Nik_Bloemers
Advisor

IPS ver2 signatures

Hello CheckMates,

I often notice multiple versions of the same signature (same CVE), but marked with '- ver2' at the end of the name.
Should this be considered an improved signature of the original (hence it's better to make the normal one Inactive and use the ver2 one) or should this be considered more like a different attack vector for the same vulnerability?

It's a bit confusing since the old signatures don't get disabled or get something added in their description to clarify. Other times I see improved signatures marked explicitly with '- High confidence' or '- Improved confidence' at the end of the name.

So I decided I might as well go and ask 🙂

Kind regards,

Nik Bloemers

1 Reply
Omer_Shliva
Employee

Hi,

We recommend that customers use the Optimized Profile. It allows them to run the best Security profile, already tuned by Check Point’s IPS team.

In general, you can see that both protections (original and Ver2) have different dates and meta-data; this indicates that the actual detection differs between these 2 protections.

In cases where both protections (original and Ver2) are included in the Optimized profile, I would continue running both of them in order to get wider coverage.

Omer Shliva | Team Leader, AB Research Protections and IPS/AB Customer Focus Team
