Activity          Low
2124005  40768     Novell_iPrint_ActiveX_Bo                Unauthorized Access Attempt  High
2106304  40927     SIP_Unregistered_Endpoint_Invite        Protocol Signature           Low
2101039  41607     QuickTime_CRGN_Overflow                 Unauthorized Access Attempt  High
2101040  41613     QuickTime_OBJI_Overflow                 Unauthorized Access Attempt  High
2124012  42676     HTML_Messenger_Information_Disclosure   Unauthorized Access Attempt  Medium
2101042  43334     DNS_Cache_Poison_Subdomain_Attack       Protocol Signature           Medium
2114120  43352     Pict_Office_Filter_Underflow            Unauthorized Access Attempt  High
3124001  43586     SAMETIME_Login                          Protocol Signature           Low
3114014  43721     Pict_Detected                           Protocol Signature           Low
2114115  43722     Pict_Malformed                          Suspicious Activity          Low
2124011  44084     Image_EMF_MSCMS_Heap_Overflow           Unauthorized Access Attempt  High
2125001  44095     HTTP_IE_Object_Access_Code_Execution    Unauthorized Access Attempt  High
2101041  44146     FTP_Cisco_IOS_MKD_BO                    Unauthorized Access Attempt  High
3120018  44154     SIP_Message_Detected                    Suspicious Activity          Low

2. Security Content Improvements in 3.6.crg
---------------------------------------------------------------

- Fixed a false positive in Skype_Detected.
- Fixed a false positive in Email_Exchange_Mime_Decoding when a
  base64 attachment contained multiple blank lines.
- Fixed a false positive in HTML_URI_Unicode_Stack_Overflow.
- Fixed a false positive in UPnP_Request_Overflow.
- Fixed a false positive in MDB_Jet_Engine_Stack_Overflow.
- Fixed a false positive in Multimedia_File_Overflow related to
  anomalous sections within SWF files.
- Fixed a false positive in JavaScript_Unescape_Regex.
- Fixed a false positive in DNS_DNSSEC_Type_Mismatch by adding better
  correlation between RRSIG records and answer resource records.
- Fixed a false positive in MOV_Container_Overflow within the user
  data (udta) container.
- Fixed false positives in HTTPS_Apache_ClearText_DoS and
  HTTP_Tunnel_Not_TLS_or_SSL for the case involving failed CONNECT
  requests to proxy servers.
- Fixed false negatives in SQL_Injection and Shell_Command_Injection
  related to esoteric forms of argument processing by some CGI
  applications.
- Fixed a false negative in Informix_Username_Overflow and
  Informix_Long_Username_Overflow when the Informix server is running
  on a non-default port.
- Updated Shell_Command_Injection detection with stricter semantics
  for the data flagged as possible shell code commands.
- Fixed an error in SQL_Injection which was inadvertently using the
  score limit value of Shell_Command_Injection.
- Added a new tuning parameter (pam.injection.param.ignore.) that
  allows you to disable SQL_Injection and Shell_Command_Injection
  events for one or more CGI name=value pairs. See the help
  information for this tuning parameter for further configuration
  details.
- Fixed a PAM internal error induced when the HTTP parser evaluated a
  request containing a specific URL.
- Fixed the pam.http.report.request.header and
  pam.http.report.response.header advanced tuning parameters so that
  the HTTP header field value is reported for every attack if
  available. See the help information for these tuning parameters for
  further configuration details.
- Corrected the victim and intruder addresses for all HTTP response
  events. The addresses now match the source and destination address
  tuples.
- Added a tuning parameter (pam.dns_cache_poison.report.interval,
  default=2 secs) to DNS_Cache_Poison and
  DNS_Cache_Poison_Subdomain_Attack to limit reports/sec.
- Added PAM_PacketError Blocking and a tuning parameter
  (pam.dns_cache_poison.drop, default=true) to DNS_Cache_Poison and
  DNS_Cache_Poison_Subdomain_Attack.
- Changed the default value for the pam.dns_cache_poison.answer.limit
  tuning parameter to a higher value of 40 to avoid false positives
  for DNS_Cache_Poison. This change is possible with the release of
  DNS_Cache_Poison_Subdomain_Attack, which detects groups of smaller
  DNS attacks not efficiently detected by DNS_Cache_Poison.
- Updated HTML_IE_ActiveX_Loader_Heap_Corruption to cover additional
  vulnerabilities.
- Enhanced Nmap_OS_Fingerprint to more accurately detect newer
  versions of NMAP starting with 4.2.
- Enhanced the efficiency of the HTTP coalescer to decrease the
  number of events displayed in the management console.
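The Known Issues workarounds and the pam.* tuning notes above all come down to bare key=value lines in blackice.ini, and each one requires an engine restart to take effect. As an added example (not part of this README and not ISS tooling), the Python helper below applies a chosen set of such lines to an existing blackice.ini idempotently, editing a key already present instead of appending a duplicate, and reports exactly what changed so a restart can be skipped when nothing did. It assumes blackice.ini is a flat key=value file whose comment lines start with `;` or `#`; the dictionary lists the lines this README quotes, and the sample file content is constructed.

```python
# Added example (not ISS code): apply blackice.ini tuning lines idempotently.
# Assumption: blackice.ini is a flat key=value file where lines beginning with
# ';' or '#' are comments. Keys/values are the ones this README quotes; pick
# only those the Known Issues / tuning notes say apply to your deployment.
from typing import Dict, List, Tuple

README_TUNING = {
    "pam.WINS_UDP_Pointer_Code_Exec.limit": "500",  # WINS false positives
    "adapter.override": "enabled",                  # adapter not detected
    "pam.dns_cache_poison.answer.limit": "40",      # new 3.6.crg default
    "pam.dns_cache_poison.report.interval": "2",    # seconds between reports
}

def _split(raw: str):
    """Return (key, value) for a key=value line, or None for comments/blanks."""
    line = raw.strip()
    if not line or line[0] in ";#" or "=" not in line:
        return None
    key, _, value = line.partition("=")
    return key.strip(), value.strip()

def parse_ini(text: str) -> Dict[str, str]:
    """Key -> value map of the file; a later duplicate key wins."""
    return dict(kv for kv in map(_split, text.splitlines()) if kv)

def apply_tuning(text: str, settings: Dict[str, str]) -> Tuple[str, List[str]]:
    """Set each key, editing an existing line in place or appending a new one.
    Comments, ordering and unrelated keys are kept so the result can be diffed
    before restarting the engine. Returns (new_text, changes); [] = no restart."""
    lines = text.splitlines()
    changes: List[str] = []
    seen = set()
    for i, raw in enumerate(lines):
        kv = _split(raw)
        if kv and kv[0] in settings:
            key, old = kv
            seen.add(key)
            if old != settings[key]:
                lines[i] = f"{key}={settings[key]}"
                changes.append(f"changed {key}: {old} -> {settings[key]}")
    for key, value in settings.items():
        if key not in seen:
            lines.append(f"{key}={value}")
            changes.append(f"added {key}={value}")
    return "\n".join(lines) + "\n", changes

# Constructed sample: one tuning key present at the pre-3.6 value, one unrelated.
SAMPLE_INI = """; blackice.ini (constructed sample)
pam.dns_cache_poison.answer.limit=20
starting.i=101
"""
```

Running `apply_tuning(SAMPLE_INI, README_TUNING)` raises the answer limit from 20 to 40 in place and appends the three missing keys; a second run over the result reports no changes.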
3. Event Blocking Notes
---------------------------------------------------------------

3.1 Blocking was added for the following events:

SecChkID  ProductCheckName
--------  ---------------------------------------
36723     SMTP_Ipswitch_IMail_Mime_BO
36811     NNTP_Outlook_Reply_Overflow
36919     XFS_Query_Range_Integer_Overflow
36920     XFS_Query_Range_Swap_Overflow
37373     Applix_Words_Document_Overflow
37374     Applix_Graphics_Document_Overflow
38643     HTML_Mozilla_XBL_Exec
38645     BIFF_Lotus_123_FileViewer_BO
38965     SMB_Samba_Mailslot_Logon_BO
39554     JavaScript_Gateway_DoWebLaunch
39601     HTTP_QuickTime_RTSP_Response_BO
39697     QuickTime_Image_Description_Code_Execut
40056     MS_Encoded_Script_Overflow
40062     XML_WebDAV_MiniRedirector_BO
40088     HTML_IE_Rendering_Combination_Corruptio
40090     HTML_IE_ARG_Code_Exec
40431     MSRPC_Spoolss_EnumPrinters_Bo
40816     HTTP_MayDay_Request
40838     JavaScript_RisingScanner_UpdateEngine
40844     JavaScript_Quantum_UploadLogs_Bo
40891     HTTP_TrendMicro_Officescan_BO
43334     DNS_Cache_Poison_Subdomain_Attack

3.2 Blocking was removed for the following events:

SecChkID  ProductCheckName
--------  ---------------------------------------

4. Other Updates
---------------------------------------------------------------

5. Other Bug Fixes
---------------------------------------------------------------

=====================================================================