Forefront TMG Network Inspection System Gets Its First 0-Day Signature Release

When we started developing the Network Inspection System (NIS) technology, we faced many challenges typical for an engineering project; can we meet our performance requirements for an inline system? Will our design be robust and flexible enough to address the ever-changing threats landscape? But more than anything, we couldn’t wait to see NIS in action, waiting for that 0-day to surface and see the immediate value the technology brings to Forefront TMG and our customers.

Well, this week it happened. A remote code execution vulnerability that exists in the way that Microsoft Server Message Block 2 (SMB2) Protocol parses SMB negotiation requests surfaced and immediately became a candidate for a NIS signature. As described by the Microsoft Security Response Center (MSRC) advisory  the severity of the vulnerability is critical and the potential damage from an exploit of the vulnerability is significant, which emphasized the need for a technology such as NIS for our customers.

In a matter of hours we completed root-cause analysis, signature development, testing and publishing of a new signature snapshot. During this process, which is driven by the Microsoft Malware Protection Center (MMPC), the team was able to demonstrate the agility of the core NIS technology and exercise the technologies and tools built over time to release a signature for the Vuln:Win/SMB2.Srv2.DoS!2009-3103 vulnerability in just a few hours.

 

Avi Ben-Menahem

Group Manager, Network Inspection System

Comments

• Anonymous
  January 01, 2003
  For those TMG deployments that are depending on their WSUS for updates, you'll need to point TMG to Microsoft Updates directly to make sure your NIS updates are happening.

1. open TMG management
2. navigate to Update Center
3. r-click Update Center, select Properties
4. in the Update Center Properties page, select the Microsoft Updates tab
5. in the Microsoft Updates tab, select "use the Microsot Updates service"
6. in the Update Center Properties page, select the Update Service tab
7. in the Update Service tab, select Use Microsoft Update Service directly
8. click OK to close the Update Center Properties page.
9. in the TMG management console center page, click Apply. When prompted, enter a description of the changes and click Apply
10. r-click Update Center, select Check for and Install New Updates When the update process is finished, the Network Inpection System and Malware Inspection items should have a green shield with a checkbox in it. Pleae use the Forefrone Edge forums to discuss any problems with TMG. Jim Harrison

• Anonymous
  February 21, 2012
  Hi, What if ater doing this, the updates still fail? If I select only to "Check for defiitions" I can see that there are updates to be installed, but when I click con Install New Definitions, I get the same error message. Thanks!