IPS Shellcode (ET-emerging-shellcode) blocking Windows Update AMD GPU driver

I thought, I should report.

Symptom: The driver downloads and stalls at 98 or 99%.

Changing blocked to alarm lets the driver install successfully and thus not block other windows 10 Updates.

Please report the exact rule SID.

I don’t know what you mean by sid. In error log I saw:

03/16/2021-17:31:24.557854 [Drop] [] [1:2012252:5] ET SHELLCODE Common 0a0a0a0a Heap Spray String [] [Classification: Executable code was detected] [Priority: 1] {TCP} -> 192.168.x.y:59756

The rule I changed is as stated:

Hopte that helps

Signature ID is 2012252, you can view it online at https://doc.emergingthreats.net/bin/view/Main/2012252.
Evebox brings you there too.

It’s a signature prone to false positives, I usually disable it writing 1:2012252 in /etc/pulledpork/disablesid.conf

You should also add 1:2012962 for a similar heap spraying signature.
See the manual for further details.

It will not greatly decrease security, heap spraying is not an exploit itself, but a technique to ease exploiting. You could set the Shellcode category to alert instead of blocking.


This kind of setting is still not available from web interface, i suppose…

Thanks again for clarification. I learned something again. I added the entries and re-activated the ET-emerging-shellcode in IPS (blocked) and will observe how it works.