Digital Vaccine #9393

    • Product/Version: TippingPoint Digital Vaccine
Summary
Digital Vaccine #9393      March 10, 2020
Details
Thank you for subscribing to Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs.

New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com.

SMS customers can update the Digital Vaccine through the SMS client. From the top-line menu, you can open the "File > Download Digital Vaccine from TMC" menu item to detect and load the latest update.
 
System Requirements
The 3.2.0 DV will run on IPS devices with TOS v3.2.0 and above, all NGFW and all TPS systems. The 4.0.0 DV will only run on the Virtual Threat Protection System (vTPS) appliance. Please note that vTPS does not currently support pre-disclosed ZDI filters.
 
Microsoft Security Bulletins
This DV includes coverage for the Microsoft vulnerabilities released on or before March 10, 2020. The following table maps TippingPoint filters to the Microsoft CVEs.
CVE              Filter   Status
CVE-2020-0684    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0690    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0758    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0762    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0763    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0765    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0768    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0769    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0770    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0771    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0772    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0773    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0774    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0775    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0776    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0777    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0778    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0779    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0780    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0781    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0783    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0785    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0786    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0787    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0788    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0789    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0791    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0793    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0795    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0797    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0798    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0799    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0800    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0801    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0802    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0803    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0804    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0806    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0807    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0808    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0809    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0810    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0811    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0812    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0813    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0814    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0815    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0816    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0819    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0820    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0822    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0823    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0824    37271
CVE-2020-0825    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0826    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0827    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0828    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0829    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0830    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0831    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0832    37270
CVE-2020-0833    37269
CVE-2020-0834    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0840    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0841    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0842    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0843    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0844    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0845    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0847    37268
CVE-2020-0848    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0849    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0850    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0851    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0852    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0853    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0854    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0855    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0857    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0858    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0859    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0860    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0861    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0863    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0864    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0865    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0866    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0867    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0868    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0869    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0871    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0872    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0874    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0876    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0877    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0879    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0880    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0881    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0882    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0883    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0884    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0885    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0887    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0891    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0892    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0893    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0894    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0896    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0897    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0898    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0903    -        Vendor Deemed Reproducibility or Exploitation Unlikely
CVE-2020-0905    -        Vendor Deemed Reproducibility or Exploitation Unlikely
Filters marked with * shipped prior to this DV, providing zero-day protection.
 
Adobe Security Bulletins
This DV includes coverage for the Adobe vulnerabilities released on or before March 10, 2020. The following table maps TippingPoint filters to the Adobe CVEs.
Bulletin     CVE              Filter
APSB20-13    CVE-2020-3804    37319
APSB20-13    CVE-2020-3805    37320
Filters marked with * shipped prior to this DV, providing zero-day protection.
 
The Digital Vaccine can be manually downloaded from the following URLs:
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=digital_vaccines&contentId=SIG_3.2.0_9393.pkg
https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=vsa_dv&contentId=SIG_VTPS_4.0.0_9393.pkg

Update Details

Table of Contents
--------------------------

Filters
 New Filters - 42
 Modified Filters (logic changes) - 6
 Modified Filters (metadata changes only) - 63
 Removed Filters - 0

Filters
----------------
 New Filters:
    37038: HTTP: D-Link DAP-2610 Router login Authentication Bypass Vulnerability (ZDI-20-266)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit an authentication bypass vulnerability in D-Link DAP-2610 Router.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-8862
        - Zero Day Initiative: ZDI-20-266
      - Classification: Vulnerability - Access Validation
      - Protocol: HTTP
      - Platform: Multi-Platform Client Application

    37235: HTTP: HPE Intelligent Management Center tvxlanLegend Expression Language Injection (ZDI-20-195)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an expression language injection vulnerability in HPE Intelligent Management Center.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Zero Day Initiative: ZDI-20-195
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    37244: HTTP: Oracle E-Business Suite Human Resources CVE-2020-2587 SQL Injection Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a SQL injection vulnerability in Oracle E-Business Suite.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-2587 CVSS 6.5
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    37262: AMI: Sangoma Asterisk Originate Command Execution Request 
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects an attempt to execute a system command via the Asterisk Manager Interface (AMI) protocol.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2019-18610
      - Classification: Security Policy - Forbidden Application Access or Service Request
      - Protocol: TCP (Generic)
      - Platform: Multi-Platform Server Application or Service

    37268: HTTP: Microsoft Internet Explorer Remote Code Execution Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Internet Explorer.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-0847
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Windows Client Application

    37269: HTTP: Microsoft Scripting Engine Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-0833
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Windows Client Application

    37270: HTTP: Microsoft Windows Script Engine Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-0832
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Windows Client Application

    37271: HTTP: Microsoft Windows ADO Memory Corruption Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a memory corruption vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-0824
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Windows Client Application

    37273: HTTP: Microsoft Windows LNK Code Execution Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a code execution vulnerability in Microsoft Windows.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-0729 CVSS 6.8
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Windows Client Application

    37274: HTTP: ICGAutoExploiter Tool Usage
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Security Policy
      - Severity: Moderate
      - Description: This filter detects usage of the ICGAutoExploiter tool.
      - Deployment: Not enabled by default in any deployment.
      - Classification: Security Policy - Other
      - Protocol: HTTP
      - Platform: Multi-Platform Client Application

    37277: HTTP: ELOG Electronic Logbook drop-count Null Pointer Dereference Vulnerability (ZDI-20-252)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a null pointer dereference vulnerability in ELOG Electronic Logbook.
      - Deployment: Not enabled by default in any deployment.
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-8859
        - Zero Day Initiative: ZDI-20-252
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    37278: HTTP: Gila CMS media-assets.php Directory Traversal Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a directory traversal vulnerability in Gila CMS.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-5512 CVSS 6.8
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    37279: ZDI-CAN-9968: Zero Day Initiative Vulnerability (Microsoft JET Database)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft JET Database.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37281: ZDI-CAN-10153: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37283: ZDI-CAN-10157: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37285: ZDI-CAN-10121: Zero Day Initiative Vulnerability (Advantech WebAccess/HMI Designer)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: High
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess/HMI Designer.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37287: ZDI-CAN-10158: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37288: ZDI-CAN-10159: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37289: ZDI-CAN-10122: Zero Day Initiative Vulnerability (Advantech WebAccess/HMI Designer)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: High
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess/HMI Designer.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37291: ZDI-CAN-10160: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37292: ZDI-CAN-10161: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37293: ZDI-CAN-10162: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37294: ZDI-CAN-10163: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37295: ZDI-CAN-10164: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37296: ZDI-CAN-10165: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37297: ZDI-CAN-10166: Zero Day Initiative Vulnerability (Eaton HMiSoft)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Eaton HMiSoft.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37298: ZDI-CAN-10341: Zero Day Initiative Vulnerability (Oracle WebLogic Server)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Oracle WebLogic Server.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37299: ZDI-CAN-10397: Zero Day Initiative Vulnerability (Microsoft Internet Explorer)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft Internet Explorer.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37303: SMTP: OpenBSD OpenSMTPD mta_io Out-of-Bounds Read Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in OpenBSD OpenSMTPD.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-8794
      - Classification: Vulnerability - Other
      - Protocol: SMTP
      - Platform: UNIX/Linux Client Application

    37304: HTTP: WordPress GDPR Cookie Consent Plugin Stored Cross-Site Scripting Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a cross-site scripting vulnerability in WordPress GDPR Cookie Consent Plugin.
      - Deployment: Not enabled by default in any deployment.
      - Classification: Vulnerability - Access Validation
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service

    37308: ZDI-CAN-9334: Zero Day Initiative Vulnerability (Oracle Business Intelligence)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Oracle Business Intelligence.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37310: ZDI-CAN-9994: Zero Day Initiative Vulnerability (Advantech WebAccess/SCADA)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess/SCADA.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37311: ZDI-CAN-9998: Zero Day Initiative Vulnerability (Advantech WebAccess/SCADA)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess/SCADA.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37312: ZDI-CAN-10027: Zero Day Initiative Vulnerability (Microsoft SharePoint)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Microsoft SharePoint.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37319: HTTP: Adobe Acrobat Reader Out-of-Bounds Read Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: High
      - Description: This filter detects an attempt to exploit an out-of-bounds read vulnerability in Adobe Acrobat Reader.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-3804
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Multi-Platform Client Application

    37320: HTTP: Adobe Acrobat Reader Use-After-Free Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Exploits
      - Severity: Critical
      - Description: This filter detects an attempt to exploit a use-after-free vulnerability in Adobe Acrobat Reader.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-3805
      - Classification: Vulnerability - Other
      - Protocol: HTTP
      - Platform: Multi-Platform Client Application

    37321: ZDI-CAN-10126: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Adobe Acrobat Pro DC.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37322: ZDI-CAN-10132: Zero Day Initiative Vulnerability (Foxit Reader)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Vulnerabilities
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Foxit Reader.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37323: ZDI-CAN-10133: Zero Day Initiative Vulnerability (Advantech WebAccess/HMI Designer)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess/HMI Designer.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37324: ZDI-CAN-10134: Zero Day Initiative Vulnerability (Advantech WebAccess/HMI Designer)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess/HMI Designer.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37325: ZDI-CAN-10135: Zero Day Initiative Vulnerability (Advantech WebAccess/HMI Designer)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: Not available.
      - Requires: N/NX-Platform, NGFW, or TPS devices
      - Category: Exploits
      - Severity: Critical
      - Description: This filter provides protection against exploitation of a zero-day vulnerability affecting Advantech WebAccess/HMI Designer.
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)
      - Classification: Vulnerability - Other
      - Protocol: Other Protocol
      - Platform: Other Server Application or Service

    37355: HTTP: Zoho ManageEngine Desktop Central mdmLogUploader Directory Traversal Vulnerability
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Category: Vulnerabilities
      - Severity: High
      - Description: This filter detects an attempt to exploit a directory traversal vulnerability in Zoho ManageEngine Desktop Central.
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - Classification: Vulnerability - Input Validation (Command injection, XSS, SQL injection, etc)
      - Protocol: HTTP
      - Platform: Multi-Platform Server Application or Service
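
Filter 37355 above, like the Cisco DCNM and Advantech WISE-PaaS traversal filters listed under the modified filters below, detects a directory traversal attempt carried over HTTP. What such a filter has to see through is encoding: a `..` segment can arrive percent-encoded once or twice, with `%2e` for the dots, or with backslashes, and a matcher that only looks for the literal `../` misses all of them. As an added example (not DVLabs filter logic; the request lines and endpoint paths are constructed for it and are not any product's real endpoints), the following Python decodes request targets to a fixed point and flags a traversal in either the path or any query value:

```python
"""Flag directory traversal attempts in HTTP request lines.

Added example, not DVLabs filter logic. A traversal filter has to see past
the encodings used to slip '..' segments past naive matching: percent
encoding (single and double), backslashes, and dots encoded as %2e. The
request lines are constructed for this example and are not any product's
real endpoints. Overlong UTF-8 encodings of '.' and '/' are not handled.
"""
from urllib.parse import unquote, urlsplit, parse_qsl

MAX_DECODE_ROUNDS = 3   # %252e -> %2e -> '.' ; a bound stops decode loops

def fully_decode(value):
    """Percent-decode until stable (bounded), then fold backslashes to '/'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_dotdot(value):
    """True if any path segment of the decoded value is exactly '..'."""
    return any(seg == ".." for seg in fully_decode(value).split("/"))

def inspect_request(line):
    """Parse 'METHOD target HTTP/x' and return [(where, raw value), ...]."""
    _method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    findings = []
    if has_dotdot(parts.path):
        findings.append(("path", parts.path))
    # parse_qsl decodes one level; fully_decode catches what is left
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if has_dotdot(val):
            findings.append((key, val))
    return findings

def scan(lines):
    """Return {request line: findings} for lines that carry a traversal."""
    hits = {}
    for line in lines:
        findings = inspect_request(line)
        if findings:
            hits[line] = findings
    return hits

# Constructed request lines (not real product endpoints).
SAMPLE_REQUESTS = [
    "GET /api/logs/upload?filename=report.txt HTTP/1.1",                     # benign
    "POST /api/logs/upload?filename=../../../etc/passwd HTTP/1.1",           # plain
    "POST /api/logs/upload?filename=..%252f..%252fetc%252fpasswd HTTP/1.1",  # double-encoded
    "GET /api/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",                            # %2e dots in path
    "GET /api/logs/upload?filename=..\\..\\windows\\win.ini HTTP/1.1",       # backslashes
    "GET /api/files/..a/report.txt HTTP/1.1",                                # '..a' is not '..'
]
```

Run `scan(SAMPLE_REQUESTS)`: four of the six lines are flagged, the benign upload and the `..a` segment are not. An inline device sees the raw bytes, so the decoding loop has to be the filter's own; the bound on decode rounds matters because an unbounded loop on attacker-controlled input is itself a cheap denial of service. Note also the deployment line for 37355: it is disabled in the Performance-Optimized profile, so devices running that profile do not get this detection.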

  Modified Filters (logic changes):
    * = Enabled in Default deployments

    29657: RPC: Advantech WebAccess Malicious IOCTL (ZDI-17-938-940,ZDI-18-009-025,18-029-054,18-058-063,18-483)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.
      - Vulnerability references updated.

    29916: HTTP: Apple Safari DFG JIT Type Confusion Vulnerability (Pwn2Own, ZDI-18-155)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Detection logic updated.

    35097: RPC: Advantech WebAccess Node bwscrp Buffer Overflow Vulnerability (ZDI-19-594)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Detection logic updated.

    36027: HTTP: Cisco Data Center Network Manager getRestoreLog Directory Traversal Vulnerability (ZDI-20-006)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36027: ZDI-CAN-9027: Zero Day Initiative Vulnerability (Cisco Data Center Network Manager)".
      - Severity changed from "Critical" to "High".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    36475: HTTP: Cisco Data Center Network Manager getSwitchDbIdBySerialNumber SQL Injection (ZDI-20-110)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36475: ZDI-CAN-9352: Zero Day Initiative Vulnerability (Cisco Data Center Network Manager)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

    36532: HTTP: Advantech WISE-PaaS/RMM UpgradeMgmt upload_ota Directory Traversal Vulnerability (ZDI-19-950)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "36532: ZDI-CAN-9173: Zero Day Initiative Vulnerability (Advantech WISE-PaaS/RMM)".
      - Description updated.
      - Detection logic updated.
      - Vulnerability references updated.

  Modified Filters (metadata changes only):
    * = Enabled in Default deployments

    20023: SMB: Mimikatz BinaryTransfer (ATT&CK T1145,T1003)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "20023: SMB: Mimikatz BinaryTransfer".

    20098: HTTP: Suspicious Obfuscated HTML Script Tags (ATT&CK T1027)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "20098: HTTP: Suspicious Obfuscated HTML Script Tags".

    22166: RDP: Windows Remote Desktop Access Over UDP (ATT&CK T1076)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "22166: RDP: Windows Remote Desktop Access Over UDP ".

    22167: RDP: Windows Remote Desktop Access Over UDP on Non-Standard Ports (ATT&CK T1076,T1065)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "22167: RDP: Windows Remote Desktop Access Over UDP on Non-Standard Ports".

    22574: HTTP: TrendMicro Antivirus Password Manager Vulnerable API Usage (ATT&CK T1211)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "22574: HTTP: TrendMicro Antivirus Password Manager Vulnerable API Usage".

    22579: TLS: AES-CBC Cipher Suite Usage (ATT&CK T1032)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "22579: TLS: AES-CBC Cipher Suite Usage".

    22607: HTTP: Jenkins Script Code Execution Attempt (ATT&CK T1210)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "22607: HTTP: Jenkins Script Code Execution Attempt".

    23809: HTTP: HTTPTunnel Connection Attempt (ATT&CK T1090)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "23809: HTTP: HTTPTunnel Connection Attempt".

    23810: Tunnel: SoftEther VPN Connection Attempt (ATT&CK T1133)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "23810: Tunnel: SoftEther VPN Connection Attempt".

    24042: HTTP: Common JavaScript Obfuscation Techniques (ATT&CK T1027)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "24042: HTTP: Common JavaScript Obfuscation Techniques".

    24492: HTTP: Common JavaScript Obfuscation Techniques (ATT&CK T1027)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "24492: HTTP: Common JavaScript Obfuscation Techniques".

    24594: HTTP: Zip File Suspicious Uncompressed Size (ATT&CK T1002)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "24594: HTTP: Zip File Suspicious Uncompressed Size".

    24596: SMTP: GZip File Containing an Archive File (.tar.gz) (ATT&CK T1002)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "24596: SMTP: GZip File Containing an Archive File (.tar.gz)".

    25846: HTTPS: Telegram Bot API Usage (Used by Telecrypt) (ATT&CK T1102)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "25846: HTTPS: Telegram Bot API Usage (Used by Telecrypt)".

    27226: Tunneling: DNSCAT2 Tunneling Request (ATT&CK T1048)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "27226: Tunneling: DNSCAT2 Tunneling Request".

    27819: TCP: PowerShell with Base64 Encoded Script String Transfer (ATT&CK T1132,T1027,T1086)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "27819: TCP: PowerShell with Base64 Encoded Script String Transfer".

    27940: TCP: MIT Kerberos Suspicious AS-REQ Request (EskimoRoll) (ATT&CK T1212,T1208)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "27940: TCP: MIT Kerberos Suspicious AS-REQ Request (EskimoRoll)".
      - Description updated.

    28013: SMB: Request for Domain Administrators to Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28013: SMB: Request for Domain Administrators to Domain Controller".

    28014: SMB: Response for Domain Administrators from Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28014: SMB: Response for Domain Administrators from Domain Controller".

    28015: SMB: Request for Domain Users to Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28015: SMB: Request for Domain Users to Domain Controller".

    28016: SMB: Response for Domain Users from Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28016: SMB: Response for Domain Users from Domain Controller".

    28017: SMB: Request for Domain Computers to Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28017: SMB: Request for Domain Computers to Domain Controller".

    28018: SMB: Response for Domain Computers from Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28018: SMB: Response for Domain Computers from Domain Controller".

    28019: SMB: Request for Exchange Servers to Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28019: SMB: Request for Exchange Servers to Domain Controller".

    28020: SMB: Request for Domain Exchange Servers to Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28020: SMB: Request for Domain Exchange Servers to Domain Controller".

    28021: SMB: Request for All Domain Controllers from Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28021: SMB: Request for All Domain Controllers from Domain Controller".

    28022: SMB: Response for All Domain Controllers from Domain Controller (ATT&CK T1482)
      - IPS Version: 3.2.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28022: SMB: Response for All Domain Controllers from Domain Controller".

    28609: HTTP: Squid Proxy Usage (ATT&CK T1090)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28609: HTTP: Squid Proxy Usage".

    28638: DNS: TeamViewer Remote Access Tool DNS Request (ATT&CK T1133,T1219)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28638: DNS: TeamViewer Remote Access Tool DNS Request".

    28639: HTTP: TeamViewer Beacon (ATT&CK T1133,T1219)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28639: HTTP: TeamViewer Beacon".

    28640: TLS: TeamViewer Remote Access Tool Certificate Exchange (ATT&CK T1133,T1219)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28640: TLS: TeamViewer Remote Access Tool Certificate Exchange".

    28641: Tunneling: TeamViewer Remote Access (UDP) (ATT&CK T1048,T1133,T1219)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28641: Tunneling: TeamViewer Remote Access (UDP)".

    28642: Tunneling: TeamViewer Remote Access (ICMP) (ATT&CK T1048,T1133,T1219)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28642: Tunneling: TeamViewer Remote Access (ICMP)".

    28728: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment (ATT&CK T1193)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28728: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment".

    28775: HTTP: HTTP_PROXY Traffic Redirection (ATT&CK T1090,T1071)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28775: HTTP: HTTP_PROXY Traffic Redirection".

    28811: SMB: Inbound Write Andx Request (ATT&CK T1039)
      - IPS Version: 3.8.3 and after.
      - NGFW Version: Not available.
      - TPS Version: Not available.
      - vTPS Version: Not available.
      - Name changed from "28811: SMB: Inbound Write Andx Request".

    28983: SMB: PsExec Tool Usage (ATT&CK T1035)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "28983: SMB: PsExec Tool Usage".

    29079: FTP: FTP Service on Non-Standard Ports (ATT&CK T1065)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29079: FTP: FTP Service on Non-Standard Ports".

    29476: HTTP: HTTP on Non-Standard Ports (ATT&CK T1065)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29476: HTTP: HTTP on Non-Standard Ports".

    29686: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment (ATT&CK T1193)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29686: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment".

    29717: SMB: NTLMv1 Authentication Request (ATT&CK T1187)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29717: SMB: NTLMv1 Authentication Request".

    29718: SMB: NTLMv2 Authentication Request (ATT&CK T1187)
      - IPS Version: 3.1.3 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29718: SMB: NTLMv2 Authentication Request".

    29774: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment (ATT&CK T1193)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29774: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment".

    29775: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment (ATT&CK T1193)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29775: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment".

    29777: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment (ATT&CK T1193)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "29777: SMTP: Social Engineer Toolkit Spear Phishing Email Attachment".

    30103: DNS: Sensepost Data Exfiltration Toolkit DNS Query (ATT&CK T1020)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "30103: DNS: Sensepost Data Exfiltration Toolkit DNS Query".

    31570: TCP: PDF Reader Possible NTLM Credentials Leakage (ATT&CK T1212)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "31570: TCP: PDF Reader Possible NTLM Credentials Leakage".

    32069: HTTP: Code Obfuscation (Script Encoder Plus) (ATT&CK T1027)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32069: HTTP: Code Obfuscation (Script Encoder Plus)".

    32070: HTTP: MinerGate Google-Analytics Request Detected (ATT&CK T1102)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32070: HTTP: MinerGate Google-Analytics Request Detected".

    32071: HTTP: JavaScript Obfuscation (jjencode) (ATT&CK T1027)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32071: HTTP: JavaScript Obfuscation (jjencode) ".

    32147: HTTP: JavaScript Code Obfuscation (aaencode) (ATT&CK T1027)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32147: HTTP: JavaScript Code Obfuscation (aaencode)".

    32726: HTTP: Tor Traffic Through Format Transforming Encryption (FTE) Bridge (ATT&CK T1079)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32726: HTTP: Tor Traffic Through Format Transforming Encryption (FTE) Bridge".

    32904: HTTP: Jenkins Java Deserialization Usage (ATT&CK T1210)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "32904: HTTP: Jenkins Java Deserialization Usage".

    33147: HTTP: Microsoft PowerShell XML/XSL COM Instantiation and Transformation Usage (ATT&CK T1086)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "33147: HTTP: Microsoft PowerShell XML/XSL COM Instantiation and Transformation Usage".

    33540: HTTP: HPE Intelligent Management Center ictExpertCSVDownload EL Injection Vulnerability (ZDI-19-264)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Miscellaneous modification.

    33559: HTTP: HPE Intelligent Management Center iccSelectCommand Expression Language Injection (ZDI-19-162)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Miscellaneous modification.

    33560: HTTP: HPE Intelligent Management Center deviceSelect Expression Language Injection (ZDI-19-238)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Miscellaneous modification.

    33876: IRC: Connect and Register Request Over a Non-Standard Port (ATT&CK T1065)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "33876: IRC: Connect and Register Request Over a Non-Standard Port".

    35086: HTTP: Suspicious Proxy Access (ATT&CK T1090)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35086: HTTP: Suspicious Proxy Access".

    35096: HTTP: JavaScript Obfuscation (ATT&CK T1027)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35096: HTTP: JavaScript Obfuscation".

    35120: HTTP: JavaScript Obfuscation (jfogs) (ATT&CK T1027)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35120: HTTP: JavaScript Obfuscation (jfogs) ".

    35296: RDP: Microsoft Remote Desktop Services Negotiation Request Without CredSSP (ATT&CK T1076)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Name changed from "35296: RDP: Microsoft Remote Desktop Services Negotiation Request Without CredSSP".

    36025: HTTP: Cisco Data Center Network Manager saveLicenseFileToServer Directory Traversal (ZDI-20-004)
      - IPS Version: 3.6.2 and after.
      - NGFW Version: 1.0.0 and after.
      - TPS Version: 4.0.0 and after.
      - vTPS Version: 4.0.1 and after.
      - Description updated.
      - Vulnerability references updated.

  Removed Filters: None
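
Every entry in the lists above follows one layout: a `NNNNN: name` heading, `- Key: value` lines, nested `- Deployment: profile (action)` lines, an optional references block, and on modified filters a set of change notes. The questions a practitioner asks of a bulletin like this (which new filters act in my profile, which ZDI pre-disclosure filters only act in Security-Optimized, which ATT&CK technique ids the renamed filters now carry) are easier to answer from parsed records than by reading the list. As an added example (not Trend Micro or DVLabs code), the following Python parses that layout; its sample text is constructed here from four of this bulletin's own entries so it runs offline:

```python
"""Parse Digital Vaccine release-note entries into queryable records.

Added example, not Trend Micro / DVLabs code. It reads the plain-text layout
of these notes ('NNNNN: name', '- Key: value' lines, nested '- Deployment:'
lines, CVE references, change notes) and pulls out deployment state per
profile, CVE/ZDI references, ATT&CK ids and change notes on modified filters.
"""
import re
from dataclasses import dataclass, field

# Sample constructed here in the bulletin's layout from four of its entries.
SAMPLE = """\
    37319: HTTP: Adobe Acrobat Reader Out-of-Bounds Read Vulnerability
      - IPS Version: 3.6.2 and after.
      - Severity: High
      - Deployments:
        - Deployment: Default (Block / Notify)
        - Deployment: Performance-Optimized (Disabled)
      - References:
        - Common Vulnerabilities and Exposures: CVE-2020-3804

    37304: HTTP: WordPress GDPR Cookie Consent Plugin Stored Cross-Site Scripting Vulnerability
      - Severity: Critical
      - Deployment: Not enabled by default in any deployment.

    37308: ZDI-CAN-9334: Zero Day Initiative Vulnerability (Oracle Business Intelligence)
      - Deployments:
        - Deployment: Security-Optimized (Block / Notify / Trace)

    27819: TCP: PowerShell with Base64 Encoded Script String Transfer (ATT&CK T1132,T1027,T1086)
      - Name changed from "27819: TCP: PowerShell with Base64 Encoded Script String Transfer".
      - Detection logic updated.
"""

ENTRY_RE = re.compile(r"^\s*(\d{4,6}): (.+)$")              # '    37319: HTTP: ...'
CHANGE_RE = re.compile(r"^\s+- ((?:Name|Severity) changed from .*"
                       r"|[A-Za-z ]+ (?:updated|modification)\.)$")
KV_RE = re.compile(r"^\s+- ([^:]+): (.+)$")                 # '      - Key: value'
DEPLOY_RE = re.compile(r"^(.*?) \((.*)\)$")                 # 'Default (Block / Notify)'
ATTACK_RE = re.compile(r"\(ATT&CK ([T0-9.,]+)\)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ZDI_RE = re.compile(r"ZDI-CAN-\d+|ZDI-\d{2}-\d+")

@dataclass
class Filter:
    id: int
    name: str
    fields: dict = field(default_factory=dict)       # flat '- Key: value' pairs
    deployments: dict = field(default_factory=dict)  # profile -> action
    attack: list = field(default_factory=list)       # ATT&CK ids named in the title
    cves: list = field(default_factory=list)
    zdi: list = field(default_factory=list)
    changes: list = field(default_factory=list)      # notes on modified filters

def parse_entries(text):
    """Turn release-note text into Filter records, in document order."""
    filters, cur = [], None
    for line in map(str.rstrip, text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:                                        # new filter heading
            cur = Filter(int(m.group(1)), m.group(2).strip())
            am = ATTACK_RE.search(cur.name)
            cur.attack = am.group(1).split(",") if am else []
            cur.zdi = ZDI_RE.findall(cur.name)
            filters.append(cur)
        if m or cur is None:
            continue
        m = CHANGE_RE.match(line)
        if m:                                        # 'Detection logic updated.' etc.
            cur.changes.append(m.group(1))
            continue
        m = KV_RE.match(line)
        if not m:                                    # blanks, '- Deployments:', '- References:'
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Deployment":
            dm = DEPLOY_RE.match(val)                # absent for 'Not enabled by default ...'
            cur.deployments[dm.group(1) if dm else "*"] = dm.group(2) if dm else val
        elif key == "Common Vulnerabilities and Exposures":
            cur.cves.extend(CVE_RE.findall(val))
        else:
            cur.fields[key] = val
    return filters

def enabled_by_default(flt):
    """True when the Default profile takes an action other than Disabled."""
    action = flt.deployments.get("Default", "")
    return bool(action) and action.lower() != "disabled"

def attack_coverage(filters):
    """Invert the list: ATT&CK technique id -> sorted ids of filters naming it."""
    cov = {}
    for flt in filters:
        for tech in flt.attack:
            cov.setdefault(tech, []).append(flt.id)
    return {tech: sorted(ids) for tech, ids in cov.items()}
```

Two things the parsed records make visible that are easy to skim past in the list: the ZDI-CAN pre-disclosure filters (37308 and the others above) act only in the Security-Optimized profile, so a device on the Default profile gets no block from them; and 37304 is not enabled in any profile and has to be switched on by hand. The ATT&CK ids in the renamed filters are those current in March 2020; ATT&CK's July 2020 sub-technique release retired several of them (for example T1086 PowerShell became T1059.001), so a coverage map built from these names should be checked against ATT&CK's deprecated and revoked lists before use.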
  
Category: Configure; Troubleshoot; Deploy
Solution Id: TP000247126