This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ED
Advisor
‎2019-03-01 12:25 AM

Deactivate category threat year in IPS

Hi,

In IPS profile you can deactivate protections based on the category threat year. 

Here is an example of a protection:

Tags:

Vendor: 

Microsoft

Product: 

Office

Threat Year: 

2010

Protection Type: 

Vulnerability

Protocol: 

HTTP

Threat Description:

RTF provides a format for text and graphics interchange that can be used with different operating systems. A buffer overflow vulnerability has been identified in the way Microsoft Office parses Rich Text Format (RTF) files. The vulnerability is due to an error in Microsoft Office that fails to properly parse specially crafted RTF formatted data. A remote attacker could trigger this flaw by convincing a victim to open a malicious RTF file. Successful exploitation of this issue may corrupt system memory, allowing execution of arbitrary code on a vulnerable system.

Released 09/11/2010 and then last updated on 29/09/2016. If you had set that protections from threat year 2010 to be deactivated in your IPS profile thinking that something so old should be fixed/patched and it should be safe to deactivate. Assuming you did that in 2015 and then it got updated in 2016. Is this generally a bad idea to deactivate based on threat year? Would you in 2019 deactivate IPS protections with a threat year from 2010? I am also curious about what categories people in this community choose to deactivate in theirs IPS profile. If you can share your thoughts and experience with that I would appreciate that. Lets assume that resources on your firewall is not a dilemma and that you only use 1 IPS profile. 

5 Replies
Marco_Valenti
Advisor
‎2019-03-01 02:02 AM

I guess if you can' t update your ystem for 9 year ips won't save you anyway

0 Kudos
ED
Advisor
‎2019-03-01 02:20 AM
In response to Marco_Valenti

If we take the example above again which was released in 2010 and then 6 years later updated again at Check Point threatcloud for some reason. You decided in 2015 to deactivate protections which was 5 years back in time including this protection. In meantime you had not applied a Microsoft fix for this and this was an attack which made you vulnerable. It's just scenarios like these, can you comment on that? What are yours tips for deactivating categories in IPS profiles?

0 Kudos
Marco_Valenti
Advisor
‎2019-03-01 03:04 AM
In response to ED

This will intend that you have not made a microsoft update  in 5 year if I understand correctly , signature protection are based on very specific flaw of the software maybe check point improved that protection.You can always decide to take the risk and not update your software for more than 5 year , it is a possibility too.

Deactivating ips protecion should fit to your environment so you can decide to remove some server protection for software that are not in use into your organization , you should be able to do that for your client too.

Bottom line in my opinion as I said before if you don' t manage software update for more than 5 year or more don' t believe ips will save you but those are my two cents

0 Kudos
ED
Advisor
‎2019-03-01 03:14 AM
In response to Marco_Valenti

Marco, I see what I wrote above was not what I meant and can be misunderstood. I meant that you had previously applied Microsoft updates (until 2015) but not the updates after you decided to deactivate these protections (after 2015). And then CP comes with a protections for this in 2016 which makes it inactive. This is just hypothetical speaking imagining an example. 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-01 06:25 PM

Unless it has a high/critical performance impact, or it's an SMB platform, you're probably not buying much by deactivating older IPS protections.

0 Kudos