BlackICE Server Protection Content Update 3.6.cqy - README
=====================================================================
Last modified: 08 April 2008
© Copyright IBM Corporation 1998, 2008. All rights reserved worldwide.

PLEASE READ THIS DOCUMENT IN ITS ENTIRETY.
=====================================================================

CONTENTS
=====================================================================
- Description
- System requirements
- Applying updates
- Getting the latest related documentation
- Customer Support
- Known issues
- New signatures added in this release
---------------------------------------------------------------------

DESCRIPTION
=====================================================================
This release contains 21 new events and 3 new blocking responses.

SYSTEM REQUIREMENTS
=====================================================================
Hardware:   Pentium-class computer.
OS:         Windows NT 4 (SP5, SP6, SP6a)
            Windows 2000 (SP1, SP2, SP3, SP4)
Memory:     Minimum: 16 MB. Recommended: 64 MB.
Disk Space: A minimum of 10 MB. This includes 2.5 MB allocated for
            logging trace files.
Other:      System must be using Internet Explorer 5.0 or later.
APPLYING UPDATES
=====================================================================
Apply this update through the agent installation package.

GETTING THE LATEST RELATED DOCUMENTATION
=====================================================================
Documentation for BlackICE Server Protection can be found at the
following Web address:
http://www.iss.net/support/documentation

CUSTOMER SUPPORT
=====================================================================
Support for this release is available by e-mail:
e-mail: support-l1@networkice.com
Follow the support e-mail guidelines on the Web page:
http://blackice.iss.net/customer_support.php

When submitting a support request via e-mail, put the category of the
issue you are experiencing and your license key in the subject heading
of your e-mail. For example:
QUESTION: f6MljWhIFRvbSCG/G3nSPAC000B23A

You can use any one of the following categories:
- CRASH          : BlackICE is causing your system to crash or hang
- QUESTION       : ask a question
- OPERATION      : report an issue regarding one of BlackICE's
                   functions or features
- NEW INSTALL    : you are experiencing an install issue
- UPDATE INSTALL : you are attempting to update your BlackICE
                   installation and are experiencing difficulties
                   doing so
- FEATURE        : to suggest features you would like to see in
                   BlackICE
- OTHER          : to request support for an issue that doesn't fit
                   any of the above categories

Make sure to include the following files when requesting technical
support:
- attack-list.csv
- blackd.log
- blackd-old.log
- blackice.ini
- firewall.ini
- sigs.ini
- protect.ini
- checksum.txt
- filelock.txt
- actlcl.txt
- rapapp.log
- rapapp-old.log
- license.key

To provide feedback on this readme, send an e-mail to readme@iss.net

KNOWN ISSUES
=====================================================================
- Customers may see false positives with Excel_File_Import_Code_Exec.
  Profile the customers' traffic before enabling blocking for this
  event.
- We are investigating a rare false positive in
  MDB_Jet_Engine_Stack_Overflow. Use caution when enabling blocking for
  this event.
- The InstallShield installation of BlackICE Server Protection hangs at
  the end of the install on Windows XP SP1 and SP2. You may see the
  following error:
      An error occurred while launching the setup
      The remote procedure call failed
  In this case, you can use the Windows Task Manager to manually
  terminate the hung InstallShield process at the end of the install
  without any adverse effects. For more information, please see the
  following Knowledge Base article:
  https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3812
- When you update from 2.9 to 3.6, your preferences in the BlackICE
  Attacks and Intruders windows are not saved (i.e. the field and
  column width specifications). Your settings on the Preferences tab
  are not saved either.
  Workaround: Note your settings before updating your copy of BlackICE.
- For WinNT 4: Under certain situations, the floppy drive is
  inaccessible when the agent is installed.
  Workaround: Add the following line to blackice.ini:
      starting.i=101
  After saving and closing blackice.ini, stop and start the BlackICE
  service in the service list.
- Under rare conditions, BlackICE may not detect your computer's
  network adapter(s). This means that although your computer can
  communicate on the network, BlackICE fails to see the network traffic
  and therefore fails to protect your system.
  Workaround: Add the following line to blackice.ini:
      adapter.override=enabled
  Save and close blackice.ini, then stop and start the BlackICE engine.
- If you install BlackICE on a server that has been upgraded from
  Windows NT 4.0 Terminal Server to Windows 2000, you will see a red
  slash on the BlackICE systray icon. Additionally, an 'Installation
  Failure' event (ID 13) will be generated in the BlackICE UI.
  Workaround: Properly uninstall BlackICE using Add/Remove Programs
  under the Control Panel. From Add/Remove Programs, select Add New
  Programs, then select CD or Floppy, select Next, and enter the path
  to the agent install executable or use Browse to locate it. Select
  Next and the standard BlackICE install will begin. Once it has
  completed, select Next in the window you started the install in, and
  then click Finish to complete the process.
- When using Communications Control in the Advanced Application
  Protection Settings to terminate or block network access of a trusted
  application, and that application uses a secondary trusted
  application to access the Internet, the secondary application will
  not be terminated or blocked.
  Workaround: Use Applications Control and change the setting for the
  primary application from allow to terminate. The primary application
  will be terminated and cannot use the secondary application to access
  the Internet.
- When using the Terminal Server client on Win2K, the Application
  Protection prompts appear only for the first user logged into the
  system if an unknown or modified application is launched by the
  second user.
  Workaround: Answer the Application Protection prompts at the local
  station.
- Under rare conditions the baseline does not complete properly due to
  a virtual memory error.
  Workaround: Free up disk space on your computer and reboot the system
  so Windows can allocate the proper amount of virtual memory.
- When uninstalling on Windows 98 and Me, you may see one or more
  "Unknown Application" prompts referencing various InstallShield files
  such as isrt.dll and ikernel.exe. This may occur when uninstalling any
  application which uses InstallShield, not just BlackICE. As part of
  InstallShield's bootstrapping process, it unpacks and runs various
  files in a temporary directory. These files are not part of the file
  system baseline, so the Application Protection feature will trigger
  on them.
  Workaround: Put Application Protection into "Install Mode" using the
  button on the "Unknown Application" dialog, or simply allow the
  triggered file to continue (do not terminate the file, or your
  uninstall will also be terminated).
- If you are having difficulties running SCANDISK or DEFRAG, stop the
  BlackICE engine. When your computer is busy receiving network
  traffic, BlackICE Server Protection is busy too, logging information
  to your disk. SCANDISK or DEFRAG may not finish while your disk drive
  is in use.
- Under certain situations, you may see the RED slash across the system
  tray icon. These situations include:
  - You invoked BlackICE Engine/Stop BlackICE Engine.
  - The BlackICE engine is in startup delay. BlackICE Server Protection
    has determined that for some reason the system was abruptly or
    unexpectedly shut down in a prior computer session.
  - Your system has become busy to the point where the agent user
    interface is temporarily unable to communicate with the BlackICE
    engine. If this is the case, you will see the red slash for only a
    short period with no lapse in system protection from the BlackICE
    engine.
  - The BlackICE engine has terminated unexpectedly.
- If a Terminal Services session is established when APM is active, the
  APM prompts will only be displayed on the local computer, not within
  the Terminal Services client.

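Two of the workarounds in the list above are hand edits to blackice.ini: starting.i=101 for the WinNT 4 floppy issue, and adapter.override=enabled when the engine cannot see the network adapters and the host is therefore unprotected. The helper below is an added example, not part of the BlackICE package or ISS's own tooling. It applies those two settings without duplicating keys, so it can be re-run safely on a machine that was already patched. It assumes blackice.ini is a flat key=value text file, as the workaround lines suggest; comments, blank lines and any section headers are passed through untouched. The names set_ini_keys and patch_file and the sample file contents are constructed for this example. Stopping and starting the BlackICE engine afterwards is still a manual step.

```python
"""Apply the blackice.ini workarounds from the Known Issues list.

Added example, not BlackICE code. Assumes blackice.ini is a flat
"key=value" text file; anything that is not such a line (comments,
blank lines, section headers) is passed through unchanged.
"""
from pathlib import Path

# The two workaround settings named in the Known Issues list.
WORKAROUNDS = {
    "starting.i": "101",            # WinNT 4: floppy drive inaccessible
    "adapter.override": "enabled",  # engine does not see the adapters
}


def _key_of(line):
    """Return the key of a 'key=value' line, or None for any other line."""
    stripped = line.strip()
    if not stripped or stripped[0] in ";#[" or "=" not in stripped:
        return None
    return stripped.split("=", 1)[0].strip()


def set_ini_keys(text, settings):
    """Return `text` with every key in `settings` present exactly once.

    An existing line for a key is rewritten in place (even if it already
    carries a different value), repeated occurrences of that key are
    dropped so the engine cannot read a stale value, unrelated lines are
    preserved verbatim, and missing keys are appended at the end.
    Running it again on its own output changes nothing.
    """
    pending = dict(settings)
    out = []
    for line in text.splitlines():
        key = _key_of(line)
        if key in pending:
            out.append("%s=%s" % (key, pending.pop(key)))
        elif key in settings:
            continue  # duplicate of a key we already emitted
        else:
            out.append(line)
    for key, value in pending.items():  # keys the file did not have yet
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def patch_file(path, settings=WORKAROUNDS):
    """Rewrite the file at `path` if needed; True when it was changed."""
    path = Path(path)
    original = path.read_text(encoding="latin-1")  # round-trips any byte
    updated = set_ini_keys(original, settings)
    if updated == original:
        return False
    path.write_text(updated, encoding="latin-1")
    return True


if __name__ == "__main__":
    # Constructed sample, not a real blackice.ini.
    sample = "; constructed sample\nstarting.i=100\nsome.other=1\n"
    print(set_ini_keys(sample, WORKAROUNDS), end="")
```

Run patch_file against a copy of blackice.ini first and diff the result; the only differences should be the two keys. After restarting the engine, the red slash on the systray icon should be gone, which is the visible sign the engine is up.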
1. New Security Content For 3.6.cqy
---------------------------------------------------------------
IssueID  SecChkID  ProductCheckName                            Event Type                   Risk Level
-------  --------  ------------------------------------------  ---------------------------  ----------
2101032  37460     SNMP_Nagios_Plugins_CheckSNMP_BO            Unauthorized Access Attempt  High
2114097  38499     MDB_Jet_Engine_Stack_Overflow               Unauthorized Access Attempt  High
2118122  38643     HTML_Mozilla_XBL_Exec                       Unauthorized Access Attempt  High
2101029  39697     QuickTime_Image_Description_Code_Execution  Unauthorized Access Attempt  High
2101030  39778     Ultravox_Winamp_MP3_BO                      Unauthorized Access Attempt  High
2122030  40056     MS_Encoded_Script_Overflow                  Unauthorized Access Attempt  High
2110163  40200     HTML_Yahoo_DataGrid_BO                      Unauthorized Access Attempt  High
2110164  40202     HTML_Yahoo_MediaGrid_BO                     Unauthorized Access Attempt  High
2118126  40431     MSRPC_Spoolss_EnumPrinters_Bo               Unauthorized Access Attempt  High
2118123  40838     JavaScript_RisingScanner_UpdateEngine       Unauthorized Access Attempt  High
2118124  40844     JavaScript_Quantum_UploadLogs_Bo            Unauthorized Access Attempt  High
2118125  40863     HTML_DLink_ShmAudio_BO                      Unauthorized Access Attempt  High
2106291  40923     SIP_Inconsistent_Contact_IP_Address         Protocol Signature           Low
2106292  40925     SIP_SDP_Connection_IP_Mismatch              Protocol Signature           Low
2106289  40928     SIP_Contact_From_Id_Mismatch                Protocol Signature           Low
2106290  40934     SIP_Header_XSS                              Protocol Signature           Medium
2106287  40935     SIP_SQL_Injection                           Suspicious Activity          High
2106288  41357     SIP_Shell_Command_Injection                 Unauthorized Access Attempt  High
2101033  41471     Image_EMF_GDI_Header_Overflow               Unauthorized Access Attempt  High
2101034  41472     Image_EMF_GDI_Filename_Overflow             Unauthorized Access Attempt  High
2118127  41476     HTTP_IE_FileViewer_Code_Exec                Unauthorized Access Attempt  High

2. Security Content Improvements in 3.6.cqy
---------------------------------------------------------------
- A false positive in Image_EMF_Integer_Overflow caused by negative
  rectangle dimensions has been corrected.
- A false positive in SQL_Injection, wherein DML and DDL modifiers were
  counted without first seeing DML or DDL keywords, was corrected.
- A false positive in Spyware_PH_GameSpyArcade was corrected.
- A false positive in JavaScript_Large_Unescape, wherein the overall
  size of the data associated with the unescape was used to trigger
  the event rather than the number of specific patterns detected, was
  corrected. The false positive would occur when a large amount of
  normal text was passed to the unescape function. The associated
  tuning parameter, pam.javascript.unescape.limit, has been updated to
  reflect an appropriate value for this fix.
- The MSN Messenger parser was enhanced to handle the new way of
  transferring files over port 1863.
- SQL_Injection signature detection was improved when processing
  SELECT.
- The tuning parameter pam.mdb.scan.limit was being consulted
  incorrectly; this has been fixed, and its default value is now 12288.
- HTML_IE_ActiveX_Loader_Heap_Corruption has been updated with new
  Class IDs.
- Fixed a false negative in Gnutella_LimeWire so that SSL negotiations
  are detected.

3. Event Blocking Notes
---------------------------------------------------------------
3.1 Blocking was added for the following events:

SecChkID  ProductCheckName
--------  -------------------------------
41471     Image_EMF_GDI_Header_Overflow
41472     Image_EMF_GDI_Filename_Overflow
41476     HTTP_IE_FileViewer_Code_Exec

3.2 Blocking was removed for the following events:

SecChkID  ProductCheckName
--------  -------------------------------
(none)

4. Other Updates
---------------------------------------------------------------
- Signatures SIP_Inconsistent_Contact_IP_Address and
  SIP_SDP_Connection_IP_Mismatch were changed from audits to
  severity Low events.

5. Other Bug Fixes
---------------------------------------------------------------
(none)

=====================================================================
=====================================================================
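The JavaScript_Large_Unescape change in section 2 replaces a size-based trigger with a pattern-count trigger. The script below is an added example of that difference and is not BlackICE/PAM code: the escape sequences it counts (%uXXXX and %XX, the building blocks of a heap spray), the placeholder LIMIT, and the two sample scripts are all assumptions constructed here, standing in for whatever pam.javascript.unescape.limit actually tunes. A large block of ordinary prose inside unescape("...") fires the old rule and not the new one, while a spray of %u escapes fires both.

```python
"""Size-based versus pattern-count detection for JavaScript unescape().

Added example for the JavaScript_Large_Unescape change described in
section 2; it is not BlackICE/PAM code. Which escape sequences are
counted and the limit value are assumptions standing in for what
pam.javascript.unescape.limit tunes in the real engine.
"""
import re

# The quoted string literal handed to unescape("...") / unescape('...').
_UNESCAPE_CALL = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)', re.S)
# The percent-escapes heap-spray payloads are built from: %uXXXX or %XX.
_ESCAPE_SEQ = re.compile(r'%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}')


def unescape_literals(script):
    """All string literals passed directly to unescape() in `script`."""
    return [m.group(2) for m in _UNESCAPE_CALL.finditer(script)]


def data_size(script):
    """Old trigger input: the largest unescape() argument, in characters."""
    return max((len(s) for s in unescape_literals(script)), default=0)


def escape_count(script):
    """New trigger input: the most escape sequences in one argument."""
    return max((len(_ESCAPE_SEQ.findall(s)) for s in unescape_literals(script)),
               default=0)


def old_rule_fires(script, limit):
    """Before the fix: any large unescape() argument fires, even plain text."""
    return data_size(script) > limit


def new_rule_fires(script, limit):
    """After the fix: only a large number of escape sequences fires."""
    return escape_count(script) > limit


# Constructed samples, not captured traffic.
BENIGN_TEXT = "The quick brown fox jumps over the lazy dog. " * 70 + "%20%20"
BENIGN_SCRIPT = 'var text = unescape("' + BENIGN_TEXT + '");'
SPRAY_SCRIPT = "var sc = unescape('" + "%u9090" * 1200 + "');"
LIMIT = 1024  # placeholder threshold, not the real parameter value


if __name__ == "__main__":
    for name, script in (("benign", BENIGN_SCRIPT), ("spray", SPRAY_SCRIPT)):
        print(name, data_size(script), escape_count(script),
              old_rule_fires(script, LIMIT), new_rule_fires(script, LIMIT))
```

Because the two rules measure different things (characters versus escape sequences), a limit tuned for one is meaningless for the other, which is why the readme says the tuning parameter was updated alongside the fix. This example only inspects a single string literal; a payload assembled by concatenation or built up in a loop before the unescape() call would need the engine's JavaScript parser rather than a regular expression.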
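The SQL_Injection false positive in section 2 came from counting DML/DDL modifiers (clause words such as FROM, WHERE, SET) before any DML/DDL keyword had been seen, so ordinary English in a form field could score like a query. The script below is an added example of that keyword-gated scoring and is not BlackICE/PAM code; the keyword and modifier lists, the placeholder THRESHOLD, and the two URL-encoded sample parameters are assumptions constructed to show the mechanism.

```python
"""Keyword-gated scoring for an SQL_Injection-style signature.

Added example for the SQL_Injection change described in section 2; it is
not BlackICE/PAM code. The keyword and modifier lists and the threshold
are assumptions chosen to show the mechanism.
"""
import re
from urllib.parse import unquote_plus

# DML/DDL statement keywords: a real query has to contain one of these.
KEYWORDS = {"select", "insert", "update", "delete", "drop", "alter",
            "create", "union"}
# Clause words that only mean something once a statement keyword is seen.
MODIFIERS = {"from", "where", "into", "set", "table", "values", "having"}


def tokens(param):
    """URL-decode a request parameter and split it into lowercase words."""
    return re.findall(r"[a-z_]+", unquote_plus(param).lower())


def old_score(param):
    """Before the fix: every keyword and modifier counts, wherever it is."""
    return sum(1 for t in tokens(param) if t in KEYWORDS or t in MODIFIERS)


def new_score(param):
    """After the fix: modifiers count only after a keyword has been seen."""
    score, armed = 0, False
    for t in tokens(param):
        if t in KEYWORDS:
            score, armed = score + 1, True
        elif t in MODIFIERS and armed:
            score += 1
    return score


THRESHOLD = 3  # placeholder, not the engine's real value


def old_rule_fires(param):
    return old_score(param) >= THRESHOLD


def new_rule_fires(param):
    return new_score(param) >= THRESHOLD


# Constructed samples, not captured traffic.
BENIGN_PARAM = "please+set+the+table+from+the+values+where+we+left+it"
INJECTION_PARAM = ("1%27+UNION+SELECT+username%2C+password+FROM+users"
                   "+WHERE+%271%27%3D%271")


if __name__ == "__main__":
    for name, p in (("benign", BENIGN_PARAM), ("injection", INJECTION_PARAM)):
        print(name, old_score(p), new_score(p),
              old_rule_fires(p), new_rule_fires(p))
```

The benign sentence carries five modifier words and no keyword, so it fires the old rule and scores zero under the new one; the UNION SELECT payload scores the same either way, because its FROM and WHERE follow the keywords. Decoding with unquote_plus before tokenising matters: the injection sample is URL-encoded as a browser would send it, and matching on the raw form would miss the quotes and the comma.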