SANS ISC: Problems with Bloodhound.Exploit.45 pattern in Symantec AV
We have several reports of issues with the latest definition files for Symantec AV (11/9/2005 rev. 25 at the time of writing), which added the Bloodhound.Exploit.45 pattern. This definition is meant to detect files that exploit the MS05-053 vulnerabilities (Graphics Rendering Engine Vulnerability and Windows Metafile Vulnerability).

As it turns out, this pattern seems to generate a lot of false positives on almost any EMF file, certainly on those generated by Excel (which in turn prevents Excel from functioning properly).

The workaround at the moment is to exclude EMF files from scanning. Keep in mind that such an exclusion also removes whatever coverage the pattern provides against real MS05-053 exploit files carrying an EMF extension, so treat it as a temporary measure and remove it once corrected definitions are available.
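Before restoring quarantined files or adding a blanket exclusion, it helps to know whether the files the signature is tripping on are at least structurally well-formed EMF. The script below is an added example for this diary, not something from the ISC post or from Symantec: it walks the ENHMETAHEADER and the EMR record chain as laid out in the public EMF format (first record type 1 with the " EMF" signature at offset 40, each record carrying its own size, chain terminated by EMR_EOF, type 14) and reports anything that does not add up. A clean parse is no proof that a file is harmless, but a flagged "EMF" that does not parse at all is the one worth a closer look. The sample file built by build_minimal_emf() is constructed here for illustration and is not a file from any report.

```python
"""Structural sanity check for EMF files (added example, not from the ISC post).

Walks the ENHMETAHEADER and the EMR record chain so that files flagged by an
AV signature can be triaged: well-formed EMF versus something that merely
carries the extension.
"""
import os
import struct

EMR_HEADER = 1
EMR_EOF = 14
ENHMETA_SIGNATURE = 0x464D4520   # little-endian bytes b" EMF" at offset 40
HEADER_MIN_SIZE = 88             # ENHMETAHEADER from iType through szlMillimeters


def check_emf(data):
    """Return {"ok": bool, "records": int, "problems": [str, ...]} for ``data``.

    ``ok`` is True only when the header carries the EMF signature, every record
    lies inside the file with a size that is a non-zero multiple of 4, the chain
    ends with EMR_EOF, and the header's nBytes / nRecords match what was walked.
    """
    problems = []
    if len(data) < HEADER_MIN_SIZE:
        return {"ok": False, "records": 0,
                "problems": ["file shorter than the %d-byte EMF header" % HEADER_MIN_SIZE]}

    itype, nsize = struct.unpack_from("<II", data, 0)
    signature, version, nbytes, nrecords = struct.unpack_from("<IIII", data, 40)
    if itype != EMR_HEADER:
        problems.append("first record is not EMR_HEADER (iType=%d)" % itype)
    if signature != ENHMETA_SIGNATURE:
        problems.append("bad signature 0x%08X (expected 0x%08X)" % (signature, ENHMETA_SIGNATURE))
    if nsize < HEADER_MIN_SIZE or nsize % 4:
        problems.append("implausible header size %d" % nsize)
    if nbytes != len(data):
        problems.append("header nBytes=%d but file is %d bytes" % (nbytes, len(data)))

    # Walk the record chain: every EMR record starts with iType, nSize (both DWORD).
    offset = 0
    count = 0
    last_type = None
    while offset + 8 <= len(data):
        rtype, rsize = struct.unpack_from("<II", data, offset)
        if rsize < 8 or rsize % 4 or offset + rsize > len(data):
            problems.append("record %d at offset %d has bad size %d" % (count, offset, rsize))
            break
        count += 1
        last_type = rtype
        offset += rsize
        if rtype == EMR_EOF:
            break
    if last_type != EMR_EOF:
        problems.append("record chain does not end with EMR_EOF")
    if count != nrecords:
        problems.append("header claims %d records, walked %d" % (nrecords, count))
    return {"ok": not problems, "records": count, "problems": problems}


def check_emf_file(path):
    """Convenience wrapper: read ``path`` and run check_emf on it."""
    with open(path, "rb") as fh:
        return check_emf(fh.read())


def triage_tree(root, extensions=(".emf",)):
    """Check every file under ``root`` with one of ``extensions``; return {path: result}.

    Useful for seeing what an extension-based scan exclusion would actually cover.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                results[path] = check_emf_file(path)
    return results


def build_minimal_emf():
    """Constructed sample (not a file from any report): 88-byte header + EMR_EOF."""
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 0, 20)   # iType, nSize, nPalEntries, offPalEntries, nSizeLast
    total = HEADER_MIN_SIZE + len(eof)
    header = struct.pack(
        "<II4i4iIIIIHHIIIiiii",
        EMR_HEADER, HEADER_MIN_SIZE,
        0, 0, 0, 0,                          # rclBounds
        0, 0, 0, 0,                          # rclFrame
        ENHMETA_SIGNATURE, 0x00010000, total, 2,   # dSignature, nVersion, nBytes, nRecords
        1, 0,                                # nHandles, sReserved
        0, 0, 0,                             # nDescription, offDescription, nPalEntries
        1, 1, 1, 1,                          # szlDevice, szlMillimeters
    )
    return header + eof


if __name__ == "__main__":
    sample = build_minimal_emf()
    print("well-formed sample:", check_emf(sample))
    print("truncated sample:  ", check_emf(sample[:100]))
```

Run it against a directory of quarantined files with triage_tree("C:\\quarantine") (path is a placeholder); files reported with an empty problems list are at least structurally what they claim to be, while anything else deserves manual inspection rather than a restore.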

Let us know if you experience similar problems or have better workarounds.
Bojan
ISC Handler