BlackICE PC Protection Content Update 3.6.cqy - README
=====================================================================
Last modified: 08 April 2008
© Copyright IBM Corporation 1998, 2008. All rights reserved worldwide.

PLEASE READ THIS DOCUMENT IN ITS ENTIRETY.
=====================================================================

CONTENTS
=====================================================================
- Description
- System requirements
- Applying updates
- Getting the latest related documentation
- Customer Support
- Known issues
- New signatures added in this release

---------------------------------------------------------------------

DESCRIPTION
=====================================================================
This release contains 21 new event(s) and 3 new blocking response(s).

SYSTEM REQUIREMENTS
=====================================================================
- Hardware: Pentium class computer.
- OS:
    Windows 98 (retail, SP1, Second Edition)
    Windows NT 4 (SP5, SP6, SP6a)
    Windows 2000 (SP1, SP2, SP3, SP4)
    Windows ME
    Windows XP Pro (SP1) / Home (SP1)
    Windows XP Pro (SP2) / Home (SP2)
- Memory:
    Minimum: 16MB
    Recommended: 64MB
- Disk space: A minimum of 10MB. This includes 2.5 MB allocated for
  logging trace files.
- Other: System must be using the following:
    - Internet Explorer 5.0 or later.
APPLYING UPDATES
=====================================================================
Apply this update through the agent installation package.

GETTING THE LATEST RELATED DOCUMENTATION
=====================================================================
Documentation for BlackICE PC Protection can be found at the following
Web address:
    http://www.iss.net/support/documentation

CUSTOMER SUPPORT
=====================================================================
Support for this release is available by sending an e-mail to:
    e-mail: support-l1@networkice.com
and following the support e-mail guidelines on the web page:
    http://blackice.iss.net/customer_support.php

When submitting a support request via e-mail, put the category of the
issue you are experiencing and your license key in the subject heading
of your e-mail. For example:
    QUESTION: 0123456-RS-12345

You can use any one of the following categories:
- CRASH         : BlackICE is causing your system to crash or hang
- QUESTION      : ask a question
- OPERATION     : report an issue regarding one of BlackICE's functions
                  or features
- NEW INSTALL   : you are experiencing an install issue
- UPDATE INSTALL: you are attempting to update your BlackICE installation
                  and are experiencing difficulties doing so
- FEATURE       : to suggest features you would like to see in BlackICE
- OTHER         : to request support for an issue that doesn't fit any of
                  the above categories

Make sure to include the following files when requesting technical
support:
- attack-list.csv
- blackd.log
- blackd-old.log
- blackice.ini
- firewall.ini
- sigs.ini
- protect.ini
- checksum.txt
- actlcl.txt
- filelock.txt
- rapapp.log
- rapapp-old.log
- license.key

To provide feedback on this readme, send an e-mail to readme@iss.net

KNOWN ISSUES
=====================================================================
- Customers may see false positives with Excel_File_Import_Code_Exec.
  Profiling of the customers' traffic should be performed before enabling
  blocking.
- We are investigating a rare false positive in
  MDB_Jet_Engine_Stack_Overflow. Use caution when enabling blocking for
  this issue.

- The InstallShield installation of BlackICE PC Protection hangs at the
  end of the install on Windows XP SP1 and SP2. You may see the following
  error:
      An error occurred while launching the setup
      The remote procedure call failed
  In this case, you can use the Windows Task Manager to manually terminate
  the hung InstallShield process at the end of the install without any
  adverse effects. For more information, please see the following
  Knowledge Base article:
      https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3812

- When you update from 2.9 to 3.5 or 3.6, your preferences in the BlackICE
  Attacks and Intruders windows (i.e. the field and column width
  specifications) are not saved. Your settings on the Preferences tab are
  not saved either.
  Workaround: Note your settings before updating your copy of BlackICE.

- If you have enabled ACPI power management, BlackICE does not let
  Windows 98/Me automatically go into Hibernate mode, and on some systems
  not even Standby mode.
  Workaround: You can manually put your computer into Standby or Hibernate
  mode. We are working on a solution.

- On Windows Me, restore points are not created automatically.
  Workaround: Periodically set restore points manually.

- For Windows NT 4: Under certain situations, the floppy drive is
  inaccessible when the agent is installed.
  Workaround: Add the following line to blackice.ini:
      starting.i=101
  After saving and closing blackice.ini, stop and start the BlackICE
  service in the service list.

- For Windows 98, when using Dial Up Networking or establishing a VPN
  connection: Under certain conditions, establishing the dial-up or VPN
  connection fails.
  Workaround: Add the following line to blackice.ini:
      restart.whenDeviceChg = false

- Under rare conditions, the agent may not detect your computer's network
  adapter(s). This means that although your computer can communicate on
  the network, BlackICE fails to see the network traffic and therefore
  fails to protect your system.
  Workaround: Add the following line to blackice.ini:
      adapter.override = true
  Save and close blackice.ini, then stop and start the BlackICE engine.

- When you use the Communications Control in the Advanced Application
  Protection Settings to terminate or block network access of a trusted
  application, and that application uses a secondary trusted application
  to access the Internet, the secondary application is not terminated or
  blocked.
  Workaround: Use the Applications Control and change the setting for the
  primary application from allow to terminate. The primary application is
  then terminated and cannot use the secondary application to access the
  Internet.

- When using Fast User Switching on Windows XP, if an unknown or modified
  application is launched by the second user, the Application Protection
  prompts appear only for the first user logged into the system.
  Workaround: Switch back to the first user and answer the Application
  Protection prompts.

- Under rare conditions the baseline does not complete properly due to a
  virtual memory error.
  Workaround: Free up disk space on your computer and reboot the system so
  Windows can allocate the proper amount of virtual memory.

- When uninstalling on Windows 98 and Me, you may see one or more "Unknown
  Application" prompts referencing various InstallShield files such as
  isrt.dll and ikernel.exe. This may occur when uninstalling any
  application which uses InstallShield, not just BlackICE. As part of
  InstallShield's bootstrapping process, it unpacks and runs various files
  in a temporary directory. These files are not part of the file system
  baseline, so the Application Protection feature triggers on them.
  Workaround: Put Application Protection into "Install Mode" using the
  button on the "Unknown Application" dialog, or just allow the triggered
  file to continue (do not terminate the file, or your uninstall will also
  be terminated).

- The agent is not compatible with VMware. Running this agent in a VMware
  environment could result in unpredictable system behavior.

- On some notebook computers configured to go into standby when there is
  a lack of computer activity (e.g. disk, keyboard, and mouse activity),
  the agent may prevent the system from going into standby because of its
  own disk activity.

- The agent may prevent certain PDAs from synchronizing. If this happens,
  stop the BlackICE engine.

- Versions of Cookie Crusher earlier than Version 2.5 are incompatible
  with this agent. Removing Cookie Crusher fixes the problem.

- If you are having difficulties performing SCANDISK or DEFRAG, stop the
  BlackICE engine. When your computer is busy receiving network traffic,
  so is BlackICE, and it is also busy logging information to your disk.
  SCANDISK or DEFRAG may not finish when your disk drive is in use.

- Under certain situations, you may see the RED slash across the BlackICE
  system tray icon. These situations include:
    - You invoked BlackICE Engine/Stop BlackICE Engine.
    - The BlackICE engine is in startup delay. BlackICE has determined
      that, for some reason, the system was abruptly or unexpectedly shut
      down in a prior computer session.
    - BlackICE has detected a network device insertion event and is
      restarting to accommodate the new device. In this case the red slash
      is temporary and disappears after a few seconds. For example, if you
      access the Internet via a dial-up modem, it is very likely that you
      will see the red slash appear every time you connect to the
      Internet. If you don't want this to occur, consider adding the
      following lines to the blackice.ini file:
          restart.whenDeviceChg = false
          startup.crashdelay = disabled
    - Your system has become busy to the point where the agent user
      interface is temporarily unable to communicate with the BlackICE
      engine.
      If this is the case, you will see the red slash for only a short
      period with no lapse in system protection from the BlackICE engine.
    - The BlackICE engine has terminated unexpectedly.

- Applications that operate in a 16-bit environment may not be detected
  properly in Win98/WinMe. IBM ISS recommends that you avoid running these
  applications due to their inherent security weaknesses.

1. New Security Content For 3.6.cqy
---------------------------------------------------------------
IssueID SecChkID ProductCheckName                           Event Type                  Risk Level
------- -------- ------------------------------------------ --------------------------- ----------
2101032 37460    SNMP_Nagios_Plugins_CheckSNMP_BO           Unauthorized Access Attempt High
2114097 38499    MDB_Jet_Engine_Stack_Overflow              Unauthorized Access Attempt High
2118122 38643    HTML_Mozilla_XBL_Exec                      Unauthorized Access Attempt High
2101029 39697    QuickTime_Image_Description_Code_Execution Unauthorized Access Attempt High
2101030 39778    Ultravox_Winamp_MP3_BO                     Unauthorized Access Attempt High
2122030 40056    MS_Encoded_Script_Overflow                 Unauthorized Access Attempt High
2110163 40200    HTML_Yahoo_DataGrid_BO                     Unauthorized Access Attempt High
2110164 40202    HTML_Yahoo_MediaGrid_BO                    Unauthorized Access Attempt High
2118126 40431    MSRPC_Spoolss_EnumPrinters_Bo              Unauthorized Access Attempt High
2118123 40838    JavaScript_RisingScanner_UpdateEngine      Unauthorized Access Attempt High
2118124 40844    JavaScript_Quantum_UploadLogs_Bo           Unauthorized Access Attempt High
2118125 40863    HTML_DLink_ShmAudio_BO                     Unauthorized Access Attempt High
2106291 40923    SIP_Inconsistent_Contact_IP_Address        Protocol Signature          Low
2106292 40925    SIP_SDP_Connection_IP_Mismatch             Protocol Signature          Low
2106289 40928    SIP_Contact_From_Id_Mismatch               Protocol Signature          Low
2106290 40934    SIP_Header_XSS                             Protocol Signature          Medium
2106287 40935    SIP_SQL_Injection                          Suspicious Activity         High
2106288 41357    SIP_Shell_Command_Injection                Unauthorized Access Attempt High
2101033 41471    Image_EMF_GDI_Header_Overflow              Unauthorized Access Attempt High
2101034 41472    Image_EMF_GDI_Filename_Overflow            Unauthorized Access Attempt High
2118127 41476    HTTP_IE_FileViewer_Code_Exec               Unauthorized Access Attempt High

2. Security Content Improvements in 3.6.cqy
---------------------------------------------------------------
- A false positive in Image_EMF_Integer_Overflow caused by negative
  rectangle dimensions has been corrected.
- A false positive in SQL_Injection, wherein DML and DDL modifiers were
  counted without first seeing DML or DDL keywords, was corrected.
- A false positive in Spyware_PH_GameSpyArcade was corrected.
- A false positive in JavaScript_Large_Unescape, wherein the overall size
  of the data associated with the unescape was used to trigger the event
  rather than the number of specific patterns detected, was corrected. The
  false positive would occur when a large amount of normal text was
  detected in the unescape function. The associated tuning parameter,
  pam.javascript.unescape.limit, has been updated to reflect an
  appropriate value for this fix.
- The MSN Messenger parser was enhanced to handle the new method of file
  transfer over port 1863.
- SQL_Injection signature detection was improved when processing SELECT
  statements.
- The tuning parameter pam.mdb.scan.limit was being consulted incorrectly;
  this has been fixed, and its default value is now 12288.
- HTML_IE_ActiveX_Loader_Heap_Corruption has been updated with new Class
  IDs.
- Fixed a false negative in Gnutella_LimeWire so that SSL negotiations are
  detected.

3. Event Blocking Notes
---------------------------------------------------------------
3.1 Blocking was added for the following events:

    SecChkID ProductCheckName
    -------- -------------------------------
    41471    Image_EMF_GDI_Header_Overflow
    41472    Image_EMF_GDI_Filename_Overflow
    41476    HTTP_IE_FileViewer_Code_Exec

3.2 Blocking was removed for the following events:

    SecChkID ProductCheckName
    -------- -------------------------------

4. Other Updates
---------------------------------------------------------------
- Signatures SIP_Inconsistent_Contact_IP_Address and
  SIP_SDP_Connection_IP_Mismatch were changed from audits to severity Low
  events.

5. Other Bug Fixes
---------------------------------------------------------------
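The JavaScript_Large_Unescape item in section 2 contrasts a size-based trigger with a pattern-count trigger. As an added illustration (not IBM ISS code and not the actual signature logic), the following Python sketch implements both heuristics over constructed inputs; the escape-sequence pattern and the UNESCAPE_LIMIT value are assumptions standing in for the real patterns and for pam.javascript.unescape.limit, whose value this README does not state.

```python
import re

# Hypothetical stand-in for the pam.javascript.unescape.limit tuning
# parameter; the README does not give its real value.
UNESCAPE_LIMIT = 64

# Assumed "specific patterns": percent-encoded byte (%XX) and Unicode
# (%uXXXX) escapes, i.e. the sequences unescape() actually consumes.
ESCAPE_PATTERN = re.compile(r"%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}")

# Matches unescape("...") / unescape('...') and captures the literal.
UNESCAPE_CALL = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)


def unescape_args(script: str) -> list:
    """Return the string literal passed to each unescape() call."""
    return [m.group(2) for m in UNESCAPE_CALL.finditer(script)]


def old_size_based(script: str) -> bool:
    """Pre-fix heuristic: alert when an unescape argument is large,
    regardless of content, so long runs of plain text also alert."""
    return any(len(arg) > UNESCAPE_LIMIT for arg in unescape_args(script))


def new_pattern_count(script: str) -> bool:
    """Fixed heuristic: alert only when the argument contains more than
    UNESCAPE_LIMIT escape sequences, i.e. a large encoded blob."""
    return any(len(ESCAPE_PATTERN.findall(arg)) > UNESCAPE_LIMIT
               for arg in unescape_args(script))


# Constructed samples (not taken from real traffic).
BENIGN = 'var msg = unescape("' + "This is ordinary page text. " * 10 + '");'
ENCODED = 'var s = unescape("' + "%u4141" * 100 + '");'
SMALL = 'var t = unescape("%41%42");'

if __name__ == "__main__":
    for name, js in (("benign", BENIGN), ("encoded", ENCODED), ("small", SMALL)):
        print(name, "old:", old_size_based(js), "new:", new_pattern_count(js))
```

Only the encoded sample alerts under both heuristics; the benign block of text alerts under the old size check alone, which is the false positive the fix removes.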