False positive for Windows RPC DCOM Overflow id=3327 version=S188

Hi,
Could you take a look at the below capture to see if there is false positive at work.
Thanks,
Matt
signature: description=Windows RPC DCOM Overflow id=3327 version=S188
subsigId: 6
sigDetails: \\\x3c400 chars>\
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=INTERNAL <address removed>
port: 1914
target:
addr: locality=INTERNAL <address removed>
port: 445
context:
fromTarget:
000000 63 00 5F 00 66 00 73 00 2E 00 6E 00 6F 00 72 00 c._.f.s...n.o.r.
000010 74 00 68 00 62 00 61 00 79 00 62 00 61 00 6E 00 t.h.b.a.y.b.a.n.
000020 63 00 6F 00 72 00 70 00 2E 00 63 00 6F 00 6D 00 c.o.r.p...c.o.m.
000030 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 ....W.i.n.d.o.w.
000040 73 00 20 00 35 00 2E 00 30 00 00 00 57 00 69 00 s. .5...0...W.i.
000050 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w.s. .2.0.
000060 30 00 30 00 20 00 4C 00 41 00 4E 00 20 00 4D 00 0.0. .L.A.N. .M.
000070 61 00 6E 00 61 00 67 00 65 00 72 00 00 00 00 00 a.n.a.g.e.r.....
000080 00 7E FF 53 4D 42 73 00 00 00 00 98 07 C8 00 00 .~.SMBs.........
000090 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 48 ...............H
0000A0 C0 3E 04 FF 00 7E 00 00 00 09 00 53 00 A1 07 30 .>...~.....S...0
0000B0 05 A0 03 0A 01 00 57 00 69 00 6E 00 64 00 6F 00 ......W.i.n.d.o.
0000C0 77 00 73 00 20 00 35 00 2E 00 30 00 00 00 57 00 w.s. .5...0...W.
0000D0 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 i.n.d.o.w.s. .2.
0000E0 30 00 30 00 30 00 20 00 4C 00 41 00 4E 00 20 00 0.0.0. .L.A.N. .
0000F0 4D 00 61 00 6E 00 61 00 67 00 65 00 72 00 00 00 M.a.n.a.g.e.r...
fromAttacker:
000000 00 04 41 32 00 01 00 00 00 00 00 71 00 00 00 00 ..A2.......q....
000010 00 D4 00 00 80 B9 00 A1 6F 30 6D A2 6B 04 69 4E ........o0m.k.iN
000020 54 4C 4D 53 53 50 00 03 00 00 00 01 00 01 00 58 TLMSSP.........X
000030 00 00 00 00 00 00 00 59 00 00 00 00 00 00 00 48 .......Y.......H
000040 00 00 00 00 00 00 00 48 00 00 00 10 00 10 00 48 .......H.......H
000050 00 00 00 10 00 10 00 59 00 00 00 15 8A 88 E2 05 .......Y........
000060 00 93 08 00 00 00 0F 47 00 57 00 2D 00 30 00 30 .......G.W.-.0.0
000070 00 32 00 38 00 37 00 00 46 5A 5E 7D 09 B9 25 FB .2.8.7..FZ^}..%.
000080 EF 1F 07 DE BD 60 85 13 57 00 69 00 6E 00 64 00 .....`..W.i.n.d.
000090 6F 00 77 00 73 00 20 00 32 00 30 00 30 00 30 00 o.w.s. .2.0.0.0.
0000A0 20 00 32 00 31 00 39 00 35 00 00 00 57 00 69 00 .2.1.9.5...W.i.
0000B0 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w.s. .2.0.
0000C0 30 00 30 00 20 00 35 00 2E 00 30 00 00 00 00 00 0.0. .5...0.....
0000D0 00 00 00 58 FF 53 4D 42 75 00 00 00 00 18 07 C8 ...X.SMBu.......
0000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................
0000F0 00 48 00 3F 04 FF 00 58 00 08 00 01 00 2D 00 00 .H.?...X.....-..

This is indeed a false positive. You can either filter out trusted hosts or create a metasignature using this signature as a component to reduce the chance of false positives.
Tune signature 3327-6 and remove the produce alert action.
Create a custom signature as follows:
Engine Meta
Component list:
3327-6
3328-0
Meta-reset-interval = 2
Severity high
Summarize
Meta-key = Axxx – 1 unique victim
Component-list-in-order = false
Event action: produce alert
This signature will only fire when signatures 3327-6 and 3328-0 fire. Since 3327-6 would have no event action of its own, you would not see alerts from it.
Note that this signature does not have as high fidelity as the original 3327-6; that being said, signature 3327-0 detects almost all public exploits for this vulnerability. We will note this in the NSDB.
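The Meta-engine composition in the answer above, as an added example that is not the page's or Cisco's code: a small correlator that fires only when both component signatures fire from the same attacker address (Meta-key Axxx) within the meta-reset-interval, so a host that only ever trips 3327-6 produces no alert. The component events and RFC 5737 addresses are constructed, and the window-reset behaviour is an assumption made here.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class ComponentEvent:
    """One firing of a component signature (constructed record, not sensor output)."""
    t: float        # seconds since capture start
    sig: str        # signature id, e.g. "3327-6"
    attacker: str
    victim: str


@dataclass(frozen=True)
class MetaAlert:
    t: float
    attacker: str
    components: Tuple[str, ...]
    victims: FrozenSet[str]


@dataclass
class _Window:
    start: float
    seen: List[str] = field(default_factory=list)
    victims: Set[str] = field(default_factory=set)


class MetaSignature:
    """Meta-engine style correlator: fires once per attacker address (Meta-key Axxx)
    when every component has fired within reset_interval seconds of the first one,
    against at least unique_victims distinct victim addresses."""

    def __init__(self, components: Sequence[str], reset_interval: float,
                 unique_victims: int = 1, in_order: bool = False) -> None:
        self.components = list(components)
        self.reset_interval = reset_interval
        self.unique_victims = unique_victims
        self.in_order = in_order
        self._windows: Dict[str, _Window] = {}

    def feed(self, ev: ComponentEvent) -> Optional[MetaAlert]:
        if ev.sig not in self.components:
            return None                       # not a component of this meta signature
        win = self._windows.get(ev.attacker)
        if win is not None and ev.t - win.start > self.reset_interval:
            win = None                        # meta-reset-interval elapsed: partial match discarded
        if self.in_order:
            expected = self.components[len(win.seen) if win else 0]
            if ev.sig != expected:
                return None                   # component-list-in-order: wrong position, ignored
        if win is None:
            win = self._windows[ev.attacker] = _Window(start=ev.t)
        if ev.sig not in win.seen:
            win.seen.append(ev.sig)
        win.victims.add(ev.victim)
        if len(win.seen) == len(self.components) and len(win.victims) >= self.unique_victims:
            del self._windows[ev.attacker]    # fire once, then start over for this key
            return MetaAlert(ev.t, ev.attacker, tuple(win.seen), frozenset(win.victims))
        return None


# Constructed component firings (RFC 5737 addresses), mirroring the answer's scenario.
SAMPLE_EVENTS = [
    # Trusted file server's SMB session setup trips 3327-6 on its own: the false positive.
    ComponentEvent(0.0, "3327-6", "192.0.2.10", "192.0.2.20"),
    ComponentEvent(0.5, "3327-6", "192.0.2.10", "192.0.2.21"),
    # Both components from one source within 2 s, in either order: the meta signature fires.
    ComponentEvent(10.0, "3328-0", "198.51.100.7", "192.0.2.30"),
    ComponentEvent(11.2, "3327-6", "198.51.100.7", "192.0.2.30"),
    # Both components, but 5 s apart: the window has reset, so no alert with a 2 s interval.
    ComponentEvent(20.0, "3327-6", "203.0.113.9", "192.0.2.31"),
    ComponentEvent(25.0, "3328-0", "203.0.113.9", "192.0.2.31"),
]


def run_meta(events=SAMPLE_EVENTS, reset_interval: float = 2.0,
             in_order: bool = False) -> List[MetaAlert]:
    """Replay events through the 3327-6 + 3328-0 meta signature from the answer."""
    meta = MetaSignature(["3327-6", "3328-0"], reset_interval, unique_victims=1, in_order=in_order)
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        alert = meta.feed(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_meta():
        print(f"t={a.t:.1f}s meta alert: attacker={a.attacker} components={a.components}")
```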

Similar Messages

  • The Accessibility Object for AS2 is returning a false positive for AS2 with IE10 on Windows 8 Pro.

    There is an issue with our legacy content player, which is written in Flash Actionscript 1 & 2.  This
    player behaves fine in most browsers on most platforms, but in IE10 on Windows 8 it doesn't work
    properly.
    Internet Explorer 110
    Version:  10.0.9200.16688
    Update Version:  10.0.9 (KB2870699)
    Windows 8 Pro
    This seems to be because of the Flash engine's Accessibility object using the Microsoft Active
    Accessibility (MSAA) API to detect the presence of Screen Readers.  This detection is creating a false
    positive on Windows 8 machines and that may be due to the touch screen support on that platform.  This
    doesn't appear to be occurring with Chrome or Firefox on the same platform, however.  So I suspect that
    IE or IE's Flash component is doing something different than these other browsers.

    This is legacy code and is too close to its end-of-life to justify porting to AS3.  As far as a work-around I am already looking into it. I was hoping that someone had already encountered this issue and created a work-around.  This would have saved time.
    Any other takers?

  • False Positives for id=12713 version=S149

    Just started receiving numerous firings of 12713. Looks like false positives. Is anyone else observing this?
    Cisco MARS is creating the following : System Rule: DoS: Network - Success Likely
    thanks
    John Stark

  • TS5376 iTunes 11.1.4 for Windows Vista - I've uninstalled prior version and associated applications, but get message "cannot download" the exe file. Why?

    Followed instructions to uninstall iTunes and related components and files, but still get error that the "exe" file cannot be downloaded. Any suggestions on what to do next?  This all started because I wanted to sync my iphone to the computer.

    I was able to successfully download iTunes after repeated attempts to remove Apple Mobile Device Support finally worked. Had to repair, re-install, then uninstall it. Found useful tips on how to do that in topic "Troubleshooting issues with iTunes for Windows Updates" by turingtest2.  After that, my browsers (IE or Firefox) would only partially download the iTunes install file. So paused virus scanner and Windows Defender. and uninstalled iCloud. Eventually IE downloaded the "exe" file and I was able to run it (albeit with several false starts). 
    Now trying to reinstall iCloud.  
    thanks for your help.

  • Adobe Reader for Windows Phone cannot open older PDF versions?

    I've found that Adobe Reader for Windows Phone displays the following error when I try to open certain PDF documents: "There was an error opening the document".
    After doing some limited testing I found that it can successfully open PDF documents which were saved as "PDF version: 1.5 (Acrobat 6.x)", but the error appears when it tries to open documents saved as the older format "PDF version: 1.3 (Acrobat 4.x)". (I am checking the filetype version by opening the documents in Adobe Reader X on my PC and looking at the document properties).
    My phone is a HTC 7 Mozart running Windows Phone 7.5. I noticed the problem when I was using the SkyDrive app to try and look at some PDF files I have saved in SkyDrive. SkyDrive downloads the file and then passes it to the Adobe Reader app to view. It works when I look at a newer version 1.5 PDF but not the older v1.3 type. Unfortunately my HP Photosmart 5510 scanner outputs scans as PDF files and only in the older file version.
    I've tried reinstalling the SkyDrive app and the Adobe Reader app on my phone. (The Adobe Reader app is version 10.1.1, build 20120919).
    Is this a known limitation, or is this a bug?
    If this is a limitation that won't be fixed - is there an easy way I can convert my files to the newer file type? (Adobe Reader X on my PC doesn't seem to offer a way to convert existing files)
    Thanks!

    [topic moved to Adobe Reader for Windows Phone forum]

  • QuickTime Pro for Windows lacks same features as Mac Version!?

    I am very dissatisfied to learn (after purchasing) that QT Pro for Windows does NOT have a Video Capture Feature.
    The reps at Apple tech support all told me the program was exactly the same as the Mac version. So I purchased it only to discover no Video Capture option, only Audio.
    I am writing on this forum:
    A) to let others know that this is not a bug,
    B) to let Apple become aware so that their own employees understand their products better.
    C) to help Apple realize that they need to change their website (as it just glosses over this issue with vague feature descriptions on the Windows version of the QT Pro site and also in hopes that Apple will change its decisions to disable Windows versions in order to allow their Apple version to be slightly better for marketing reasons... there can be no reason why simple Video Capture (at least thru DV) shouldn't be in the software on the Win version and
    D) to ask if anyone knows of any 3rd party plugins that will allow for Video Capture thru QT Pro.
    (so far my 2 previous posts were deleted... so I don't expect too much here, but I am trying to be constructive with my criticism. Apple please help!?)
    (copying this message to tech support and Apple product management in case it is deleted, they will be also notified of that)
    thanks for any help, I'm sorry it has come to this...
    Anyone know of a plugin?

    thanks for finally answering. Even if you deleted the previous post, you could have emailed me about the issue. Instead it just disappeared.
    I'm not an Apple employee. We're all just your fellow users here. I just know a complaint post when I see one.
    So Why does the windows version "lack the support architecture
    Only the QuickTime project engineers could answer that.
    in the Mac version, it does say Video and Audio capture, and on the Win version, it says "Video and Audio Creation features" and it also lists Audio Capture... But don't you think it should list somewhere "VIDEO CAPTURE FEATURE ala the Mac version is NOT INCLUDED". Why be vague about it?
    It's not vague to me. If a feature isn't listed, I don't presume that it exists. But again, if you want to comment on this to Apple, use the Feedback page I gave in my previous post.
    even though you say there is no way a plugin would work, I did find a Java based plugin that is supposed to work... haven't installed it yet.
    I presume you're referring to QuickTime Capture. That's not a true QuickTime plugin, it's an applet, but we'd be getting into semantics, so I won't belabor the point. If that is indeed the Java applet you're referring to, it seems to be a frame-by-frame grabber, not a true video importer, so I'm not sure it's going to work for you. But of course there's no harm in trying it; it might do the job for you. If not, there are a lot of Windows video import utilities available (including the free Microsoft Movie Maker).

  • PS Elements 5.0 & Premiere 3.0 for Windows XP & Vista?  Will old version work on Windows 7?

    Have Photoshop Elements 5.0 and Premiere 3.0 for Windows XP & Vista.  New computer Windows 7, can I do upgrade to 12 of both photoshop & premiere elements?

    You will be better off financially to buy the boxed version from Amazon.  It is only $88 according to this:
    Click on the above picture to go to Amazon Website to see the latest price on the product.

  • False positive for GNU Bash Remote Code Execution Vulnerability

    Dear Team, 
    One of my customers, a bank in Brunei, wants to access several finance websites such as www.iifm.net etc. TippingPoint IPS blocked access to the website with the report 16800: TCP: GNU Bash Remote Code Execution Vulnerability (Low Severity). The site is a normal, legal website. Our employees need to access these several websites for their daily work. Please advise.
    Best Regards
    Yudi

    Hello Yuibagan,
    This is the Consumer products forum.
    You need to be in the HP Enterprise Business Community for IT related issues for servers, etc.
    I think you will want to post this question in the Security section. Don't post the same question more than once as you did here.
    HP Networking
    You will also want to take a look at the Articles and updates explaining GNU Bash here:
    GNU Bash vulnerability "Shellshock" (CVE-2014-6271... - HP Enterprise Business Community
    HP Security Research: GNU Bash vulnerability "Shel... - HP Enterprise Business Community
    HP AppDefender and HP WebInspect updates: GNU Bash... - HP Enterprise Business Community
    HPSR Software Security Content 2014 Update 3 - HP Enterprise Business Community
    Good luck

  • False positive for 16800: TCP: GNU Bash Remote Code Execution Vulnerability

    Dear Team, 
    One of my customers, a bank in Brunei, wants to access several finance websites such as www.iifm.net etc. TippingPoint IPS blocked access to the website with the report 16800: TCP: GNU Bash Remote Code Execution Vulnerability (Low Severity). The site is a normal, legal website. Our employees need to access these several websites for their daily work. Please advise.
    Best Regards
    Yudi

    @yuibagan
    Thank you for using HP Support Forum. I have brought your issue to the appropriate team within HP. They will likely request information from you in order to look up your case details or product serial number. Please look for a private message from an identified HP contact. Additionally, keep in mind not to publicly post serial numbers and case details.
    If you are unfamiliar with the Forum's private messaging please click here to learn more.
    Thank you,
    Omar
    I Work for HP

  • I have Creative Suite 6 Production Premium and InDesign CS5.5 for Windows, but I need the Mac versions of these. Is it possible to swap or exchange these products?

    Does Adobe allow exchanging my Windows version of CS6 Production Premium and InDesign CS5.5 for the Mac version? (The CS5.5 box is unopened, and the CS6 is in mint condition.)

    You might be able to do something for the CS6 product, but as far as the CS5.5 application goes it will not qualify.  See the following:
    Order product | Platform, language swap

  • If I originally purchased Dreamweaver for Windows, can I download the Mac version? I don't have a PC

    I have my original serial number, but I do not have the cds. I need to download new software for my Mac. Since I don't use my Windows version anymore, can I do this?

    You can purchase CS6 via the page linked below...
    Purchase CS6 products:
    http://www.adobe.com/products/catalog/cs6._sl_id-contentfilter_sl_catalog_sl_software_sl_c reativesuite6.html
    What you might want to do first is acquire the trial version to make sure it will work properly on your machine.  You can acquire the trial version via either of the links below...
    http://helpx.adobe.com/x-productkb/policy-pricing/cs6-product-downloads.html
    For the following link, be sure to follow the steps outlined in the Note: Very Important Instructions section on the download pages at this site and have cookies enabled in your browser or else the download will not work properly.
    http://prodesigntools.com/adobe-cs6-direct-download-links.html

  • Skype for Windows 7.4.85.102 newest version

    i just want to know what is new or improved in this version. greetings 

    I've been having a problem signing in to Skype version 7.4.85.102. I looked at my firewall and all is coming through. The previous version was working just fine, but since it updated it will not let me sign in. I put in my name and password, it gives me the spin circle for a few minutes, then gives me "can't connect to skype". I tried uninstalling and installing previous versions; I even went and changed the file name to "skype_old" as it said in previous comments to do, and deleted the temp folder. Why the difficulty?

  • Looking for a ISO for Windows 2003 R2 Enterprise Volume License version.

    Hi all,
    We have our VL W2K3 R2 Enterprise 32bit license key already.
    Trying to get a link to the .iso file for the VL license to download it.
    I tried the non-VL W2K3R2 Standard version .iso from my standard TechNet subscription, of course it will not take the VL key as valid.
    Where can I get the required .iso file?
    Any help appreciated.
    Regards,
    [email protected] or
    [email protected]

    Hi,
    You can download the .iso by logging on to the Volume License Service Center (VLSC) site using the credentials for your volume license agreement.  Product key(s) are there as well.
    https://www.microsoft.com/Licensing/servicecenter/default.aspx
    If you do not know the credentials you should be able to gain access if you have the license numbers, authorization numbers, original confirmation email/paperwork.  If you do not have these you can contact your reseller and request that they send
    a duplicate copy.
    An alternative would be if you have one of the higher MSDN subscriptions you could log on and download it from there.
    -TP

  • False positive KB2478662 after Server Cleanup Wizard

    This morning WSUS gave me false positives for several clients.  I've seen FPs before, but I've never discovered what causes them.  In fact, I'm finding it hard to even ask a useful question.
    On Friday I ran the WSUS Cleanup Wizard.  On Monday I found that our Server 2008 R2 box and all but two of our Windows 7 boxes report as needing .NET update KB2478662 - a long-superseded update from 2011.
    I ran "wmic qfe list" to learn that neither KB2478662 nor its two superseding patches (KB2633873 and KB2539635) were installed on any of the unhappy clients.  However, KB2972100 supersedes KB2633873 and KB2539635 (but not the earlier KB2478662),
    and is installed on all the clients involved.  KB2972100 is not listed as superseding KB2478662, the earliest in the chain, so it appears this sort of leapfrogging supersession may not be detected well by WSUS.
    However: KB2972100 was installed two months ago, and KB2478662 didn't show before Friday; according to the Microsoft Catalog, none of the update packages has been updated recently; and I'm not finding reports from other admins of the ghost of KB2478662 emerging
    from the shadows.  I can only assume that running the Cleanup Wizard Friday somehow left WSUS in a state where this false positive could result.
    Like I said, I can't decide what question to ask.  Am I likely correct in blaming the Cleanup Wizard?  If so, is there some way of cleaning up after the wizard?  Or of preventing this sort of false positive in the first place?  Or is there
    some other common cause for this sort of FP?
    I seem to get two or three of these FPs a year, and I always end up researching the chain of superseding updates, manually scanning clients until I'm sure the latest update is really in place - and then I decline the false positive.  But I'd love to know
    a better way to handle these, or to avoid them.

    so I don't have a years-long database of approved updates.
    That remains to be seen. It only takes one hour of overambitious update approvals to generate five years of content on a WSUS server. :-)
    KB2478662 has never appeared before
    KB2478662 is an update contained in MS11-039 and has existed since June, 2011. If your WSUS server is only a couple of months old, I'm pretty confident in stating that KB2478662 was part of your original synchronization. KB247862 (MS11-039) is not a superseded
    update.
    It's much more likely that you just did not notice it before.. but it's always been there.
    (as I noted, KB2972100 was broadly installed in October) and has never had any approvals at all.
    I can't speak to the question of approvals, but if it was broadly installed, then I'd guess that  happened before you deployed this WSUS server and those updates were installed as a result of Automatic Updates. Given that it was released on Oct 14th,
    that makes perfect sense.
    I've never had the opportunity to decline it, because it's never appeared as "needed".
    Those two statements are totally noncongruent. You don't decline an update because it is or is not needed, or was or was not ever reported as needed, you decline an update because it will **NEVER** be needed again at all.
    None of the four updates I mention came out since I installed WSUS.
    Correct, but not really relevant.
    KB2478662 (MS11-039, Jun 2011) - already explained. NOT superseded, except for ITANIUM systems, which was superseded by MS11-069.
    KB2539635 (MS11-069, Aug 2011) - SUPERSEDED by KB2633873 (MS12-016, Feb 2012), KB2604115 (MS12-035, May 2012), KB2729452 (MS12-074, Nov 2012), KB2742599 (MS13-004, Jan 2013), and KB2972100 (MS14-057, Oct 2014).
    KB2633873 (MS12-016, Feb 2012) - SUPERSEDED by KB2604115 (MS12-035, May 2012), KB2729452 (MS12-074, Nov 2012), KB2742599 (MS13-004, Jan 2013), and KB2972100 (MS14-057, Oct 2014).
    KB2972100 (MS14-057, Oct 2014) - The *CURRENT* update.
    So since they all came out before you installed WSUS that means that ALL of them were ON your server the day you installed it, and TWO of them were relevant from Day One. The other two should have been immediately declined if KB2972100 was reported as 100%
    NotApplicable.
    If WSUS thinks KB2478662 is superseded, I have no idea why the Cleanup Wizard hasn't already handled it.
    There's no "think" about it. Either the update is superseded, or it is not, and whether it's superseded and what supersedes it and what it supersedes is displayed in the Update Details in the WSUS console. One need only read the screen to get the
    facts. In this case KB2478662 is NOT superseded (unless you have an Itanium server), and nothing "thinks" that it is (except you).
    As for why the Server Cleanup Wizard hasn't dealt with it, one need only understand what the Server Cleanup Wizard DOES do with superseded updates. Superseded updates are declined *IF* (and only IF):
    The update is superseded and has not been approved for at least 30 days.
    The update is superseded and not needed by any client systems or downstream servers.
    The update is superseded and the superseding update is APPROVED.
    So... the ITANIUM instance of KB2478662 will not be handled by the Server Cleanup Wizard, because you have likely not approved any ITANIUM updates that supersede it. And the other instances of KB2478662 will not be handled by the Server Cleanup Wizard because
    they are not superseded.
    So, back to your original message.
    KB2478662 WILL be "Needed" on any system where it is NOT installed, because this update is NOT superseded. Your original premise that this update is superseded is the root of all confusion.
    Furthermore, neither KB2633873 nor KB2539635 superseded that package, but they are superseded by a newer update (KB2972100) which predates the existence of your WSUS server, so the presence of KB2972100 and the absence of KB2633873 and KB2539635 is 100%
    normal and expected.
    You were correct in noting that KB2972100 does not supersede KB2478662, but that's the point at which your logic broke down and asking yourself how 'D' supersedes 'C' and 'B', and 'C' and 'B' supersede 'A', but 'D' does not supersede 'A' might have led to
    a re-evaluation of your conclusions.
    Ergo... there are *NO* false positives. What is reported is FACTUAL.
    HINT: (I've written this over a hundred times in the past five years).... The question you should be asking in such situations is NOT "What's wrong with the update?", but rather "What's wrong with the client?" or "What's wrong with
    my analysis?" The WUA evaluates applicability based on a defined set of rules, and reports the update status to the WSUS server based on the evaluation of those rules. If the update is more than a week old.. I absolutely PROMISE you that there is *NOTHING*
    wrong with the detection logic in that update and you need to focus your investigation on things other than the updates.
    As for how to handle superseded updates and update approvals, you may find some benefit from this article:
    Removing unneeded update approvals
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • TCP Hijack/TCP Segment Overwrite false positives?

    Hello all,
    I was just curious if anyone else has had many false positives with 3 signatures in particular: TCP Hijack (3250.0 - High), TCP Hijack Simplex Mode (3251.0 - High), and TCP Segment Overwrite (1300.0 - High). The reason I think they are false positives is because they occur every day, and I've also seen them caused by internal network traffic that crosses an IPS sensor (that is, making the potentially dangerous assumption that the internal devices can be trusted). We usually see between a dozen and 3 dozen a day depending on the signature, and we have 8 IPS total deployed internally and on the perimeters.
    Has anyone else had similar experiences? If so, do you have any suggestions on how to decrease the number of false positives for these alerts?
    Thanks,
    Ryan

    I get TCP Hijack and TCP Segment Overwrite all the time. I opened a TAC case about it because it was getting out of hand, and the engineer said that TCP Hijack would be very very hard to execute and if it is getting fired a lot odds are it is a false positive.
    This was his response:
    5769 - Malformed HTTP Request
    This signature basically just looks for traffic destined to one of your web ports (defined by the WEBPORTS variable) and containing a valid HTTP request (i.e., GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT) but followed by malformed (i.e., not proper http protocol syntax) URI information. This type of malformed HTTP request can be used for a variety of exploits. Microsoft has malformed HTTP request vulnerabilities, another attack known as "http request smuggling" can be launched using malformed HTTP requests at a Squid web proxy, which may cause the web proxy and an upstream HTTP agent to disagree on the boundary between HTTP requests on a persistent connection. These are a couple of examples.
    If you open this signature in IDM and go to "Edit", you can see the regex it looks for within the http payload. Basically, it looks for a valid HTTP request followed by the hex code regex [\x20][\x21-\x7e]+[\x20]?[\x0d\x0a]. A properly formed HTTP request should not contain this hex code.
    It's possible that normal traffic could cause this, but unlikely. If you have further concerns about this signature firing, please capture the trigger packet context either by changing the signature action to 'produce verbose alert' or 'log attacker packet' for analysis. If you need assistance in analyzing these alerts, please contact TAC and open a case on this issue.
    3250 or 3251 - TCP Hijack and TCP Hijack Simplex Mode
    This signature detects attempts to insert packets into a TCP stream by an attacker in an effort to take over this session. However, if you're using inline ips mode, TCP Hijack attacks are impossible. Also, this type of attack is very rare and not easy to do, and is often a false positive. Types of things that can be used by network sniffers to detect that a TCP hijack may be happening is looking for repeated ARP updates, frames sent between client and server with different MAC addresses, or tcp ack storms.
    For these two hijack signatures, per MySDN information:
    "This signature fires upon detecting out of order ack packets. The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event."
    Thus, very likely to be false positives and unlikely to be a legitimate attack given the difficulties involved in doing this. However, it's worth checking out the source / destination of the attacks. Again though, if you are running inline mode, these attacks are impossible and you can ignore these signatures.
    About the TCP Segment Overwrite, mine is always fired for port 20 traffic from some sort of web cache server. Is that the same for you?
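The 5769 regex quoted in the TAC response above, as an added example that is not Cisco's signature definition: it applies the pattern immediately after one of the listed request methods (an assumption made here, since the page only says the pattern follows "a valid HTTP request") and shows that without that anchor the bare pattern also hits the " HTTP/1.1" tail of every well-formed request-line. The request lines are constructed.

```python
import re

# Request methods the engineer lists as the start of a "valid HTTP request".
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"TRACE", b"CONNECT")

# The URI pattern quoted from the signature, placed right after a method. Anchoring it
# there is an assumption (not stated on the page); it is what keeps a well-formed
# request-line, which continues with " HTTP/x.y", outside the match.
SIG_5769 = re.compile(
    rb"^(?:" + b"|".join(HTTP_METHODS) + rb")[\x20][\x21-\x7e]+[\x20]?[\x0d\x0a]"
)

# The same pattern with no method anchor, to show why the anchor matters.
BARE_PATTERN = re.compile(rb"[\x20][\x21-\x7e]+[\x20]?[\x0d\x0a]")


def matches_5769(payload: bytes) -> bool:
    """True when the payload starts with a listed method followed by a URI that ends
    the request-line with CR/LF and no HTTP version (the shape the regex describes)."""
    return SIG_5769.match(payload) is not None


def bare_pattern_hits(payload: bytes) -> bool:
    """True when the unanchored URI pattern occurs anywhere in the payload."""
    return BARE_PATTERN.search(payload) is not None


# Constructed request lines; the comment gives the expected verdict for matches_5769.
SAMPLES = {
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n": False,  # well-formed HTTP/1.1
    b"POST /api HTTP/1.0\r\n\r\n": False,                              # well-formed HTTP/1.0
    b"GET /index.html\r\n": True,                                      # no version: 0.9-style line
    b"GET /cgi-bin/x \r\n": True,                                      # trailing space, then CRLF
    b"OPTIONS / HTTP/1.1\r\n": False,                                  # method not in the list
}


def classify(samples=SAMPLES):
    """Map each sample request to whether the anchored 5769 pattern matches it."""
    return {line: matches_5769(line) for line in samples}
```

A well-formed "GET /index.html HTTP/1.1" line still satisfies the bare pattern at " HTTP/1.1\r", which is why the sensor has to tie the pattern to the method rather than search the whole payload for it.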
