Understanding why Deep Security cannot cover certain vulnerabilities

    • Updated:
    • 29 Aug 2017
    • Product/Version:
    • Cloud One - Workload Security All
    • Deep Security 10.0
    • Deep Security 10.1
    • Deep Security 9.6
    • Deep Security As A Service
    • Platform:
    • Linux - Red Hat RHEL 5 64-bit
    • Windows 2003 Enterprise
    • Windows 2008 Enterprise
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit

Learn why there are certain vulnerabilities for which Trend Micro cannot create Deep Security rules, leaving Deep Security unable to protect the system against them.


There are several reasons why a rule for a given vulnerability is not present in Deep Security. The key point is that the Deep Security Deep Packet Inspection (DPI) engine inspects network traffic, so its rules can only act on data that comes over the wire.

When a vulnerability is local (no data passes over the wire), or when the triggering traffic carries no payload for DPI to inspect (for example, kernel bugs where TCP/IP headers with bad values could allow remote code execution or cause a denial of service), Deep Security cannot create a rule for it and cannot protect the system against it.

The table below summarizes the possible reasons for this behavior:

Local vulnerabilities
    Description: A vulnerability exploitable only with local access requires the attacker to have physical access to, or be logged on to, the vulnerable system. DPI can only detect attacks that arrive over the network. However, such attacks can still be detected using the Integrity Monitoring and Log Inspection modules.
    Example: CVE-2011-0005 (CSRSS Elevation of Privilege Vulnerability)

Kernel vulnerabilities triggered in the TCP/IP stack
    Description: Since no payload data is involved, DPI cannot inspect this traffic, and many of these are effectively grouped with the "local" category above. The attack vector is remote, but the trigger is a continuous flow of specially crafted TCP/UDP packets that carry no payload, and DPI inspects payload data only. Attacks of this kind can often be stopped at the firewall level instead.
    Examples: Vulnerability in TCP/IP Could Allow Remote Code Execution (CVE-2011-2013); CVE-2012-0152 (RDP)

File parsing
    Description: The file format is too complex to parse over the network, or the format specification is not public and/or it is difficult to determine the format structure through reverse engineering.
    Example: Microsoft Office Visio Viewer VSD File Type Confusion (CVE-2012-0020)

No vulnerability information
    Description: This accounts for a large number of "not addressed" vulnerabilities. A rule can only be created when enough information about the vulnerability is available.
    Example: (none)

Unable to distinguish good from bad
    Description: Sometimes there is no difference between good and bad traffic, so the chance of false positives is high. However, some of these can still be detected using the Integrity Monitoring and Log Inspection modules.
    Example: PowerDNS Recursor "ghost domain names" vulnerability (CVE-2012-1193)

Requires knowledge of server configuration
    Description: Sometimes a benign-looking request is malicious only under a particular server configuration, which DPI cannot know from the traffic alone.
    Example: Apache Tomcat "RemoteFilterValve" Security Bypass Security Issue (CVE-2008-3271)
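The distinction the paragraphs above and the first two table rows draw (a payload-signature engine sees only payload on the wire, a firewall-style rule sees headers and rates, and Integrity Monitoring sees file changes that produce no traffic at all) is illustrated below with a toy model. This is an added example, not Trend Micro's code or a Deep Security rule; the traffic, the `shell-metachar-in-uri` signature, the file contents and every function name are constructed for the illustration.

```python
"""Added illustration, not Trend Micro code: a toy model of three Deep
Security-style controls and which kinds of events each one can observe.
Names, rules and sample data below are constructed for this example."""
import hashlib
import re
from collections import Counter

# Constructed sample traffic as (src_ip, dst_port, tcp_flags, payload).
WEB_TRAFFIC = [
    ("10.0.0.5", 80, "PA", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.5", 80, "PA", b"GET /cgi-bin/x?cmd=;/bin/sh HTTP/1.1\r\n\r\n"),
]
# Header-only flood: 200 bare SYNs with no payload at all, the shape of
# traffic that triggers kernel TCP/IP stack bugs.
SYN_FLOOD = [("198.51.100.9", 445, "S", b"")] * 200
PACKETS = WEB_TRAFFIC + SYN_FLOOD

# A payload signature of the kind a DPI rule carries (constructed, hypothetical).
DPI_RULES = {"shell-metachar-in-uri": re.compile(rb"GET [^ ]*[;|`]")}


def dpi_inspect(packets):
    """Payload-signature matching: a packet with no payload can never match."""
    hits = []
    for src, _port, _flags, payload in packets:
        if not payload:
            continue
        for name, pattern in DPI_RULES.items():
            if pattern.search(payload):
                hits.append((name, src))
    return hits


def firewall_rate_rule(packets, flag="S", threshold=100):
    """Header-level rule: count bare SYNs per source, ignoring payload."""
    syns = Counter(src for src, _port, flags, payload in packets
                   if flags == flag and not payload)
    return {src: n for src, n in syns.items() if n > threshold}


def integrity_baseline(files):
    """Integrity Monitoring analogue: SHA-256 of every watched file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_check(baseline, files):
    """Return watched paths whose current hash differs from the baseline."""
    return sorted(path for path, digest in baseline.items()
                  if hashlib.sha256(files.get(path, b"")).hexdigest() != digest)


# Constructed local event: a local privilege escalation that appends a
# UID-0 user to /etc/passwd. It generates no network traffic, so the
# packet list associated with it is empty.
FILES_BEFORE = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}
FILES_AFTER = {"/etc/passwd": FILES_BEFORE["/etc/passwd"] + b"evil:x:0:0::/:/bin/sh\n"}
LOCAL_EXPLOIT_PACKETS = []


def what_each_control_sees():
    """Summarise which control observed which constructed event."""
    return {
        "dpi_on_web_traffic": dpi_inspect(WEB_TRAFFIC),
        "dpi_on_syn_flood": dpi_inspect(SYN_FLOOD),
        "firewall_on_syn_flood": firewall_rate_rule(SYN_FLOOD),
        "dpi_on_local_exploit": dpi_inspect(LOCAL_EXPLOIT_PACKETS),
        "integrity_on_local_exploit": integrity_check(
            integrity_baseline(FILES_BEFORE), FILES_AFTER),
    }


if __name__ == "__main__":
    for control, result in what_each_control_sees().items():
        print(f"{control:28s} -> {result}")
```

Running it shows the DPI signature firing once on the web request that carries shell metacharacters, firing zero times on the 200-packet SYN flood (nothing to match against) while the header-level rate rule flags the flooding source, and firing zero times on the local privilege escalation, which only the file-hash baseline catches.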