BlackICE PC Protection Content Update 3.6.crg - README
=====================================================================
Last modified: 12 August 2008
© Copyright IBM Corporation 1998, 2008. All rights reserved worldwide.

PLEASE READ THIS DOCUMENT IN ITS ENTIRETY.
=====================================================================

CONTENTS
=====================================================================
- Description
- System requirements
- Applying updates
- Getting the latest related documentation
- Customer Support
- Known issues
- New signatures added in this release
---------------------------------------------------------------------

DESCRIPTION
=====================================================================
This release contains 24 new event(s) and 22 new blocking response(s).

SYSTEM REQUIREMENTS
=====================================================================
- Hardware:   Pentium class computer.
- OS:         Windows 98 (retail, SP1, Second Edition)
              Windows NT 4 (SP6, SP6a)
              Windows 2000 (SP1, SP2, SP3, SP4)
              Windows ME
              Windows XP Pro (SP1) / Home (SP1)
              Windows XP Pro (SP2) / Home (SP2)
- Memory:     Minimum: 16MB
              Recommended: 64MB
- Disk space: A minimum of 10MB. This includes 2.5 MB allocated for
              logging trace files.
- Other:      System must be using the following:
              - Internet Explorer 5.0 or later.
APPLYING UPDATES
=====================================================================
Apply this update through the agent installation package.

GETTING THE LATEST RELATED DOCUMENTATION
=====================================================================
Documentation for BlackICE PC Protection can be found at the following
Web address:

    http://www.iss.net/support/documentation

CUSTOMER SUPPORT
=====================================================================
Support for this release is available by sending an email to:

    e-mail: support-l1@networkice.com

and following the support email guidelines on the web page:

    http://blackice.iss.net/customer_support.php

When submitting a support request via e-mail, put the category of the
issue you are experiencing and your license key in the subject heading
of your e-mail. For example:

    QUESTION: 0123456-RS-12345

You can use any one of the following categories:
- CRASH         : BlackICE is causing your system to crash or hang
- QUESTION      : ask a question
- OPERATION     : report an issue regarding one of BlackICE's functions
                  or features
- NEW INSTALL   : you are experiencing an install issue
- UPDATE INSTALL: you are attempting to update your BlackICE
                  installation and are experiencing difficulties doing so
- FEATURE       : to suggest features you would like to see in BlackICE
- OTHER         : to request support for an issue that doesn't fit any
                  of the above categories

Make sure to include the following files when requesting technical
support:
- attack-list.csv
- blackd.log
- blackd-old.log
- blackice.ini
- firewall.ini
- sigs.ini
- protect.ini
- checksum.txt
- actlcl.txt
- filelock.txt
- rapapp.log
- rapapp-old.log
- license.key

To provide feedback on this readme, send an email to readme@iss.net

KNOWN ISSUES
=====================================================================
- Customers may see false positives with Excel_File_Import_Code_Exec.
  Profiling on the customers' traffic should be performed before
  enabling blocking.
- XForce is investigating possible false alarms in
  HTML_URL_Unicode_Stack_Overflow.
- WINS_UDP_Pointer_Code_Exec is known to have false positives in some
  network environments. Tune the signature as follows to help reduce
  the false positives:

      pam.WINS_UDP_Pointer_Code_Exec.limit=500

- The InstallShield installation of BlackICE PC Protection hangs at the
  end of the install on Windows XP SP1 and SP2. You may see the
  following error:

      An error occurred while launching the setup
      The remote procedure call failed

  In this case, you can use the Windows Task Manager to manually
  terminate the hung InstallShield process at the end of the install
  without any adverse effects. For more information, please see the
  following Knowledge Base article:
  https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3812
- When you update from 2.9 to 3.5 or 3.6, your preferences in the
  BlackICE Attacks and Intruders windows are not saved (i.e. the field
  and column width specifications). Also, your settings for the
  Preferences tab are not saved.
  Workaround: Note your settings before updating your copy of BlackICE.
- If you enabled ACPI power management, BlackICE does not let
  Windows 98/Me automatically go into hibernate mode, and on some
  systems not even into Standby mode.
  Workaround: You can manually put your computer into Standby or
  Hibernate mode. We are working on a solution.
- On Windows Me, restore points do not occur automatically.
  Workaround: Periodically set restore points manually.
- For WinNT 4: Under certain situations, the floppy drive is
  inaccessible when the agent is installed.
  Workaround: Add the following line to blackice.ini:

      starting.i=101

  After saving and closing blackice.ini, stop and start the BlackICE
  service in the service list.
- For Windows 98, using Dial Up Networking or when establishing a VPN
  connection: Under certain conditions, establishing the dial up or VPN
  connection fails.
  Workaround: Add the following line to blackice.ini:

      restart.whenDeviceChg = false

- Under rare conditions, the agent may not detect your computer's
  network adapter(s). This means that although your computer can
  communicate on the network, BlackICE fails to see the network traffic
  and therefore fails to protect your system.
  Workaround: Add the following line to blackice.ini:

      adapter.override = true

  Save and close blackice.ini, then stop and start the BlackICE engine.
- When using the Communications Control in the Advanced Application
  Protection Settings to terminate or block network access of a trusted
  application, and that application uses a secondary trusted
  application to access the Internet, the secondary application will
  not be terminated or blocked.
  Workaround: Use the Applications Control and change the setting for
  the primary application from allow to terminate. The primary
  application will be terminated and cannot use the secondary
  application to access the Internet.
- When using Fast User Switching on XP, if the unknown or modified
  application is launched by the second user, the Application
  Protection prompts appear only for the first user logged into the XP
  system.
  Workaround: Switch back to the first user and answer the Application
  Protection prompts.
- Under rare conditions the baseline does not complete properly due to
  a virtual memory error.
  Workaround: Free up disk space on your computer and reboot the system
  so Windows can allocate the proper amount of virtual memory.
- When uninstalling on Windows 98 and Me, you may see one or more
  "Unknown Application" prompts referencing various InstallShield files
  such as isrt.dll and ikernel.exe. This may occur when uninstalling any
  application which uses InstallShield, not just BlackICE. As part of
  InstallShield's bootstrapping process, it unpacks and runs various
  files in a temporary directory.
  These files are not part of the file system baseline, so the
  Application Protection feature will trigger on them.
  Workaround: Put Application Protection into "Install Mode" using the
  button on the "Unknown Application" dialog, or just allow the
  triggered file to continue (do not terminate the file, or your
  uninstall will also be terminated).
- The agent is not compatible with VMware. Running this agent in a
  VMware environment could result in unpredictable system behavior.
- On some notebook computers configured to go into standby when there
  is a lack of computer activity (e.g. disk, keyboard, and mouse
  activity), the agent may prevent the system from going into standby
  because of its own disk activity.
- The agent may prevent certain PDAs from synchronizing. If this
  happens, stop the BlackICE engine.
- Versions of Cookie Crusher earlier than Version 2.5 are incompatible
  with this agent. Removing Cookie Crusher fixes the problem.
- If you are having difficulties performing SCANDISK or DEFRAG, stop
  the BlackICE engine. When your computer is busy receiving network
  traffic, BlackICE is busy too, logging information to your disk.
  SCANDISK or DEFRAG may not finish while your disk drive is in use.
- Under certain situations, you may see the RED slash across the
  BlackICE system tray icon. These situations include:
  - You invoked BlackICE Engine/Stop BlackICE Engine.
  - The BlackICE engine is in startup delay. BlackICE has determined
    that for some reason the system was abruptly or unexpectedly shut
    down in a prior computer session.
  - BlackICE has detected a network device insertion event and is
    re-starting to accommodate the new device. In this case the red
    slash is temporary and will disappear after a few seconds. For
    example, if you access the Internet via a dialup modem, it is very
    likely that you will see the red slash appear every time you
    connect to the Internet.
    If you don't want this to occur, consider adding the following
    lines to the blackice.ini file:

        restart.whenDeviceChg = false
        startup.crashdelay = disabled

  - Your system has become busy to the point where the agent user
    interface is temporarily unable to communicate with the BlackICE
    engine. If this is the case, you will see the red slash for only a
    short period, with no lapse in system protection from the BlackICE
    engine.
  - The BlackICE engine has terminated unexpectedly.
- Applications that operate in a 16-bit environment may not be detected
  properly in Win98/WinMe. IBM ISS recommends that you avoid running
  these applications due to their inherent security weaknesses.

1. New Security Content For 3.6.crg
---------------------------------------------------------------
IssueID SecChkID ProductCheckName                       Event Type                  Risk Level
------- -------- -------------------------------------- --------------------------- ----------
2114121 28650    Pict_Office_Filter_Overflow            Unauthorized Access Attempt High
2124006 33744    HTTP_Groupwise_WebAccess_GWinter_Bo    Unauthorized Access Attempt High
2124008 34016    HTTP_Tivoli_Rembo_Bo                   Unauthorized Access Attempt High
2122038 34445    JSON_Hijacking                         Suspicious Activity         Low
2114117 35357    SMIL_QuickTime_Overflow                Unauthorized Access Attempt High
2124009 36937    XML_QuickTime_QTL_Code_Execution       Unauthorized Access Attempt High
2114116 38279    Pict_UncompressedQuickTime_Underflow   Unauthorized Access Attempt High
2114118 38280    Pict_PackBitsRgn_Underflow             Unauthorized Access Attempt High
2114119 38281    Pict_Poly_Underflow                    Unauthorized Access Attempt High
2125000 39158    HTTP_Apache_Trailing_Slash             Suspicious Activity         Low
2124005 40768    Novell_iPrint_ActiveX_Bo               Unauthorized Access Attempt High
2106304 40927    SIP_Unregistered_Endpoint_Invite       Protocol Signature          Low
2101039 41607    QuickTime_CRGN_Overflow                Unauthorized Access Attempt High
2101040 41613    QuickTime_OBJI_Overflow                Unauthorized Access Attempt High
2124012 42676    HTML_Messenger_Information_Disclosure  Unauthorized Access Attempt Medium
2101042 43334    DNS_Cache_Poison_Subdomain_Attack      Protocol Signature          Medium
2114120 43352    Pict_Office_Filter_Underflow           Unauthorized Access Attempt High
3124001 43586    SAMETIME_Login                         Protocol Signature          Low
3114014 43721    Pict_Detected                          Protocol Signature          Low
2114115 43722    Pict_Malformed                         Suspicious Activity         Low
2124011 44084    Image_EMF_MSCMS_Heap_Overflow          Unauthorized Access Attempt High
2125001 44095    HTTP_IE_Object_Access_Code_Execution   Unauthorized Access Attempt High
2101041 44146    FTP_Cisco_IOS_MKD_BO                   Unauthorized Access Attempt High
3120018 44154    SIP_Message_Detected                   Suspicious Activity         Low

2. Security Content Improvements in 3.6.crg
---------------------------------------------------------------
- Fixed a false positive in Skype_Detected.
- Fixed a false positive in Email_Exchange_Mime_Decoding when a base64
  attachment contained multiple blank lines.
- Fixed a false positive in HTML_URI_Unicode_Stack_Overflow.
- Fixed a false positive in UPnP_Request_Overflow.
- Fixed a false positive in MDB_Jet_Engine_Stack_Overflow.
- Fixed a false positive in Multimedia_File_Overflow related to
  anomalous sections within SWF files.
- Fixed a false positive in JavaScript_Unescape_Regex.
- Fixed a false positive in DNS_DNSSEC_Type_Mismatch by adding better
  correlation between RRSIG records and answer resource records.
- Fixed a false positive in MOV_Container_Overflow within the user data
  (udta) container.
- Fixed false positives in HTTPS_Apache_ClearText_DoS and
  HTTP_Tunnel_Not_TLS_or_SSL for the case involving failed CONNECT
  requests to proxy servers.
- Fixed false negatives in SQL_Injection and Shell_Command_Injection
  related to esoteric forms of argument processing by some CGI
  applications.
- Fixed a false negative in Informix_Username_Overflow and
  Informix_Long_Username_Overflow when the Informix server is running
  on a non-default port.
- Updated Shell_Command_Injection detection with stricter semantics for
  the data flagged as possible shell code commands.
- Fixed an error in SQL_Injection which was inadvertently using the
  score limit value of Shell_Command_Injection.
- Added a new tuning parameter (pam.injection.param.ignore.) that
  allows you to disable SQL_Injection and Shell_Command_Injection
  events for one or more CGI name=value pairs. See the help information
  for this tuning parameter for further configuration details.
- Fixed a PAM internal error induced when the HTTP parser evaluated a
  request containing a specific URL.
- Fixed the pam.http.report.request.header and
  pam.http.report.response.header advanced tuning parameters so that
  the HTTP header field value is reported for every attack if
  available. See the help information for these tuning parameters for
  further configuration details.
- Corrected the victim and intruder addresses for all HTTP response
  events. The addresses now match the source and destination address
  tuples.
- Added a tuning parameter (pam.dns_cache_poison.report.interval,
  default=2 secs) to DNS_Cache_Poison and
  DNS_Cache_Poison_Subdomain_Attack to limit reports/sec.
- Added PAM_PacketError Blocking and a tuning parameter
  (pam.dns_cache_poison.drop, default=true) to DNS_Cache_Poison and
  DNS_Cache_Poison_Subdomain_Attack.
- Changed the default value of the pam.dns_cache_poison.answer.limit
  tuning parameter to a higher value of 40 to avoid false positives for
  DNS_Cache_Poison. This change is possible with the release of
  DNS_Cache_Poison_Subdomain_Attack, which detects groups of smaller
  DNS attacks not efficiently detected by DNS_Cache_Poison.
- Updated HTML_IE_ActiveX_Loader_Heap_Corruption to cover additional
  vulnerabilities.
- Enhanced Nmap_OS_Fingerprint to more accurately detect newer versions
  of NMAP starting with 4.2.
- Enhanced the efficiency of the HTTP coalescer to decrease the number
  of events displayed in the management console.

3. Event Blocking Notes
---------------------------------------------------------------
3.1 Blocking was added for the following events:

SecChkID ProductCheckName
------------------------------
36723    SMTP_Ipswitch_IMail_Mime_BO
36811    NNTP_Outlook_Reply_Overflow
36919    XFS_Query_Range_Integer_Overflow
36920    XFS_Query_Range_Swap_Overflow
37373    Applix_Words_Document_Overflow
37374    Applix_Graphics_Document_Overflow
38643    HTML_Mozilla_XBL_Exec
38645    BIFF_Lotus_123_FileViewer_BO
38965    SMB_Samba_Mailslot_Logon_BO
39554    JavaScript_Gateway_DoWebLaunch
39601    HTTP_QuickTime_RTSP_Response_BO
39697    QuickTime_Image_Description_Code_Execut
40056    MS_Encoded_Script_Overflow
40062    XML_WebDAV_MiniRedirector_BO
40088    HTML_IE_Rendering_Combination_Corruptio
40090    HTML_IE_ARG_Code_Exec
40431    MSRPC_Spoolss_EnumPrinters_Bo
40816    HTTP_MayDay_Request
40838    JavaScript_RisingScanner_UpdateEngine
40844    JavaScript_Quantum_UploadLogs_Bo
40891    HTTP_TrendMicro_Officescan_BO
43334    DNS_Cache_Poison_Subdomain_Attack

3.2 Blocking was removed for the following events:

SecChkID ProductCheckName
------------------------------

4. Other Updates
---------------------------------------------------------------

5. Other Bug Fixes
---------------------------------------------------------------
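Several entries in the Known Issues section above are fixed by adding one line to blackice.ini (starting.i=101, restart.whenDeviceChg = false, adapter.override = true, startup.crashdelay = disabled). The script below is an added example, not part of this README and not IBM ISS code: it applies the chosen workaround lines to blackice.ini idempotently, rewriting a key that is already present and appending one that is missing, while leaving every other line, its spacing and its line endings untouched, so it can be re-run from an admin checklist without accumulating duplicate keys, and it can report which workarounds a given file already has. It assumes that blackice.ini is a flat key=value file without [sections] and that keys and values compare case-insensitively; the group labels (adapter_not_detected and so on) are this script's own, the latin-1 file encoding is an assumption, and SAMPLE_INI is a constructed fragment. After writing the file, stop and start the BlackICE engine as the Known Issues entries instruct.

```python
"""Apply or verify the blackice.ini workarounds from the Known Issues section.

Added example, not IBM ISS code. Assumptions: blackice.ini is a flat
"key = value" file with no [sections], and keys and values compare
case-insensitively.
"""
from __future__ import annotations

import re
import sys
from collections.abc import Iterable
from pathlib import Path

# Workaround lines quoted from the Known Issues section, grouped under labels
# that are this script's own (they are not BlackICE setting names).
WORKAROUNDS: dict[str, dict[str, str]] = {
    "nt4_floppy_inaccessible": {"starting.i": "101"},
    "win98_dialup_or_vpn_fails": {"restart.whenDeviceChg": "false"},
    "adapter_not_detected": {"adapter.override": "true"},
    "red_slash_on_dialup": {
        "restart.whenDeviceChg": "false",
        "startup.crashdelay": "disabled",
    },
}

# Matches "key = value" or "key=value", keeping the original spacing in groups
# 1, 3 and 5 so a rewritten line keeps the file's style. Lines that do not
# match (blank lines, comments, anything else) are passed through untouched.
_SETTING = re.compile(r"^(\s*)([A-Za-z0-9_.]+)(\s*=\s*)(.*?)(\s*)$")

# Constructed sample fragment for the demo; not a real blackice.ini.
SAMPLE_INI = "adapter.override = false\r\nstarting.i=100\r\n"


def required_settings(names: Iterable[str]) -> dict[str, str]:
    """Merge the settings of the chosen workaround groups; unknown labels raise."""
    merged: dict[str, str] = {}
    for name in names:
        if name not in WORKAROUNDS:
            raise ValueError(f"unknown workaround {name!r}; choose from {sorted(WORKAROUNDS)}")
        merged.update(WORKAROUNDS[name])
    return merged


def apply_workarounds(text: str, names: Iterable[str]) -> tuple[str, dict[str, tuple[str | None, str]]]:
    """Return (new_text, changes); changes maps key -> (old value or None, new value).

    Existing lines keep their position, spacing and line ending; keys that are
    absent are appended at the end. Running this twice changes nothing.
    """
    wanted = required_settings(names)
    by_lower = {key.lower(): key for key in wanted}
    newline = "\r\n" if "\r\n" in text else "\n"
    changes: dict[str, tuple[str | None, str]] = {}
    seen: set[str] = set()
    out: list[str] = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        match = _SETTING.match(body)
        if match and match.group(2).lower() in by_lower:
            key = by_lower[match.group(2).lower()]
            seen.add(key)
            old, new = match.group(4), wanted[key]
            if old.lower() != new.lower():
                changes[key] = (old, new)
                body = f"{match.group(1)}{match.group(2)}{match.group(3)}{new}{match.group(5)}"
            line = body + eol
        out.append(line)
    # An appended key must start on its own line even if the file lacked a final newline.
    if out and not out[-1].endswith(("\n", "\r")):
        out[-1] += newline
    for key, value in wanted.items():
        if key not in seen:
            changes[key] = (None, value)
            out.append(f"{key} = {value}{newline}")
    return "".join(out), changes


def check_workarounds(text: str, names: Iterable[str]) -> dict[str, bool]:
    """True for each required key whose current value already matches the workaround."""
    wanted = required_settings(names)
    current: dict[str, str] = {}
    for line in text.splitlines():
        match = _SETTING.match(line)
        if match:
            current[match.group(2).lower()] = match.group(4).lower()
    return {key: current.get(key.lower()) == value.lower() for key, value in wanted.items()}


def demo() -> tuple[str, dict[str, tuple[str | None, str]]]:
    """Apply two workaround groups to the constructed sample and return the result."""
    return apply_workarounds(SAMPLE_INI, ["adapter_not_detected", "red_slash_on_dialup"])


if __name__ == "__main__":
    # Usage: apply_workarounds.py <path to blackice.ini> <workaround label>...
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <blackice.ini> <label>...  labels: {' '.join(WORKAROUNDS)}")
    path = Path(sys.argv[1])
    # latin-1 round-trips any byte, so the file is never corrupted by decoding (assumed encoding).
    new_text, changed = apply_workarounds(path.read_text(encoding="latin-1"), sys.argv[2:])
    with path.open("w", encoding="latin-1", newline="") as fh:  # newline="" keeps CRLF as written
        fh.write(new_text)
    for key, (old, new) in changed.items():
        print(f"{key}: {old!r} -> {new!r}")
    if not changed:
        print("no changes needed")
```

Run it as `python apply_workarounds.py "C:\path\to\blackice.ini" adapter_not_detected` after backing the file up; use check_workarounds from another script to audit a fleet of machines before deciding which labels to push. Matching on the regex rather than Python's configparser is deliberate: configparser requires section headers and rewrites the whole file in its own style, whereas the README's examples show bare lines whose exact spelling is worth preserving.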