Microsoft DirectShow QuickTime Atom Size memory corruption error

I keep getting emails from my firewall regarding the following:

Appliance: FireboxX550e
Time: Tue Mar 08 12:49:05 2011 (CST)
Process: http
Message: Policy Name: HTTP-proxy-00 Action: ProxyDrop:  Reason: HTTP Body IPS match Source IP: 192.168.x.xxx Source Port: 2345 Destination IP: 209.243.48.54 Destination Port: 80 ips_msg: EXPLOIT Microsoft DirectShow QuickTime Atom Size memory corruption -1 signature_id: WG-1110555 threat_level: 80 signature_cat: http-client host: www.accurint.com path: /favicon.ico

I have tried restarting my firewall, checking for viruses/malware on the workstations that are reporting this, yet find nothing.  Is this an issue I should be worried about?

I am running a Windows Server 2003 controlled network; all workstations have Windows XP Pro w/ SP3 installed.

This is only one example of the email; if you need any more information, let me know.

Thanks!
Asked by: paulms53
 
Paul Solovyovsky (Senior IT Advisor) commented:
Had this issue with a customer today, it looks like a false positive on the IPS definitions.  It will block some and cause problems with many valid sites.  

In Subscription Services go to IPS -> Exclusions -> Add -> WG-1110555

Make sure the WG is capital, otherwise it will not take it.  I am looking to contact WG support to troubleshoot further, but it looks like a bad IPS signature at this point.
 
paulms53 (Author) commented:
Are you aware of anyone else having the same problem with the IPS definitions?
 
Paul Solovyovsky (Senior IT Advisor) commented:
Yes, several customers have had this issue as of yesterday.
 
paulms53 (Author) commented:
Were you able to reach any solutions w/ WatchGuard?  I'm hesitant to do a case # with them since they will charge me.
 
Paul Solovyovsky (Senior IT Advisor) commented:
Exclude this specific signature as described above. I don't see this as a major threat, especially since it detects everything as a threat.
 
Ad-Apex commented:
Hi everyone,

I had this same issue earlier this week.  It appears, as Paulsolov said above, to be a problem with recent signatures for the IPS that were released by WatchGuard.  I added WG-1110555 to the exceptions list in Intrusion Protection and it solved the issue.  I have a message out to WatchGuard inquiring about it but no one has responded. Just FYI.
 
paulms53 (Author) commented:
As an aside to the original question, does the Firebox firewall come with blacklist controls for email?
 
paulms53 (Author) commented:
WatchGuard Firebox is what I meant.
 
Paul Solovyovsky (Senior IT Advisor) commented:
If you take a look at the error, it is not email related, as it is on port 80:

WG-1110555 threat_level: 80 signature_cat: http-client host: www.accurint.com path: /favicon.ico


The WatchGuard has spamBlocker as well as an SMTP proxy for mail filtering, but that is a different issue.
 
paulms53 (Author) commented:
k
Question has a verified solution.
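
To judge whether a signature such as WG-1110555 is misfiring rather than catching infected machines, it helps to tally the alert e-mails by signature, client and destination site. The following is an added example, not part of the original thread and not WatchGuard tooling; the sample alerts are constructed in the format quoted in the question, and the thresholds, client IPs, example.* hosts and the WG-0000000 ID are assumptions.

```python
import re
from collections import defaultdict

# Field names as they appear in the alert quoted in the question.
KEYS = ["Policy Name", "Action", "Reason", "Source IP", "Source Port",
        "Destination IP", "Destination Port", "ips_msg", "signature_id",
        "threat_level", "signature_cat", "host", "path"]
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEYS)) + r"):\s*")

def parse_alert(message):
    """Split one alert 'Message:' body into a dict; values may contain spaces."""
    hits = list(KEY_RE.finditer(message))
    fields = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(message)
        fields[cur.group(1)] = message[cur.end():end].strip().rstrip(":")
    return fields

def summarize(messages):
    """Per signature_id: hit count, distinct internal clients, distinct sites."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "hosts": set()})
    for msg in messages:
        f = parse_alert(msg)
        if "signature_id" in f:
            s = stats[f["signature_id"]]
            s["hits"] += 1
            s["clients"].add(f.get("Source IP"))
            s["hosts"].add(f.get("host"))
    return dict(stats)

def review_candidates(stats, min_clients=2, min_hosts=2):
    """Signatures firing for several clients on several unrelated sites.
    Thresholds are assumptions; a match means 'check the definition first'."""
    return sorted(sid for sid, s in stats.items()
                  if len(s["clients"]) >= min_clients and len(s["hosts"]) >= min_hosts)

# Constructed sample alerts; only the first mirrors the one in the question.
QT = "EXPLOIT Microsoft DirectShow QuickTime Atom Size memory corruption -1"
TEMPLATE = ("Policy Name: HTTP-proxy-00 Action: ProxyDrop:  Reason: HTTP Body IPS match "
            "Source IP: {} Source Port: 2345 Destination IP: {} Destination Port: 80 "
            "ips_msg: {} signature_id: {} threat_level: 80 "
            "signature_cat: http-client host: {} path: {}")
SAMPLE = [
    TEMPLATE.format("192.168.1.10", "209.243.48.54", QT, "WG-1110555", "www.accurint.com", "/favicon.ico"),
    TEMPLATE.format("192.168.1.11", "203.0.113.5", QT, "WG-1110555", "www.example.org", "/logo.png"),
    TEMPLATE.format("192.168.1.12", "203.0.113.9", QT, "WG-1110555", "www.example.net", "/favicon.ico"),
    TEMPLATE.format("192.168.1.10", "203.0.113.77", "EXAMPLE placeholder", "WG-0000000", "files.example.com", "/a.bin"),
]
```

Calling `review_candidates(summarize(SAMPLE))` lists the signatures worth checking against the vendor's definitions before adding an exclusion or reimaging workstations.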