Ddavila
Participant

Microsoft Updates Blocked by Threat Prevention | Chasys Draw IES BMP (CVE-2013-3928)

Hello everyone,

I'd like to share a discovery I made this week and would appreciate your opinion.

Technical support reported that they were having trouble updating Microsoft products, specifically the Office suite, using the Quick Installer, which performs automatic downloads and updates.

The problem was that the download would get stuck at 2%, 14%, etc., and wouldn't continue. After reviewing the data together, I found the following: 

An IPS Prevent log with the following information:

Attack Information: Chasys Draw IES BMP Buffer Overflow

Protection Name: Chasys Draw IES BMP Buffer Overflow

CVE: CVE-2013-3928

Destination: a23-48-246-138.deploy.static.akamaitechnologies.com (23.48.246.138)

Resource: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.19328.20178/stream.x64.x-none.dat 

[Screenshot: Captura de pantalla 2025-11-12 151428.png]


It's important to note that we don't use Chasys Draw IES, which is an image editing program. Therefore, I think this is a clear false positive. What do you think?

Also, I find it curious that this Protection Name is detecting this traffic as malicious when the domains used are Office domains. Furthermore, according to the CVE, the traffic behavior should be related to a BMP format that doesn't appear to be present in the blocking resources.

Bypassing the protection name resolves the issue.

[Screenshot: Captura de pantalla 2025-11-12 151011.png]

Taking advantage of this situation, do you know if these issues can be easily escalated to the Check Point team so they can investigate whether it's a bug in the IPS Protection update? I feel this could be a very serious problem.

One more question: to optimize my Threat Prevention profile, do you recommend disabling this protection since we don't use the software, or how would you handle it?

All your comments are appreciated.

Regards

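The post above argues that the blocked object cannot be the BMP that CVE-2013-3928 concerns. The script below is an added example for this thread (not Check Point code, and not the logic of the "Chasys Draw IES BMP Buffer Overflow" protection) showing how to verify that claim from the first bytes of the blocked download before opening a case: it parses the two standard BMP headers (the 14-byte BITMAPFILEHEADER and the 40-byte BITMAPINFOHEADER) and reports whether a byte string even carries the BMP magic and whether its size fields are self-consistent. The function names (inspect_bmp, make_bmp, with_fake_dimensions) and all sample inputs are this example's own; the "placeholder Office stream" bytes are constructed here and are not the content of the real stream.x64.x-none.dat.

```python
"""Is the blocked object actually a BMP? Added example, not Check Point code.

Parses BITMAPFILEHEADER (14 bytes) and BITMAPINFOHEADER (40 bytes) and
reports whether a byte string claims to be a BMP and whether its size
fields are consistent. Sample inputs are constructed below; the "Office
stream" bytes are a placeholder, not the real stream.x64.x-none.dat.
"""
import struct
from dataclasses import dataclass
from typing import Optional

BMP_MAGIC = b"BM"
FILE_HEADER_LEN = 14
INFO_HEADER_LEN = 40          # BITMAPINFOHEADER; other DIB header sizes exist
HEADERS_LEN = FILE_HEADER_LEN + INFO_HEADER_LEN


@dataclass
class BmpVerdict:
    is_bmp: bool
    reason: str                # "ok", or why the object is suspect / not a BMP
    width: int = 0
    height: int = 0
    bits_per_pixel: int = 0
    declared_size: int = 0
    pixel_offset: int = 0


def inspect_bmp(data: bytes) -> BmpVerdict:
    """Classify `data` by its BMP headers without touching the pixel array."""
    if len(data) < FILE_HEADER_LEN or data[:2] != BMP_MAGIC:
        return BmpVerdict(False, "no 'BM' magic: not a BMP")
    # BITMAPFILEHEADER after the magic: file size, two reserved u16, pixel-array offset
    declared_size, _res1, _res2, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    if len(data) < HEADERS_LEN:
        return BmpVerdict(True, "truncated before the end of BITMAPINFOHEADER",
                          declared_size=declared_size, pixel_offset=pixel_offset)
    dib_size = struct.unpack_from("<I", data, FILE_HEADER_LEN)[0]
    if dib_size != INFO_HEADER_LEN:
        return BmpVerdict(True, f"DIB header size {dib_size} not parsed here",
                          declared_size=declared_size, pixel_offset=pixel_offset)
    # BITMAPINFOHEADER fields after biSize: width, height (signed), planes,
    # bits per pixel, compression, image size
    width, height, _planes, bpp, compression, _image_size = struct.unpack_from(
        "<iiHHII", data, FILE_HEADER_LEN + 4)
    verdict = BmpVerdict(True, "ok", width, height, bpp, declared_size, pixel_offset)

    # Each pixel row is padded to a multiple of 4 bytes; height < 0 means top-down.
    row_bytes = ((abs(width) * bpp + 31) // 32) * 4
    needed_pixels = row_bytes * abs(height)
    if pixel_offset < HEADERS_LEN or pixel_offset > len(data):
        verdict.reason = "pixel-array offset points outside the file"
    elif compression == 0 and pixel_offset + needed_pixels > len(data):
        verdict.reason = "declared dimensions need more pixel data than the file holds"
    elif declared_size != len(data):
        verdict.reason = "declared file size differs from actual length"
    return verdict


def make_bmp(width: int, height: int, bpp: int = 24,
             pixel_offset: Optional[int] = None) -> bytes:
    """Build a minimal uncompressed BMP (constructed test input, zeroed pixels)."""
    row_bytes = ((width * bpp + 31) // 32) * 4
    pixels = bytes(row_bytes * height)
    offset = HEADERS_LEN if pixel_offset is None else pixel_offset
    file_hdr = BMP_MAGIC + struct.pack("<IHHI", HEADERS_LEN + len(pixels), 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", INFO_HEADER_LEN, width, height, 1, bpp,
                           0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def with_fake_dimensions(bmp: bytes, width: int, height: int) -> bytes:
    """Rewrite only biWidth/biHeight (bytes 18..25), keeping the short pixel array."""
    return bmp[:18] + struct.pack("<ii", width, height) + bmp[26:]


# Constructed placeholder standing in for the first bytes of the blocked Office
# stream; the real file was not captured for this example.
PLACEHOLDER_OFFICE_STREAM = b"\x00placeholder-not-a-bitmap\x00" + bytes(40)

if __name__ == "__main__":
    for label, blob in [
        ("placeholder office stream", PLACEHOLDER_OFFICE_STREAM),
        ("2x2 24bpp BMP", make_bmp(2, 2)),
        ("BMP claiming 100000x100000", with_fake_dimensions(make_bmp(2, 2), 100000, 100000)),
        ("BMP with pixel offset past EOF", make_bmp(2, 2, pixel_offset=1000)),
    ]:
        v = inspect_bmp(blob)
        print(f"{label:32} is_bmp={v.is_bmp} "
              f"{v.width}x{v.height}@{v.bits_per_pixel} -> {v.reason}")
```

To apply this to the real case, fetch only the leading bytes of the logged Resource URL with an HTTP range request (for example curl -r 0-53 against that URL, from a host where the download is not blocked) and pass them to inspect_bmp; a verdict of is_bmp=False for an object that tripped a BMP-parsing protection is the evidence to attach to the TAC case. The two "lying header" cases illustrate the general class of inconsistency a BMP parser must reject before allocating or copying pixel data, which is the kind of defect a BMP buffer-overflow signature is written to catch.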
PhoneBoy
Admin

Definitely sounds like a false positive issue, which should be reported to TAC.
From a performance perspective, disabling a specific signature doesn't usually change anything.
However, if it causes a false positive like this, especially if the protection is for a product you don't use, disabling it is completely reasonable. 

Ddavila
Participant

I will definitely open a case with the CAT team so they can review it and see if it's an error.

Thanks for your recommendations; I was interested to hear your opinions on this case.

the_rock
MVP Platinum

What remediation option does it give?

Best,
Andy