IPS Shellcode (ET-emerging-shellcode) blocking Windows Update AMD GPU driver

I thought, I should report.

Symptom: The driver downloads and stalls at 98 or 99%.

Changing blocked to alarm lets the driver install successfully and thus not block other Windows 10 updates.

Please report the exact rule SID.

I don’t know what you mean by SID. In the error log I saw:

03/16/2021-17:31:24.557854 [Drop] [] [1:2012252:5] ET SHELLCODE Common 0a0a0a0a Heap Spray String [] [Classification: Executable code was detected] [Priority: 1] {TCP} 93.184.221.240:80 -> 192.168.x.y:59756

The rule I changed is as stated:

Hope that helps

Signature ID is 2012252, you can view it online at https://doc.emergingthreats.net/bin/view/Main/2012252.
Evebox brings you there too.

It’s a signature prone to false positives; I usually disable it by writing 1:2012252 in /etc/pulledpork/disablesid.conf

You should also add 1:2012962 for a similar heap spraying signature.
See the manual for further details.

It will not greatly decrease security; heap spraying is not an exploit itself, but a technique to ease exploiting. You could set the Shellcode category to alert instead of blocking.
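As an added example (not code from this thread, from pulledpork or from Suricata), the following Python parses fast.log lines like the one quoted above and checks them against disablesid.conf entries, so you can see which logged alerts a given disable list would silence before reloading the rules. The sample log lines are constructed (the first reproduces the quoted line with a made-up private address; the second is a constructed alert on a different SID), and only the plain `gid:sid` / bare `sid` entry forms of disablesid.conf are handled.

```python
import re
from collections import Counter

# Constructed fast.log sample: line 1 is the one quoted in the thread (private
# address replaced), line 2 is a constructed alert on a SID that stays enabled.
SAMPLE_FAST_LOG = """\
03/16/2021-17:31:24.557854 [Drop] [] [1:2012252:5] ET SHELLCODE Common 0a0a0a0a Heap Spray String [] [Classification: Executable code was detected] [Priority: 1] {TCP} 93.184.221.240:80 -> 192.168.1.10:59756
03/16/2021-17:32:01.000000 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:59800
"""
# The two entries recommended in the thread for /etc/pulledpork/disablesid.conf.
SAMPLE_DISABLESID = "# ET SHELLCODE heap-spray signatures (false-positive prone)\n1:2012252\n1:2012962\n"

# Suricata writes "[**]" around the gid:sid:rev block; the forum copy shows "[]", so accept both.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?:\[(?P<action>\w+)\] )?\[\**\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\**\] \[Classification: (?P<classification>[^\]]*)\] "
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_fast_log_line(line):
    """Return the fields of one fast.log line as a dict, or None if it does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "priority"):
        rec[k] = int(rec[k])
    return rec

def load_disablesid(text):
    """Parse 'gid:sid' or bare 'sid' entries (comma-separated, '#' comments) into a set of (gid, sid)."""
    disabled = set()
    for raw in text.splitlines():
        for item in raw.split("#", 1)[0].split(","):
            item = item.strip()
            if item:
                gid, _, sid = item.rpartition(":")
                disabled.add((int(gid) if gid else 1, int(sid)))  # bare sid means gid 1
    return disabled

def audit(log_text, disablesid_text):
    """Count, per gid:sid, which logged alerts the disablesid entries would silence and which remain."""
    disabled = load_disablesid(disablesid_text)
    result = {"silenced": Counter(), "kept": Counter()}
    for line in log_text.splitlines():
        rec = parse_fast_log_line(line)
        if rec:
            bucket = "silenced" if (rec["gid"], rec["sid"]) in disabled else "kept"
            result[bucket][f"{rec['gid']}:{rec['sid']}"] += 1
    return {k: dict(v) for k, v in result.items()}
```

Run `audit(SAMPLE_FAST_LOG, SAMPLE_DISABLESID)` to see the heap-spray drop counted as silenced while the other alert is kept.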


This kind of setting is still not available from the web interface, I suppose…

Thanks again for clarification. I learned something again. I added the entries and re-activated the ET-emerging-shellcode in IPS (blocked) and will observe how it works.