NIDS, AV & HIPS for MS Office memory corruption vulnerability

https://www.csa.gov.sg/singcert/news/advisories-alerts/alert-on-microsoft-office-memory-corruption-vulnerability
The above is protected by McAfee NIDS/NIPS.

Q1:
Does McAfee AV & HIPS detect/protect against above CVE?

Q2:
Can I say that in general NIDS/NIPS protect against CVEs (esp. MS & Adobe vulnerabilities) but AV doesn't, as AV deals with malware & not CVEs?

Q3:
Can I safely say that if a vendor's NIDS detect/protect against the CVE, likely its HIPS will also provide the same?
In particular, referring to McAfee's & TrendMicro's
Asked by: sunhux

2 Solutions
btan (Exec Consultant) commented:
1. Yes, a User Defined Signature (UDS) has been created to detect this threat. See KB55447 mentioned below.
https://kc.mcafee.com/corporate/index?page=content&id=SNS1111

2. Both NIPS and HIPS can detect CVEs. In fact, a CVE describes a specific vulnerability, so the signature can be customised more precisely for it, with patches to be developed and released in a timely manner to remediate the gap. Just see the security bulletins from McAfee.
https://www.mcafee.com/sg/threat-center/product-security-bulletins.aspx

3. They would, as a family suite, since the defence-in-depth principle applies to detecting and blocking at both the network and endpoint layers. That said, the signature development effort for each preventive measure in the control device is not equivalent.
- Let's say the vulnerability pertains to a network threat like a DDoS attack: the simplest place to stop it is at the network level (web gateway, firewall and NIPS), while HIPS will only have its host firewall.
- But if it is malware like ransomware, its content may not be easily detected in traffic packets, whereas HIPS will be in a better position to inspect it. Network IOCs are mostly IP address/port (callback & source), URL and domain, compared to HIPS, which goes for behaviour-based actions and traces on the file, registry (Windows) and memory.

Trend Micro has its own bulletin (focused on CVEs too) - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability
sunhux (Author) commented:
So in general, antivirus (for McAfee & Trend Micro) doesn't deal with CVEs, is this right?
btan (Exec Consultant) commented:
Yes and No.
Yes, because a CVE pertains to a vulnerability in an application, system or network protocol.

No, because the CVE is generally also tagged in the virus signature. E.g. ClamAV has a signature for a PDF vulnerability named "PDF.Exploit.CVE_2014_8449".
In fact, you can extract such virus signature names from VT.
virustotal-search will extract CVE numbers from AV detection signatures and report them in the column CVEs.
https://blog.didierstevens.com/?s=virustotal
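To show what the answer above means by extracting CVE numbers from AV detection signatures, here is an added Python example; it is not the virustotal-search tool and not part of the original thread. The ClamAV name is the one quoted in the answer; the other engine names and detection strings are constructed.

```python
import re
from typing import Dict, List, Optional

# CVE identifiers as they appear inside AV detection names: vendors separate
# the parts with '-', '_' or '.', in any letter case, and the sequence part
# has at least four digits (e.g. CVE-2014-8449, CVE-2021-44228).
CVE_RE = re.compile(r"CVE[-_.](\d{4})[-_.](\d{4,})", re.IGNORECASE)


def extract_cves(detection: str) -> List[str]:
    """Return normalised CVE ids (CVE-YYYY-NNNN...) found in one detection name."""
    return [f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(detection)]


def cves_from_scan(scans: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Map each CVE id to the engines whose detection name references it.

    `scans` is engine -> detection name (None or empty when the engine
    reported no detection), the per-engine shape of a VT report.
    """
    hits: Dict[str, List[str]] = {}
    for engine, name in scans.items():
        if not name:
            continue
        for cve in extract_cves(name):
            hits.setdefault(cve, []).append(engine)
    return hits


# Constructed sample (not real scan output): engine -> detection name.
SAMPLE_SCANS: Dict[str, Optional[str]] = {
    "ClamAV": "PDF.Exploit.CVE_2014_8449",       # name quoted in the thread
    "EngineB": "Exploit.PDF.cve-2014-8449.Gen",  # hypothetical vendor naming
    "EngineC": "Trojan.Script.Generic",          # no CVE in the name
    "EngineD": None,                             # no detection at all
}

if __name__ == "__main__":
    for cve, engines in sorted(cves_from_scan(SAMPLE_SCANS).items()):
        print(f"{cve}: {', '.join(engines)}")
```

A generic name such as "Trojan.Script.Generic" yields no CVE, which is the "Yes" half of the answer: the AV verdict alone does not tell you which vulnerability was targeted.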