 AGENT RELEASE, VERSION 31.55
-------------------------------------------

  Version 31.55 is a maintenance release containing all
  features of release 29.55 along with 3 additional bug fixes.

  It is based on version 30.55, an internal release used to
  validate fixes to the 29.55 release.

================================================================================
                              Table of Contents
================================================================================
NEW FEATURES
RESOLVED ISSUES
PREVIOUS RESOLVED ISSUES
PRODUCT COMPATIBILITY NOTICE
MODIFIED SIGNATURES - REMINDER
SUPPORTED PLATFORMS 
NEW SIGNATURES
ADDITIONAL CODE CHANGES
KNOWN ISSUES IN VERSIONS 29.55 and 31.55
NOTES AND REMARKS
LEVELS AND DESCRIPTIONS OF NEW SIGNATURES
SIGNATURES LISTED ALPHABETICALLY 
 - WINDOWS SIGNATURES
 - SOLARIS SIGNATURES
 - HP SIGNATURES

================================================================================

NEW FEATURES (no change from 29.55 release)

 -  Agent supports two additional platforms: Windows XP and Windows 2003
 -  Support has been discontinued for the 5.6 version of the Solaris OS
 -  Support has been discontinued for the Solaris login monitoring engine

================================================================================

RESOLVED ISSUES (new in 31.55 release)

 - Windows -- the Agent can leak non-paged pool memory at a significant
   rate when file system unmounts are performed and the Agent "re-hook"
   operation fails, such as can occur when using Veritas backup.
   Eventually this leak can lead to memory starvation and a system hang.

 - Windows -- when updating an existing Agent to a new Agent version (29.55
   or earlier), the new Agent may fail to restart after the update is complete.
   If this happens, the message "Failed to initialize Scrutinizer" is written
   to both the CSlog file and the Windows NT event log, and a System Event with
   the text "Failure stage: initialization - Agent Terminated" is generated. A
   reboot of the system corrects the problem without any further action.  If a
   system reboot would be inconvenient, it might be possible to work around the
   problem by performing the following steps [WORKAROUND TO AVOID REBOOT]:
              Step 1) Locate all sessions under terminal services and/or
                      remote desktop
              Step 2) Log these sessions out (including one's own admin session
                      if applicable)
              Step 3) Reconnect to the host if needed
              Step 4) Manually start the Entercept agent using Services Manager
   If the above workaround does not result in the agent starting, then a reboot
   will be necessary.  As stated before, after the reboot the agent should start
   without further action.

 - Solaris with the Apache Web server -- if a large (>3 KB) POST request is
   cancelled, the Web server process servicing the request can enter a loop state,
   causing Web server performance degradation. This new Agent version (31.55)
   assures that the server process does not loop.

================================================================================

PREVIOUS RESOLVED ISSUES (no change from 29.55 release)

 - On Solaris -- The lockup that required the system to be rebooted manually.

 - On Windows systems using Exchange 2000 SP4 -- The OWA authentication that
   caused a system failure after approximately 30 minutes of operation.

 - On Windows systems --  The memory leak when executing programs 
   such as MS Health Monitor from MS App Center 2000.

 - On Windows systems -- The BSOD that occurred using Exchange 2000 and/or Trend 
   Micro AV.

================================================================================

PRODUCT COMPATIBILITY NOTICE (no change from 29.55 release)

 - Some products and applications that employ a technique generally known
   as "user-mode API hooking" are not compatible with this release or earlier
   releases of the agent. The technique is used by only a very small subset of 
   products, and McAfee Entercept is incompatible with a subset of these 
   products. In case of an incompatibility, the McAfee Entercept agent and the 
   product cannot coexist on the same machine. There is ongoing work to resolve 
   these compatibility issues in future releases of the product. 

   Currently, there is a known incompatibility between the McAfee Entercept agent
   and the Liquid Machines product.

================================================================================

MODIFIED SIGNATURES - REMINDER (no change from 29.55 release)

 - Signatures that are no longer relevant, because support for Windows NT now
   starts at Service Pack 6a, were removed, along with other unsupported
   signatures. See section NOTES AND REMARKS for a listing of these signatures.

 - Signatures not relevant for Windows XP and Windows 2003 are not deployed on
   these platforms.

 - Signatures for Windows NT/2000 were modified to work on Windows XP and
   Windows 2003.
 
================================================================================

SUPPORTED PLATFORMS (no change from 29.55 release)

This agent supports the following operating systems:
 - Windows NT 4.0 Workstation (Service Pack 6a)
 - Windows NT 4.0 Server and Enterprise Server (Service Pack 6a)
 - Windows 2000 Professional (up to SP4)
 - Windows 2000 Server and Advanced Server (up to SP4)
 - Windows XP (up to SP1)
 - Windows 2003 Server 
 - Solaris 7 SPARC architecture 4u (32- and 64-bit kernel)
 - Solaris 8 SPARC architecture 4u (32- and 64-bit kernel)
 - Solaris 9 SPARC architecture 4u (32- and 64-bit kernel)
 - HP 11 (64-bit kernel)
 - HP 11i (64-bit kernel)

This agent protects the following Web Servers:

 - IIS 4.0, 5.0 and 6.0 (Windows)
 - Apache 1.3.6 and up (SPARC Solaris)
 - Apache 2.0.42 and up (SPARC Solaris)
 - Netscape Enterprise Server 3.6 (SPARC Solaris)
 - iPlanet Web Server 4.0 and 4.1 (SPARC Solaris)
 - SunOne 6 (SPARC Solaris)

This Agent protects the following Database Servers:

 - Microsoft SQL Server 2000 (Windows)

================================================================================

NEW SIGNATURES (no change from 29.55 release)


This agent contains new signatures. They are detailed in 
section "LEVELS AND DESCRIPTIONS OF NEW SIGNATURES".

 - 1151 Message Queue Service Buffer Overflow 
 - 1280 IIS6 Shielding - File Access
 - 1281 IIS6 Shielding - File Execution
 - 1282 IIS6 Shielding - File Modification
 - 1283 IIS6 Shielding - File Modification in System Folder
 - 1284 IIS6 Shielding - Log File Access
 - 1285 IIS6 Shielding - Log Files Modification
 - 1286 IIS6 Shielding - Conf. File Activ.
 - 1287 IIS6 Shielding - Conf. File Activ. (ADMCOMConnect)
 - 1288 IIS6 Shielding - Registry Modification
 - 1289 IIS6 Shielding - Service Modification
 - 1260 IIS6 Envelope - File Access by IIS Process
 - 1261 IIS6 Envelope - File Access by IIS Web User
 - 1262 IIS6 Envelope - File Execution by IIS Process
 - 1263 IIS6 Envelope - File Execution by IIS Web User
 - 1264 IIS6 Envelope - File Modification by IIS Process
 - 1265 IIS6 Envelope - File Modification by IIS Web User
 - 1266 IIS6 Envelope - Registry Mod. by IIS Process
 - 1267 IIS6 Envelope - Registry Mod. by IIS Web User
 - 1268 IIS6 Envelope - Service Mod. by IIS Process
 - 1269 IIS6 Envelope - Service Mod. by IIS Web User
 - 2300 Internet Explorer Hardening Disabled
 - 2400 IIS6 Web Admin Cross-Site Scripting Attack


================================================================================

ADDITIONAL CODE CHANGES (no change from 29.55 release)

 - The engine that monitors logon activity on Solaris was removed from the 
   agents.

================================================================================

KNOWN ISSUES IN VERSIONS 29.55 AND 31.55

 - Liquid Machines and Entercept agent Version 29.55/31.55 are incompatible
   products.  
   For more information, please refer to the "PRODUCT COMPATIBILITY NOTICE" in 
   this document.

 - On Windows 2003, when first installed, the engine for IIS 6 may, on
   occasion, fail to initialize completely. The result is that HTTP requests
   are not filtered by the agent. If this occurs, manually shut down the agent
   and change the following registry value:

     \\HKEY_LOCAL_MACHINE\SOFTWARE\Entercept\EnterceptAgent\
          Engines\ISAPI\Control\DesiredState

   to the value '0x2', then restart the agent.


================================================================================

NOTES AND REMARKS (no change from 29.55 release)

The following general notes and troubleshooting remarks are relevant for this 
Agent:

 - 03/2004
   Customers that have built a "silent install" package on top of the agent 
   installer might see agent self-protection signatures triggered during 
   the silent installation. The reason is that the McAfee Entercept agent starts 
   monitoring before the silent install has completely finished. For example, if 
   the silent install manipulates McAfee Entercept agent registry keys, the agent 
   self-protection signature "Entercept Agent Shielding - Registry Access" might 
   be triggered. The workaround is to create an exception for this signature that 
   exempts the silent install application for all Agents.

 - 03/2004
   Signatures that are no longer supported were removed. They are:
     1325 Failed Logon Attempt (Solaris)
     1348 Successful Logon (Solaris)

 - 10/2003
   Entercept agent is not compatible with F-Secure Policy Manager Console
   (by F-Secure Corp.) 

 - 10/2003
   Installing new software, hot fixes and service packs is likely to trigger
   the signatures that monitor files and registry keys. Triggering depends on
   the security policy used by the agent (tighter security policies monitor more
   parameters and are therefore more likely to trigger signatures).

 - 10/2003
   Backup applications like Veritas and Legato Networker open files without
   modifying them. This causes these applications to trigger signatures that
   monitor files. Typical signatures that are triggered are Entercept self-
   protection signatures and the IIS and MSSQL Shielding signatures. To avoid
   triggering events by these applications, the user is advised to create
   exceptions for these applications and signatures.  

 - 10/2003
   The following events can be triggered when the agent changes from one 
   version to another:
     IIS Envelope - File Modification by IIS Process
     MSSQL Core Envelope - File Modification by MSSQL Process
     MSSQL Aux. Envelope - File Modification by MSSQL Process
   These events can be safely ignored; the Agent version change finishes as
   expected even with the agent in Protection mode.

 - 10/2003
   Signatures that are no longer supported were removed. They are:
     460 Local Group Creation  
     506 MSSQL Core Shielding - User Account Modification  
     516 MSSQL Aux. Shielding - User Account Modification  
     526 MSSQL Core Envelope - User Mod. by MSSQL  
     536 MSSQL Aux. Envelope - User Account Mod. by MSSQL  
     706 User Account Disabled or Enabled  
     707 Guest Group Membership Modification  
     708 Everyone Group Permissions Modification  
     709 User Account Lockout Enabled or Disabled  
     712 Password Change Disabled  
     713 Password Expiration Disabled  
     714 First Login Password Change Disabled  
     716 Minimum Password Length Policy Modification  
     717 Account Lockout Policy Modification  
     718 Minimum Password Age Policy Modification  
     719 Password Uniqueness Policy Modification  
     751 Guest Account Added to Administrator Group
     991 User Added to Administrator Group  
     996 User Account Created  
     997 User Account Renamed  
     998 User Account Deleted  
     1003 Entercept Agent Shielding - User Account Access
     1034 Entercept Mgmt Server Shielding - User Account Mod.  
     1203 IIS Shielding - User Account Modification  
     1209 IIS Envelope - User Account Mod. by IIS Process  
     1228 IIS Envelope - User Account Mod. by IIS Web User  
     1247 IIS Shielding - FTP User Account Modification  
   The removal means that the agent no longer contains these signatures; 
   therefore, these signatures cannot be enabled. These signatures do show 
   up in the console for backward compatibility with older agent versions.

 - 10/2003
   Signatures that are no longer relevant, because support for Windows NT 4.0
   now starts at Service Pack 6a, were removed. They are:
     418 GetAdmin Privilege Escalation
     420 Sechole Privilege Escalation
     444 HackDLL Privilege Escalation
     446 Besysadmin Privilege Escalation
     447 Insert Menu DoS Exploit
     498 Damage Menu DoS Exploit
     833 RFPoison Denial Of Service
     842 IIS MDAC/RDS Exploit
     849 RASMAN Pathname Modification
     884 Screen Saver BeAdmin Exploit
     971 LPC Privilege Escalation
   The removal means that the agent no longer contains these signatures; 
   therefore, these signatures cannot be enabled. These signatures do show 
   up in the console for backward compatibility with older agent versions.

 - 07/2003
   An attempt to manually run the agent updater ("eAgentUpdater.exe") in
   protection mode fails. You are advised to put the agent that runs on
   the management server in Warning mode and then run the agent updater. 
 
 - 07/2003
   The file attributes that are monitored by the McAfee Entercept agent are those 
   that are found on the "General" tab of the Properties window of a file. These
   attributes are "Read-only", "Hidden", and those under the "Advanced" button.
   This means that the settings for file auditing, file permissions, file (web)
   sharing, the file owner(s) which are found on the tabs "Sharing", "Web Sharing"
   and "Security" are not monitored. These observations are equally valid for
   folders.

   McAfee Entercept security events can be triggered by just opening the 
   properties window of a file (right-click the file or folder and choose 
   Properties). This behavior might be unexpected and can be explained by the way 
   Windows Explorer handles files. When Windows Explorer shows the file properties, 
   it actually opens the file for a "write" operation. In the scenario where one 
   opens the properties window of a file that is being monitored by a McAfee 
   Entercept rule, an event is triggered. The same behavior can be observed if you 
   switch between the tabs in the Properties window, or if you change any of 
   the settings for file auditing, file permissions, file (web) sharing, or the 
   file owner(s).
  
   The aforementioned behavior can lead to the assumption that McAfee Entercept 
   protects settings for file auditing, file permissions, file (web) sharing, or 
   the file owner(s), because an event might show up when changing these settings. 
   However, such events are triggered because Windows Explorer opens the file for 
   "write" to make changing these settings possible.

 - 03/2003
   The non-Vault signatures that used to be at level info and low are now at
   level disabled. In order to re-enable these signatures it is advised to:
     A) Change the signature level to info from disabled using the 
        "Configuration - Signatures" screen in the console
     B) Closely monitor the console for security events that are triggered for 
        these signatures after their re-enabling 
     C) Define exceptions as needed on the console in case these events are
        triggered because of legitimate activity
     D) Once you feel that the proper McAfee Exceptions are set and no events 
        are generated from legitimate activities, change the signature level 
        to low, medium, or high from info. The choice for low, medium 
        or high depends on the desired agent reaction in Protection mode and 
        your console policy settings. For the out-of-the-box default console 
        policy, the signature levels medium and high are tied to the agent 
        reaction Prevent. The level low is tied to the agent reaction Log.
       
 - 3/2003
   Upon reboot, the following signatures are known to trigger events:
   by process WinMngt.exe:
      "Entercept Agent Shielding - File Access or Mod."
      "MSSQL Aux. Shielding - File Modification"
      "IIS Shielding - File Execution"
      "IIS Shielding - Service Modification"
      "IIS Shielding - Registry Modification"
   by process Winlogon.exe
      "IIS Shielding - File Modification"
   These events can be safely ignored when they occur during a reboot.

 - 3/2003
   If Internet Explorer is used to browse to protected folders, a
   self-protection or shielding event can be triggered. For example, browsing to
   the folder with the McAfee Entercept management server files results in the
   event "Entercept Mgmt Server Shielding - File Mod."

 - 3/2003
   Restarting MS SQL Server on a machine that runs Norton Anti-Virus is known
   to trigger the following events:
      "MSSQL Core Shielding - File Modification"
      "MSSQL Core Envelope - File Modification by MSSQL"
      "MSSQL Aux. Shielding - File Modification"
      "MSSQL Aux. Envelope - File Modification by MSSQL"
   where the file is a DLL file in the Windows system directory.  


 - 4/2002
   Copying the public key from a network mapped drive during an agent 
   installation is possible only if you install from a CD or a local drive.

 - 4/2002
   The agent protects multiple (up to 5) iPlanet Web Servers on the same 
   machine.

 - 9/2001
   For all Web Servers, the agent scans the Web Server configuration only once 
   when the agent starts. Therefore, any configuration change in the Web Server 
   is identified by the agent only after the agent restarts the next time.

 - 9/2001
   In Apache, Netscape, and iPlanet, when the agent starts, the agent detects 
   that the Web Server exists only if the Web Server is up and running (at 
   least the administration Web Server, if there is one). However, once the Web 
   Server is detected and scanned successfully (the ApacheInfo or IplanetInfo 
   files are generated), the agent uses the existing files if the Web Server is 
   not running when the agent starts. 
   NOTE: A warning message appears in the console in the Agent>Properties>
   Application tab for the agent using an old information file.

   This has two effects:
   - The Web Server must be up and running the first time the agent starts,
     otherwise the Web Server is not detected.
     NOTE: You can fix this by starting the Web Server and restarting the agent. 
   - If the Web Server is uninstalled, the agent still uses the old scanned 
     information. 
     NOTE: You can fix this by removing the ApacheInfo or IplanetInfo files 
     from the agent directory.

 - 9/2001
   The Apache Web Server is an open source product. You can download the 
   product and install it or you can download the sources and compile them 
   with various flags. McAfee Entercept has no way to differentiate between these 
   two installation techniques, but we support only the first method because 
   we have no control over the second method. Besides being able to change the 
   compilation flags, you can also change the code and then compile the Web 
   Server. If the Apache Web Server is compiled without the DSO option, the 
   agent cannot detect the Web Server. The DSO option allows loading modules 
   into the Apache Web Server. 

 - 9/2001
   If the Solaris OS is not patched to a high enough level, the Apache 
   module causes the Apache Web Server to crash. Investigation shows that 
   this is a defect in Solaris/Apache and not the agent. In higher patch 
   levels there is no problem. Consequently, the agent checks the current 
   patch level of Solaris and if the level is not high enough, the Apache 
   module does not load and Apache is not supported (the agent is still 
   installed and functions). An appropriate message appears in the 
   Agent>Properties>Application tab on the console. The specific patch 
   levels are as follows: 
   - 105181-05 or greater for Solaris 2.6
   - 106541-08 or greater for Solaris 2.7
   - no limitations for Solaris 2.8 
   NOTE: You cannot bypass this patch level enforcement by setting an 
   environment variable ENCPT_HTTP_NO_PATCH_CHECK to any value.
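
   A pre-deployment check for the patch levels listed above, as an added
   example (not McAfee Entercept code). It assumes the `showrev -p` line
   layout "Patch: NNNNNN-RR Obsoletes: ..." and that `uname -r` reports 5.x
   for Solaris 2.x; the sample output and function names are constructed.

```python
import re

# Minimum revisions quoted in the note above; None means "no limitations".
REQUIRED = {"2.6": ("105181", 5), "2.7": ("106541", 8), "2.8": None}

# Constructed sample of `showrev -p` output (not taken from a real host).
# 106541-08 appears only in a Requires: field, so it must NOT count as installed.
SAMPLE_SHOWREV = """\
Patch: 106541-04 Obsoletes: 106832-03 Requires:  Incompatibles:  Packages: SUNWkvm, SUNWcsu
Patch: 107544-03 Obsoletes:  Requires: 106541-08 Incompatibles:  Packages: SUNWcsu
"""

PATCH_FIELD = re.compile(r"\s*Patch:\s*(\d{6})-(\d{2})\b")


def installed_revisions(showrev_output):
    """Return {patch_base: highest installed revision}.

    Only the ID in the leading 'Patch:' field is an installed patch; IDs in
    Obsoletes/Requires/Incompatibles are references and are ignored.
    """
    revs = {}
    for line in showrev_output.splitlines():
        m = PATCH_FIELD.match(line)
        if m:
            base, rev = m.group(1), int(m.group(2))
            revs[base] = max(rev, revs.get(base, 0))
    return revs


def apache_module_supported(release, showrev_output):
    """Return (ok, reason) for a Solaris release given as '2.7' or '5.7'."""
    key = "2." + release[2:] if release.startswith("5.") else release
    if key not in REQUIRED:
        raise ValueError(f"no patch requirement documented for Solaris {release}")
    need = REQUIRED[key]
    if need is None:
        return True, "no patch requirement"
    base, min_rev = need
    have = installed_revisions(showrev_output).get(base)
    if have is None:
        # A patch superseded under a different ID would also land here.
        return False, f"patch {base} not installed"
    if have < min_rev:
        return False, f"{base}-{have:02d} is below required {base}-{min_rev:02d}"
    return True, f"{base}-{have:02d} satisfies {base}-{min_rev:02d}"


if __name__ == "__main__":
    print(apache_module_supported("5.7", SAMPLE_SHOWREV))
```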
 
 - 9/2001
   Various dependencies exist between the Shielding signatures. For example, 
   read access is considered a special case of write access. If a 
   process is accessing a file both for read and write, the related write 
   (modification) signature is triggered. Also, if a file is mapped as a CGI, 
   for example, but resides in the Web Server installation directory, it 
   is considered a CGI file and not a server file.

 - 9/2001
   The read/write differentiation is determined by the mode in which the 
   files are being opened. If a process opens a file for both read and write, 
   but actually is not going to write to the file, the access is still 
   considered a write access.

 - 9/2001
   Unlike IIS shielding, iPlanet shielding does not monitor stopping and 
   starting the administration server or the various Web Servers. This is 
   also true for the server processes. Informational signatures do not 
   prevent stopping/starting of the servers.

 - 9/2001
   Web Server resources that are not under the Web Server primary 
   installation directory are not protected. Specifically, shared system 
   libraries that are used by the Web Servers (as well as other applications) 
   are not protected.

 - 7/2001
   False positives are known for Windows 2000 Servers using Active Directory 
   in a Child Domain. For this setup, the security events "Print Provider 
   Modification" and "Microsoft Registry Keys Modification" are generated 
   regularly. You need to define exceptions for these events.

 - 7/2001
   Signatures that monitor deletion of registry keys or values are triggered 
   if regedit.exe is used to create that particular registry key or value. The 
   resulting security event is a false positive.

 - 7/2001
   Before applying any patches, the agent service must be stopped.

 - 7/2001
   On a Windows NT Server with SP4, a Dr. Watson message appears if you
   attempt to define or alter a Web Share, using the Windows Explorer while the 
   agent is in Protection mode. Use the Microsoft Management Console (MMC) and 
   not Windows Explorer in this case.

================================================================================

LEVELS AND DESCRIPTIONS OF NEW SIGNATURES (no change from 29.55 release)

 - 1151 Message Queue Service Buffer Overflow (red)
   This event indicates that a buffer overflow attack was attempted against the 
   Message Queue Service.

   A buffer overflow is an attack technique that exploits a software design bug 
   in an application to make it execute arbitrary code. As this code execution 
   will occur in the security context of the application (which often is at a 
   highly privileged or administrative level), intruders now have the means to 
   execute commands usually not accessible to them as regular users. If not 
   prevented, an attacker could use this vulnerability to execute custom hacking 
   code on the machine and compromise its security and data integrity.

 - 1260 IIS6 Envelope - File Access by IIS Process (disabled)
   This event indicates that one of the IIS processes tried to read a file 
   outside its own directory or the web root directories. The IIS processes should 
   be allowed to read files only in a set of predefined folders. Any access to 
   files outside these folders may be an indication of an intrusion event.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against 
   external access. The shield protects resources (files, registry keys, user 
   accounts, processes, etc.) that are part of the protected application. A 
   Shielding event indicates that a process or user not related to the protected 
   application is attempting to access one of the resources of the protected 
   application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1261 IIS6 Envelope - File Access by IIS Web User (disabled)
   This event indicates that an attempt to read a file outside the IIS web root 
   directory by the IIS web site Anonymous user was detected. Anonymous access 
   is used to enable users to connect to the web site without using a password. 
   Access of the IIS web site Anonymous user should be restricted to the web root 
   directory. Any access to files outside the web root may be an indication of an 
   intrusion event.
 
   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against 
   external access. The shield protects resources (files, registry keys, user 
   accounts, processes, etc.) that are part of the protected application. A 
   Shielding event indicates that a process or user not related to the protected 
   application is attempting to access one of the resources of the protected 
   application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1262 IIS6 Envelope - File Execution by IIS Process (orange)
   This event indicates that one of the IIS processes has tried to execute files 
   outside its own directory or the root directories for which IIS has execute 
   permissions. The IIS processes should be allowed to execute files only in a 
   set of predefined folders. Any file execution outside these folders may be an 
   indication of an intrusion event.

   This event is triggered when web applications need to execute files that exist 
   outside the virtual directory. In these situations, this event would be a 
   false positive. However, this could be an indication of a real intrusion, 
   especially if the file being executed is cmd.exe (typically used to provide 
   a remote shell to attackers). We recommend creating exceptions for files that 
   are legitimate parts of the web application, and that trigger this event. If 
   the web application needs to use cmd.exe in order to execute system commands, 
   we recommend that a new directory with cmd.exe be created. Once cmd.exe is 
   located in the new directory, create an exception allowing the web application 
   to execute cmd.exe in that specific directory. Attempts to execute the original 
   cmd.exe will still be blocked.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

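   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.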

 - 1263 IIS6 Envelope - File Execution by IIS Web User (orange)
   This event indicates that an attempt to execute a file outside the IIS web root 
   directory by the IIS web site Anonymous user was detected. Anonymous access is 
   used to enable users to connect to the web site without using a password. The 
   access of the IIS web site Anonymous user should be restricted to the web root 
   directory. Any file execution outside the web root may be an indication of an 
   intrusion event.

   This event is triggered when the user account associated with the web server 
   service executes resources that do not belong to the web server. If that user 
   account is used for an interactive system logon, then operations done by that 
   user will trigger this event if they involve resources outside the web server's 
   virtual directories. We do not recommend using that user account for interactive 
   logons. If there is a necessity to do so, you need to create appropriate 
   exceptions.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.
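
   The Shielding/Enveloping decision described in these entries, the cmd.exe
   exception recommended under signature 1262, and the open-mode rule from the
   9/2001 notes, modelled as an added example (not McAfee Entercept code or its
   actual algorithm). Process names, paths and all function names are
   constructed assumptions; event names are shortened from the page's wording.

```python
import ntpath
from dataclasses import dataclass, field

# Signature wording follows the page; the "by IIS Process" suffix is omitted.
KIND_LABEL = {"read": "File Access", "execute": "File Execution",
              "modify": "File Modification"}


def canon(path):
    """Collapse '..', mixed separators and case before any prefix comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def access_kind(open_modes):
    """Classify by open mode only: a read+write open is a modification even if
    nothing is ever written (the rule the 9/2001 notes describe)."""
    modes = set(open_modes)
    if "execute" in modes:
        return "execute"
    return "modify" if "write" in modes else "read"


@dataclass
class AppPolicy:
    name: str               # prefix used in event names, e.g. "IIS6"
    processes: frozenset    # image names treated as part of the application
    roots: tuple            # directories making up the shield/envelope
    exceptions: set = field(default_factory=set)

    def inside(self, path):
        p = canon(path)
        return any(p == r or p.startswith(r + "\\")
                   for r in map(canon, self.roots))

    def add_exception(self, process, kind, path):
        """Exception scoped to one process, one access kind and one exact path."""
        self.exceptions.add((process.lower(), kind, canon(path)))

    def evaluate(self, process, path, open_modes):
        kind = access_kind(open_modes)
        proc = process.lower()
        if (proc, kind, canon(path)) in self.exceptions:
            return "allowed (exception)"
        member, inside = proc in self.processes, self.inside(path)
        if member and not inside:       # application reaching outside its envelope
            return f"{self.name} Envelope - {KIND_LABEL[kind]}"
        if not member and inside:       # outsider touching application resources
            return f"{self.name} Shielding - {KIND_LABEL[kind]}"
        return "allowed"


def demo_policy():
    """Constructed IIS 6 layout; a real envelope is defined by the product."""
    return AppPolicy("IIS6", frozenset({"w3wp.exe", "inetinfo.exe"}),
                     (r"C:\Inetpub\wwwroot", r"C:\WINDOWS\system32\inetsrv"))


if __name__ == "__main__":
    p = demo_policy()
    p.add_exception("w3wp.exe", "execute", r"C:\WebTools\cmd.exe")
    for proc, path, modes in [
        ("w3wp.exe", r"C:\Inetpub\wwwroot\index.html", ["read"]),
        ("w3wp.exe", r"C:\Inetpub\wwwroot\..\..\boot.ini", ["read"]),
        ("w3wp.exe", r"C:\Data\app.cfg", ["read", "write"]),
        ("explorer.exe", r"C:\Inetpub\wwwroot\index.html", ["read", "write"]),
        ("w3wp.exe", r"C:\WINDOWS\system32\cmd.exe", ["execute"]),
        ("w3wp.exe", r"C:\WebTools\cmd.exe", ["execute"]),
    ]:
        print(f"{proc:13} {path:40} -> {p.evaluate(proc, path, modes)}")
```

   The explorer.exe row reproduces the Properties-window behaviour from the
   07/2003 note: the open mode alone produces a modification event.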

 - 1264 IIS6 Envelope - File Modification by IIS Process (orange)
   This event indicates that one of the IIS processes has tried to modify a file 
   outside its own directory or the web root directories. Any modification of files 
   outside these folders may be an indication of an intrusion event.

   This event is triggered when the web server opens files outside the web server 
   virtual directory for write access. Typically, web applications only use files 
   located in the virtual directory. However, some web applications use files 
   located on the system drive in order to read configuration or other data. If the 
   file accessed in the event belongs to the web application, we recommend you 
   create an exception that allows access to either the file accessed or the 
   directory containing this file, as appropriate.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1265 IIS6 Envelope - File Modification by IIS Web User (orange)
   This event indicates that an attempt to modify a file outside the IIS web root 
   directory by the IIS web site Anonymous user was detected. Anonymous access is 
   used to enable users to connect to the web site without using a password. The 
   access of the IIS web site Anonymous user should be restricted to the web root 
   directory. Any modification of files outside the web root may be an indication 
   of an intrusion event.

   This event is triggered when the user account associated with the web server 
   service modifies resources that do not belong to the web server. If that user 
   account is used for an interactive system logon, then operations done by that 
   user will trigger this event if they involve resources outside of the web 
   server's virtual directories. We do not recommend using that user account for 
   interactive logons. If there is a necessity to do so, you need to create 
   appropriate exceptions.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1266 IIS6 Envelope - Registry Mod. by IIS Process (orange)
   This event indicates that an attempt to edit a registry key or value by one of 
   the IIS processes was detected.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1267 IIS6 Envelope - Registry Mod. by IIS Web User (orange)
   This event indicates that an attempt to edit a registry key or value by the IIS 
   web site Anonymous user was detected.

   This event is triggered when the user account associated with the web server 
   service modifies resources that do not belong to the web server. If that user 
   account is used for an interactive system logon, then operations done by that 
   user will trigger this event if they involve resources outside of the web 
   server's virtual directories. We do not recommend using that user account for 
   interactive logons. If there is a necessity to do so, you need to create 
   appropriate exceptions.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1268 IIS6 Envelope - Service Mod. by IIS Process (orange)
   This event indicates that an attempt to start, stop or change the settings of 
   a service by one of the IIS processes was detected.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1269 IIS6 Envelope - Service Mod. by IIS Web User (orange)
   This event indicates that an attempt to start, stop, or change the settings of 
   a service by the IIS web site Anonymous user was detected.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1280 IIS6 Shielding - File Access (disabled)
   This event indicates that an attempt to read a file in the IIS web root 
   directory by a process other than an IIS process was detected. Only the IIS 
   processes are authorized to read files in the Web root. An attempt to read them 
   with a different process may be an indication of an intrusion event. For further 
   information, see the userid and process involved in the action.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1281 IIS6 Shielding - File Execution (yellow)
   This event indicates that an attempt to execute a file in the IIS web root 
   directory by a process other than an IIS process was detected. Only the IIS 
   processes are authorized to execute files in the Web root. An attempt to 
   execute them by a different process may be an indication of an intrusion event. 
   For further information, see the userid and process involved in the action.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1282 IIS6 Shielding - File Modification (yellow)
   This event indicates that an attempt to modify a file in the IIS web root 
   directory was detected. An attempt to modify files may be an indication of an 
   intrusion event. For further information, see the userid and process involved in 
   the action.

   Shielding and Enveloping are the framework used by McAfee Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1283 IIS6 Shielding - File Modification in System Folder (yellow)
   This event indicates that an attempt to modify or execute a file in the IIS 
   system directory by a process other than an IIS process was detected.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1284 IIS6 Shielding - Log File Access (yellow)
   This event indicates that an attempt to read a web site log file by a process 
   other than an IIS process was detected.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1285 IIS6 Shielding - Log Files Modification (yellow)
   This event indicates that an attempt to modify a web site log file by a process 
   other than an IIS process was detected.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1286 IIS6 Shielding - Conf. File Activ. (yellow)
   This event indicates that an attempt to read, modify or execute one of the IIS 
   configuration files was detected. These files should be accessed only by the 
   web site Administrators, and a specific exception should be created for them.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1287 IIS6 Shielding - Conf. File Activ. (ADMCOMConnect) (yellow)
   This event indicates that an attempt to connect to IIS using MMC locally or 
   remotely was detected.

   A known false positive occurs for application inetinfo.exe after opening the 
   properties window of a folder or a file.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1288 IIS6 Shielding - Registry Modification (yellow)
   This event indicates that an attempt to edit an IIS registry key or value 
   was detected. Some of the IIS settings are stored in the registry, and any 
   attempt to change them may be an indication of an intrusion event.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.

 - 1289 IIS6 Shielding - Service Modification (yellow)
   This event indicates that an attempt to start, stop, or change the settings of 
   one of the services required for the normal operation of IIS was detected.

   Shielding and Enveloping are the framework used by Entercept to protect 
   applications (such as Web Servers, databases and the McAfee Entercept management 
   server and agent).

   Shielding an application provides protection of the application against external 
   access. The shield protects resources (files, registry keys, user accounts, 
   processes, etc.) that are part of the protected application. A Shielding event 
   indicates that a process or user not related to the protected application is 
   attempting to access one of the resources of the protected application.

   Enveloping protects against malicious use of the enveloped application. The 
   envelope contains all resources the application requires (files, registry keys, 
   user accounts, processes, etc.). McAfee Entercept allows the application to 
   access the resources inside the envelope. Any attempt to access resources 
   outside the envelope can signify malicious behavior and is blocked. An Envelope 
   event indicates that a process or user related to the enveloped application is 
   attempting to access a resource that is not inside the application's envelope.


 - 2300 Internet Explorer Hardening Disabled (orange)
   This event indicates that Internet Explorer has been configured to not enforce 
   the hardened default security settings. This might lead users to inadvertently 
   submit sensitive information, allow mobile code execution, or do other activities 
   not recommended when working with non-secure sites. Rather than disabling the 
   hardening of the browser, it is recommended to configure Internet Explorer so 
   that only known and trusted sites are added to the trusted sites list.

 - 2400 IIS6 Web Admin Cross-Site Scripting Attack (red)
   This event indicates that a Cross-Site Scripting attack was attempted against 
   Microsoft's Internet Information Server (IIS) through a request made to the Web 
   Admin interface. This attack makes use of a vulnerability in the 
   Web_LogSettings.asp script, which lacks proper HTTP input validation.
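
The Shielding and Envelope decisions described for the IIS6 file signatures above, shown as an added example that is not part of these release notes and is not Entercept's own code. It is a simplified model of the file rules only; the directory paths, the w3wp.exe process name and the path-only exception list are assumptions.

```python
import ntpath  # Windows path rules, usable on any host OS

# Constructed sample policy. The directories and the w3wp.exe process name are
# assumptions; inetinfo.exe is the process named in the release notes.
IIS_PROCESSES = {"inetinfo.exe", "w3wp.exe"}
WEB_ROOT = r"C:\Inetpub\wwwroot"
IIS_DIR = r"C:\WINDOWS\system32\inetsrv"

# Signature ids as listed in the release notes, keyed by (event kind, operation).
SIGNATURES = {
    ("envelope", "read"): 1260,
    ("envelope", "execute"): 1262,
    ("envelope", "write"): 1264,
    ("shield", "read"): 1280,
    ("shield", "execute"): 1281,
    ("shield", "write"): 1282,
}


def _norm(path):
    # Collapse "..", mixed separators and case before any containment check;
    # a raw string-prefix test on the unnormalized path would be bypassable.
    return ntpath.normcase(ntpath.normpath(path))


def inside(path, root):
    """True if path is root itself or lies beneath it (whole components only)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def classify(process, path, operation, exceptions=()):
    """Return (kind, signature_id) for a violation, or ("allow", None).

    exceptions is a list of file or directory paths an administrator has
    allowed, as the notes recommend for files that belong to the web app.
    """
    if operation not in ("read", "execute", "write"):
        raise ValueError("unknown operation: %r" % operation)
    if any(inside(path, allowed) for allowed in exceptions):
        return ("allow", None)
    is_iis = ntpath.basename(process).lower() in IIS_PROCESSES
    if is_iis:
        # Envelope: the application may only touch its own resources.
        if inside(path, WEB_ROOT) or inside(path, IIS_DIR):
            return ("allow", None)
        return ("envelope", SIGNATURES[("envelope", operation)])
    # Shield: unrelated processes may not touch the application's resources.
    if inside(path, WEB_ROOT):
        return ("shield", SIGNATURES[("shield", operation)])
    return ("allow", None)


def run_samples():
    """Classify a few constructed events; returns the list of results."""
    events = [
        ("w3wp.exe", r"C:\Inetpub\wwwroot\app\data.xml", "write", ()),
        ("inetinfo.exe", r"C:\Inetpub\wwwroot\..\..\WINDOWS\win.ini", "write", ()),
        ("w3wp.exe", r"C:\Inetpub\wwwroot2\x.asp", "write", ()),
        ("w3wp.exe", r"C:\AppConfig\site.ini", "read", ()),
        ("w3wp.exe", r"C:\AppConfig\site.ini", "read", (r"C:\AppConfig",)),
        ("notepad.exe", "c:/inetpub/WWWROOT/default.asp", "write", ()),
    ]
    return [classify(*event) for event in events]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```
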

================================================================================


SIGNATURES LISTED ALPHABETICALLY (no change from 29.55 release)

WINDOWS

717 Account Lockout Policy Modification (disabled)
944 Administrative Shares Enabled (disabled)
890 AEDebug RegKey Permissions Modification (disabled)
1013 Agent Mode Remotely Changed to Protection (disabled)
1012 Agent Mode Remotely Changed to Warning (disabled)
1011 Agent Remote Control Disabled (disabled)
1010 Agent Remote Control Enabled (disabled)
379 Alerter Service Activation (disabled)
380 Alerter Service Startup Mode Modification (disabled)
355 AllowSpecialCharsInShell RegKey Modification (disabled)
801 Anonymous User Name Lookup (disabled)
346 AppId RegKey Permissions Modification (disabled)
844 Authentication Library Modification (yellow)
404 Authentication Packages Modification (disabled)
953 Authentication Protocol Settings Modified (disabled)
338 Automatic Logon at Startup Enabled (disabled)
961 Autorun File Created (red)
804 BackOffice Installation Log File Access (disabled)
825 BackOrifice 2000 Trojan (red)
446 Besysadmin Privilege Escalation (disabled)
917 Caching of Logon Information Enabled (disabled)
803 CD-ROM AutoRun Enabled (disabled)
891 Change of Debugger Executable (red)
850 Change of Service Executable (yellow)
435 Classes Root RegKey Permissions Modification (disabled)
847 Common User Startup Folder RegKey Modification (disabled)
107 CrashControl Registry Key Modification (disabled)
108 CrashControl Registry Value Modification (disabled)
353 CurrentVersion RegKey Permissions Modification (disabled)
1134 Custom Debugger Attached to a Process (orange)
498 Damage Menu DoS Exploit (disabled)
896 Dialer Initialization File Modification (disabled)
916 Display of Last Logon Name Enabled (disabled)
412 Double File Extension Execution (red)
958 Dr. Watson user.dmp Permissions Vulnerability (orange)
354 Drive AutoPlay Settings Modified (disabled)
972 Elevation of Privileges With Debug Registers (red)
1020 Entercept Agent Shielding - File Access (disabled)
1001 Entercept Agent Shielding - File Modification (red)
1002 Entercept Agent Shielding - Registry Access (red)
1000 Entercept Agent Shielding - Service Access (red)
1003 Entercept Agent Shielding - User Account Access (disabled)
1030 Entercept Mgmt Server Shielding - File Access (disabled)
1032 Entercept Mgmt Server Shielding - File Execution (red)
1031 Entercept Mgmt Server Shielding - File Mod. (red)
1036 Entercept Mgmt Server Shielding - Priv. Key Access (red)
1033 Entercept Mgmt Server Shielding - Registry Mod. (red)
1035 Entercept Mgmt Server Shielding - Service Mod. (red)
1034 Entercept Mgmt Server Shielding - User Account Mod. (disabled)
912 Event Log File or Related File Attribute Modified (orange)
911 Event Log File or Related File Deleted (orange)
987 Event Log File or Related File Modification (orange)
914 Event Log File Path Modified (orange)
915 Event Log Guest Access Enabled (red)
913 Event Log Registry Permissions Modified (orange)
111 Event Log Registry Setting Modified (yellow)
112 Event Log Service Setting Modification (orange)
113 Event Log Service State Change (orange)
708 Everyone Group Permissions Modification (disabled)
1141 Exchange Server Buffer Overflow (red)
954 Failed Logon Attempt (Windows) (disabled)
812 File System Tunneling RegKey Modification (disabled)
714 First Login Password Change Disabled (disabled)
899 Fpnwclnt.dll Password Filter Modified (yellow)
428 Generic Buffer Overflow (red)
418 GetAdmin Privilege Escalation (disabled)
994 Group Policy Object Access (disabled)
751 Guest Account Added to Administrator Group (disabled)
707 Guest Group Membership Modification (disabled)
444 HackDLL Privilege Escalation (disabled)
892 HKLM Classes Registry Modification (disabled)
1127 IIS %u (UTF) Encoding (orange)
1217 IIS .HTR File Extension Request (red)
941 IIS .htw Cross-Site Scripting (red)
1220 IIS .IDC File Extension Request (red)
1216 IIS .printer File Extension Request (red)
942 IIS .shtml Cross-Site Scripting (red)
876 IIS +.htr File Fragment Reading (red)
431 IIS 4.0 FTP Buffer Overflow (red)
863 IIS ASP Alternate Data Streams (red)
873 IIS ASP Sample Site advsearch.asp DoS (red)
875 IIS ASP Sample Site query.asp DoS (red)
874 IIS ASP Sample Site search.asp DoS (red)
1129 IIS Authentication Method Disclosure (orange)
1105 IIS bdir.htr Directory Listing (red)
869 IIS catalog_type ASP Sample Page (red)
1132 IIS Chunked Encoding Heap Overflow (red)
853 IIS Code.asp File Access (red)
854 IIS CodeBrws.asp File Access (red)
1121 IIS CodeRed / Index Server idq.dll Buffer Overflow (red)
1133 IIS COM Extension Request (orange)
1114 IIS cpshost.dll File Upload (red)
940 IIS Cross-Site Scripting (red)
1107 IIS ctguestb.idc Remote Command Execution (red)
1106 IIS details.idc Remote Command Execution (red)
923 IIS Directory Traversal (red)
924 IIS Directory Traversal and Code Execution (red)
1120 IIS Double Hex Encoding Directory Traversal (red)
1225 IIS Envelope - File Access by IIS Process (disabled)
1205 IIS Envelope - File Access by IIS Web User (disabled)
1207 IIS Envelope - File Execution by IIS Process (orange)
1224 IIS Envelope - File Execution by IIS Web User (orange)
1226 IIS Envelope - File Modification by IIS Process (orange)
1223 IIS Envelope - File Modification by IIS Web User (orange)
1210 IIS Envelope - Registry Mod. by IIS Process (orange)
1229 IIS Envelope - Registry Mod. by IIS Web User (orange)
1208 IIS Envelope - Service Mod. by IIS Process (orange)
1227 IIS Envelope - Service Mod. by IIS Web User (orange)
1209 IIS Envelope - User Account Mod. by IIS Process (disabled)
1228 IIS Envelope - User Account Mod. by IIS Web User (disabled)
937 IIS Executable File Parsing (red)
1117 IIS FrontPage .pwd File Permissions (red)
1116 IIS FrontPage Admin Access (orange)
1123 IIS FrontPage dvwssr.dll Buffer Overflow (red)
1110 IIS FrontPage Extensions shtml.exe Device DoS (red)
1122 IIS FrontPage fp30reg.dll Buffer Overflow (red)
877 IIS FrontPage htimage.exe DoS (red)
866 IIS FrontPage imagemap.exe DoS (red)
943 IIS FrontPage shtml.dll Cross-Site Scripting (red)
604 IIS Hack Buffer Overflow (red)
922 IIS Idq.dll Directory Traversal (red)
936 IIS IISHack 1.5 (IIS ASP $19.95 hack) (red)
857 IIS Illegal DSN File Creation (red)
1222 IIS Illegal Request Method (disabled)
1126 IIS Index Server File and Path Disclosure (red)
1219 IIS Index Server File Ext. Request (orange)
1104 IIS Index Server Sample Site queryhit.htm (red)
855 IIS Index Server Webhits Source Disclosure (red)
1109 IIS Indexed Directory Disclosure (red)
1125 IIS In-process Privilege Escalation (orange)
1119 IIS IPP .printer Buffer Overflow (red)
1102 IIS ism.dll Remote Administration Access (red)
862 IIS Jet Database Command Execution (orange)
935 IIS JsBrwPop.asp Source Disclosure (red)
856 IIS Malformed Extension Data DoS (disabled)
842 IIS MDAC/RDS Exploit (disabled)
872 IIS MiniVend view_page.html Sample Page (red)
1128 IIS Newline/Carriage Return Characters (orange)
1101 IIS Password Change (red)
939 IIS Perl Command Execution (red)
938 IIS Phone Book Service Buffer Overflow (red)
1124 IIS Remote Command Execution (red)
1130 IIS Samples Script Request (orange)
356 IIS Shielding - CGI Script Security Context Mod. (disabled)
1230 IIS Shielding - Conf. File Activ. (yellow)
1221 IIS Shielding - Conf. File Activ. (ADMCOMConnect) (yellow)
367 IIS Shielding - EnablePortAttack RegKey Mod. (disabled)
1200 IIS Shielding - File Access (disabled)
1256 IIS Shielding - File Execution (yellow)
1201 IIS Shielding - File Modification (yellow)
1206 IIS Shielding - File Modification in System Folder (yellow)
1240 IIS Shielding - FTP File Access (disabled)
1254 IIS Shielding - FTP File Creation (yellow)
1253 IIS Shielding - FTP File Execution (yellow)
1241 IIS Shielding - FTP File Modification (yellow)
1251 IIS Shielding - FTP Log File Access (yellow)
1250 IIS Shielding - FTP Log File Modification (yellow)
1247 IIS Shielding - FTP User Account Modification (disabled)
1212 IIS Shielding - Log File Access (yellow)
1211 IIS Shielding - Log Files Modification (yellow)
459 IIS Shielding - NewDSN Data Source Creation (disabled)
1204 IIS Shielding - Registry Modification (yellow)
357 IIS Shielding - Remote ODBC RegKey Creation (disabled)
1202 IIS Shielding - Service Modification (yellow)
1203 IIS Shielding - User Account Modification (disabled)
858 IIS Showcode.asp Illegal File Access (red)
860 IIS ShowFile.asp Illegal File Access (red)
1103 IIS Site Server AdSamples site.csc Information Leak (red)
1100 IIS Site Server ViewCode.asp File Access (red)
1218 IIS SSI File Extension Request (orange)
880 IIS Sun Java HotSpot DoS (red)
1108 IIS Translate: f Source Disclosure (red)
1131 IIS Unicode in Filename (disabled)
1136 IIS WebDAV Buffer Overflow (red)
1113 IIS WebDAV Propfind Request DoS (red)
1112 IIS WebDAV Search Request DoS (red)
1260 IIS6 Envelope - File Access by IIS Process (disabled)
1261 IIS6 Envelope - File Access by IIS Web User (disabled)
1262 IIS6 Envelope - File Execution by IIS Process (orange)
1263 IIS6 Envelope - File Execution by IIS Web User (orange)
1264 IIS6 Envelope - File Modification by IIS Process (orange)
1265 IIS6 Envelope - File Modification by IIS Web User (orange)
1266 IIS6 Envelope - Registry Mod. by IIS Process (orange)
1267 IIS6 Envelope - Registry Mod. by IIS Web User (orange)
1268 IIS6 Envelope - Service Mod. by IIS Process (orange)
1269 IIS6 Envelope - Service Mod. by IIS Web User (orange)
1286 IIS6 Shielding - Conf. File Activ. (yellow)
1287 IIS6 Shielding - Conf. File Activ. (ADMCOMConnect) (yellow)
1280 IIS6 Shielding - File Access (disabled)
1281 IIS6 Shielding - File Execution (yellow)
1282 IIS6 Shielding - File Modification (yellow)
1283 IIS6 Shielding - File Modification in System Folder (yellow)
1284 IIS6 Shielding - Log File Access (yellow)
1285 IIS6 Shielding - Log Files Modification (yellow)
1288 IIS6 Shielding - Registry Modification (yellow)
1289 IIS6 Shielding - Service Modification (yellow)
2400 IIS6 Web Admin Cross-Site Scripting Attack (red)
985 Illegal Execution (disabled)
957 Indirect Registry Modification (disabled)
447 Insert Menu DoS Exploit (disabled)
2300 Internet Explorer Hardening Disabled (orange)
974 IP Address Changed (disabled)
343 List of Logon Processes Modified (disabled)
342 List of Trusted System Processes Modified (yellow)
460 Local Group Creation (disabled)
371 Local IP Routing Enabled (disabled)
340 Local Machine RegKey Permissions Modification (disabled)
1354 Locator Service Buffer Overflow (red)
971 LPC Privilege Escalation (disabled)
103 LSA Registry Key Modification (disabled)
104 LSA Registry Value Modification (disabled)
336 LSA RegKey Permissions Modification (disabled)
969 Machine Shutdown (disabled)
105 Memory Management Registry Key Modification (disabled)
106 Memory Management Registry Value Modification (disabled)
1151 Message Queue Service Buffer Overflow (red)
1140 Messenger Service Buffer Overflow (red)
920 Microsoft Installer Registry Key Modified (orange)
906 Microsoft Registry Keys Modification (disabled)
718 Minimum Password Age Policy Modification (disabled)
716 Minimum Password Length Policy Modification (disabled)
952 MS-CHAPv2 Authentication Protocol Settings Changed (disabled)
959 Msgina Registry Key Modified (red)
960 Msgina.dll File Modified (orange)
530 MSSQL Aux. Envelope - File Access by MSSQL (disabled)
532 MSSQL Aux. Envelope - File Execution by MSSQL (orange)
531 MSSQL Aux. Envelope - File Modification by MSSQL (orange)
533 MSSQL Aux. Envelope - Registry Mod. by MSSQL (orange)
534 MSSQL Aux. Envelope - Service Mod. by MSSQL (orange)
536 MSSQL Aux. Envelope - User Account Mod. by MSSQL (disabled)
510 MSSQL Aux. Shielding - File Access (disabled)
512 MSSQL Aux. Shielding - File Execution (yellow)
511 MSSQL Aux. Shielding - File Modification (yellow)
513 MSSQL Aux. Shielding - Registry Modification (yellow)
514 MSSQL Aux. Shielding - Service Modification (disabled)
515 MSSQL Aux. Shielding - Service Reg. Modification (yellow)
519 MSSQL Aux. Shielding - Service Started (disabled)
516 MSSQL Aux. Shielding - User Account Modification (disabled)
542 MSSQL Blank Password Logon (red)
520 MSSQL Core Envelope - File Access by MSSQL (disabled)
522 MSSQL Core Envelope - File Execution by MSSQL (orange)
521 MSSQL Core Envelope - File Modification by MSSQL (orange)
523 MSSQL Core Envelope - Registry Mod. by MSSQL (orange)
524 MSSQL Core Envelope - Service Mod. by MSSQL (orange)
526 MSSQL Core Envelope - User Mod. by MSSQL (disabled)
500 MSSQL Core Shielding - File Access (disabled)
502 MSSQL Core Shielding - File Execution (yellow)
501 MSSQL Core Shielding - File Modification (yellow)
507 MSSQL Core Shielding - Log File Access (yellow)
508 MSSQL Core Shielding - Log File Modification (yellow)
503 MSSQL Core Shielding - Registry Modification (yellow)
504 MSSQL Core Shielding - Service Modification (yellow)
505 MSSQL Core Shielding - Service Reg. Modification (yellow)
599 MSSQL Core Shielding - Use of Administrative Tools (yellow)
506 MSSQL Core Shielding - User Account Modification (disabled)
550 MSSQL Distributed Query (red)
598 MSSQL DTS Packages Privilege Escalation (red)
592 MSSQL formatmessage Execution (disabled)
557 MSSQL Job Scheduling (red)
591 MSSQL raiserror Execution (disabled)
590 MSSQL Server Configuration Manipulation (red)
541 MSSQL Server Installation File Vulnerability (red)
596 MSSQL sp_addsrvrolemember Privilege Escalation (red)
559 MSSQL sp_attachsubscription Privilege Escalation (red)
558 MSSQL sp_MScopyscriptfile Privilege Escalation (red)
597 MSSQL sp_msdropretry Privilege Escalation (red)
601 MSSQL sp_MSget_publisher_rpc Privilege Escalation (red)
595 MSSQL sp_set_sqlagent_properties Privilege Escalation (red)
555 MSSQL SQL Injection With Audit Evasion (red)
554 MSSQL SQL Injection With Batch Commands (disabled)
553 MSSQL SQL Injection With BULK INSERT (red)
551 MSSQL SQL Injection With Comments (red)
552 MSSQL SQL Injection With DELAY (red)
556 MSSQL SQL Shutdown (red)
540 MSSQL Stored Procedure Buffer Overflow (red)
594 MSSQL Web Task Abuse (red)
602 MSSQL xp_fileexist Privilege Escalation (red)
593 MSSQL xp_sprintf Execution (disabled)
830 Netbus TCP/IP Port Activity (disabled)
829 NetBus Trojan Activation (red)
828 NetBus Trojan Installation (orange)
882 Netcat Activation (red)
384 NETMON Network Agent Activation (disabled)
385 NETMON Network Agent Startup Mode Modification (disabled)
933 Network DoS Protection Settings Modified (red)
990 New Startup Folder Program Creation (yellow)
344 New Startup Program Creation (yellow)
984 Nimda Worm Installation or Activation (red)
1138 Nimda Worm Installation or Activation (riched20.dll) (disabled)
349 Non-interactive CD-ROM Access Enabled (disabled)
347 Non-interactive Floppy Access Enabled (disabled)
348 Notification Packages Modification (yellow)
843 NT4All Privilege Escalation (red)
1137 Ntdll.dll Buffer Overflow (red)
949 Null Session Access Enabled (disabled)
950 Null Session Access to Named Pipes Modified (disabled)
951 Null Session Access to Shares Modified (disabled)
352 Null User Sessions Enabled (disabled)
980 ODBC.ini File Modification (disabled)
440 OLE RegKey Permissions Modification (disabled)
436 OS/2 Subsystem Pointer Modified (disabled)
438 Pagefile Clearing Disabled (disabled)
712 Password Change Disabled (disabled)
713 Password Expiration Disabled (disabled)
719 Password Uniqueness Policy Modification (disabled)
333 Perf Monitor Data Access Permissions Modified (disabled)
895 Phone Dialer Buffer Overflow (red)
437 POSIX Subsystem Pointer Modified (disabled)
837 Print Provider Modification (disabled)
832 Print Spooler Buffer Overflow (red)
445 ProfileImagePath RegKey Modification (disabled)
416 ProfileList RegKey Permissions Modification (disabled)
907 PWDump Tool Activation (red)
893 RAS PhoneBook Buffer Overflow (red)
894 RAS PhoneBook File Modification (disabled)
849 RASMAN Pathname Modification (disabled)
909 Rdisk Temp File Access (disabled)
345 Registry Access Limitations Lifted (disabled)
332 Registry Access Permissions Modified (disabled)
439 Registry Program Key Permissions Modification (disabled)
976 Remote Access Service Deleted (disabled)
975 Remote Access Service Registry Key Modified (disabled)
977 Remote Access Service Started (disabled)
374 Remote Command Service Activation (disabled)
375 Remote Command Service Startup Mode Modification (disabled)
433 Remote Shell Service Activated (red)
399 Remote Shell Service Installation (disabled)
835 Repair Directory Access (disabled)
946 Required SMB Message Signing Disabled on Client (disabled)
945 Required SMB Message Signing Disabled on Server (disabled)
833 RFPoison Denial Of Service (disabled)
989 RunAs Service Deactivated (red)
988 RunAs Service Startup Mode Modification (red)
836 SAM Config File Access (disabled)
834 SAM Permissions Modification (red)
905 Scheduler Service Activation (disabled)
405 Scheduler Service RegKey Permissions Modification (disabled)
904 Scheduler Service Startup Mode Modification (disabled)
884 Screen Saver BeAdmin Exploit (disabled)
885 Screen Saver logon.scr (red)
420 Sechole Privilege Escalation (disabled)
456 Secrets RegKey Permissions Modification (disabled)
114 Security Event Log Shutdown Setting Modified (disabled)
846 Server Operator Privilege Escalation (red)
999 Service Created (disabled)
392 Service Started (disabled)
393 Service Stopped (disabled)
350 Shutdown without Logon Enabled (disabled)
948 SMB Message Signing Disabled on Client (disabled)
947 SMB Message Signing Disabled on Server (disabled)
992 SMSS Process Handle Privilege Elevation (red)
962 SNMP Authentication Traps Disabled (disabled)
963 SNMP Authentication Traps Enabled (disabled)
968 SNMP Registry Key Permissions Modification (disabled)
372 SNMP Service Activation (disabled)
373 SNMP Service Startup Mode Modification (disabled)
966 SNMP World-Writable Communities (disabled)
965 SNMP World-Writable Extension Agents (disabled)
967 SNMP World-Writable Permitted Managers (disabled)
964 SNMP World-Writable Trap Configuration (disabled)
123 Source Path Setting Modified (disabled)
838 Spoolhack.dll File Creation (disabled)
900 Startup Password Stored in Registry (disabled)
901 Startup Userid Stored in Registry (disabled)
918 Strong Password Enforcement Disabled (yellow)
919 Strong Password Enforcer Modified (orange)
1135 Successful Logon (Windows) (disabled)
415 Suspicious File Extension Execution (disabled)
1139 svchost Buffer Overflow (RPC DCOM) (red)
993 System Drive Executable Modification (orange)
132 System Executable Creation or Deletion (yellow)
131 System Executable Writing (yellow)
814 System File Modification (disabled)
978 System File Modification in Root Drive (orange)
986 Task Manager Process Termination Vulnerability (disabled)
795 TCP/IP Port 19 Activity (Chargen) (disabled)
749 TCP/IP Port 21 Activity (FTP) (disabled)
799 TCP/IP Port 25 Activity (SMTP) (disabled)
736 TCP/IP Port 80 Activity (HTTP) (disabled)
973 TCP/IP Registry Keys Modified (disabled)
831 TCP/IP Suspicious Port Activity (disabled)
845 Trojaned Default Executables (red)
982 Trojaned System File Execution (red)
797 Unattended Installation File Illegal Access (disabled)
910 Uninstall Registry Key Modification (yellow)
996 User Account Created (disabled)
998 User Account Deleted (disabled)
706 User Account Disabled or Enabled (disabled)
709 User Account Lockout Enabled or Disabled (disabled)
997 User Account Renamed (disabled)
991 User Added to Administrator Group (disabled)
370 ValidCommunities RegKey Permissions Modification (disabled)
752 Windows Explorer CLSID File Execution (disabled)
121 Windows File Protection Activity (disabled)
122 Windows File Protection Cache or Catalog Modified (disabled)
983 Windows File Protection RegKey Modified (yellow)
841 Winhlp32 Buffer Overflow (red)
101 Winlogon Registry Key Modification (disabled)
102 Winlogon Registry Value Modification (disabled)
339 Winlogon RegKey Permissions Modification (disabled)
928 WinVNC Activation (orange)
927 WinVNC Installation (red)
902 Wordpad DCOM Server RegKey Modification (disabled)
840 Wordpad Help File Modification (disabled)

SOLARIS

1331 /bin/login Buffer Overflow (red)
1342 /proc/[pid]/sigact data leakage (disabled)
1308 admintool Buffer Overflow (red)
1017 Agent Mode Remotely Changed to Protection (disabled)
1016 Agent Mode Remotely Changed to Warning (disabled)
1014 Agent Remote Control Enabled or Disabled (disabled)
1502 Apache Artificially Long Slash Path (red)
1504 Apache Chunked-Encoding Memory Corruption (red)
1505 Apache Cross-Site Scripting (red)
1416 Apache Envelope - File Access (orange)
1419 Apache Envelope - File Access by CGI (orange)
1417 Apache Envelope - File Modification (orange)
1420 Apache Envelope - File Modification by CGI (orange)
1501 Apache Illegal Request Method (disabled)
1407 Apache Shielding - CGI File Access (disabled)
1408 Apache Shielding - CGI File Modification (yellow)
1413 Apache Shielding - Configuration File Access (disabled)
1414 Apache Shielding - Configuration File Modification (yellow)
1404 Apache Shielding - Docs File Access (disabled)
1405 Apache Shielding - Docs File Modification (yellow)
1410 Apache Shielding - Log File Access (disabled)
1411 Apache Shielding - Log File Modification (yellow)
1401 Apache Shielding - Server File Access (disabled)
1402 Apache Shielding - Server File Modification (yellow)
1500 Apache SSI File Extension Request (disabled)
1503 Apache test-cgi Directory Listing (red)
1313 arp Buffer Overflow (red)
26 aspppd Insecure File Link (orange)
1318 at Buffer Overflow (red)
1359 at Command Arbitrary File Deletion (red)
1733 Audit System File Attribute Modification (disabled)
1732 Audit System File Creation or Deletion (disabled)
1731 Audit System File Modification (disabled)
1700 Binary File Modification (yellow)
1336 cachefsd mount file and remote buffer overflow (red)
391 Cancel Buffer Overflow (red)
260 CDE dtaction Buffer Overflow (red)
1300 CDE dtmail Buffer Overflow (red)
1301 CDE dtmailpr -f Buffer Overflow (red)
600 CDE dtprintinfo Buffer Overflow (red)
1328 CDE dtspcd Buffer Overflow (red)
1323 CDE dtspcd Symlink Vulnerability (disabled)
1330 CDE mailtool Buffer Overflow (red)
287 CDE sdtcm_convert Buffer Overflow (red)
29 chkperm Buffer Overflow (red)
1329 Core Dump Access or Modification (disabled)
1715 Cron File Attribute Modification (disabled)
1714 Cron File Creation or Deletion (disabled)
1713 Cron File Modification (disabled)
1311 cu Buffer Overflow (red)
1739 Device File Attribute Modification (disabled)
1738 Device File Creation or Deletion (disabled)
1730 DNS File Attribute Modification (disabled)
1729 DNS File Creation or Deletion (disabled)
1728 DNS File Modification (disabled)
34 dtappgather dtusersession File Access (orange)
33 dtappgather Symlink File Permissions (orange)
1357 dtsession Buffer Overflow (red)
1021 Entercept Agent Shielding - File Access (disabled)
1008 Entercept Agent Shielding - File Modification (red)
1009 Entercept Agent Shielding - Module Access (red)
1312 exrecover Buffer Overflow (red)
1325 Failed Logon Attempt (Solaris) (disabled)
1361 ff.core Buffer Overflow (red)
327 ff.core Rename Command (red)
1721 FTP File Attribute Modification (disabled)
1720 FTP File Creation or Deletion (disabled)
1719 FTP File Modification (disabled)
1340 ftpd glob() Expansion LIST Heap Overflow (red)
388 General Buffer Overflow (red)
389 General Buffer Overflow using rlibc (red)
1315 gettext()/locale Format String Exploit (disabled)
242 Illegal IFS Variable (disabled)
1558 iPlanet Chunked-Encoding Memory Corruption (red)
1560 iPlanet Cross-Site Scripting (red)
1610 iPlanet Envelope - File Access (orange)
1613 iPlanet Envelope - File Access by CGI (orange)
1611 iPlanet Envelope - File Modification (orange)
1614 iPlanet Envelope - File Modification by CGI (orange)
1551 iPlanet Illegal Request Method (disabled)
1559 iPlanet importInfo Arbitrary Command Execution (red)
1607 iPlanet Shielding - CGI File Access (disabled)
1608 iPlanet Shielding - CGI File Modification (yellow)
1604 iPlanet Shielding - Docs File Access (disabled)
1605 iPlanet Shielding - Docs File Modification (yellow)
1600 iPlanet Shielding - Server Admin Operation (disabled)
1601 iPlanet Shielding - Server File Access (disabled)
1602 iPlanet Shielding - Server File Modification (yellow)
1550 iPlanet SSI File Extension Request (disabled)
1561 iPlanet TRACE Method Request (red)
1557 iPlanet Web Server Search Cgi Buffer Overflow (red)
1345 KCMS Library Daemon Arbitrary File Retrieval (red)
1362 kcms_calibrate Buffer Overflow (red)
269 kcms_configure Buffer Overflow (red)
1703 Kernel File Modification (yellow)
1335 lbxproxy display name buffer overflow (red)
1321 libsldap Buffer Overflow (red)
237 Link to Critical System File Created (orange)
32 Link to dev (yellow)
1338 lpd Remote Command Execution (red)
1355 lpq Stack Buffer Overflow (red)
1 lpset Buffer Overflow (red)
323 lpstat Buffer Overflow (red)
1306 mail -m Buffer Overflow (red)
1324 mailx Buffer Overflow -F Argument (red)
1363 mkcookie Buffer Overflow (red)
1303 netpr -p Buffer Overflow (red)
1555 Netscape Enterprise Server JHTML View Source (red)
1552 Netscape Enterprise Server 3.6 Directory Index (red)
1553 Netscape Enterprise Server Index Disclosure (red)
1554 Netscape Enterprise Server Web Publishing (red)
1718 Network / System Conf. File Attribute Modification (disabled)
1717 Network / System Conf. File Creation or Deletion (disabled)
1716 Network / System Conf. File Modification (disabled)
1356 NewTask Local Privilege Elevation (red)
1736 NFS File Attribute Modification (disabled)
1735 NFS File Creation or Deletion (disabled)
1734 NFS File Modification (disabled)
1701 Password File Modification (red)
1351 PCMCIAD File Corruption (red)
59 ping hname Buffer Overflow (red)
1334 Predictable tmpfiles When Using "here" Documents (disabled)
1349 priocntl() Local Root Vulnerability (red)
39 Program Execution with Binary Arguments (yellow)
67 rdist Buffer Overflow (red)
1343 RPC xdr_array Buffer Overflow Vulnerability (red)
325 rpc.cmsd Buffer Overflow (red)
283 rpc.nisd Buffer Overflow (red)
1322 rpc.yppasswdd Buffer Overflow (red)
1358 rpcbind Buffer Overflow (red)
285 rpcbind File Overwrite (disabled)
1337 rwall Daemon Syslog Format String (red)
1319 sadmind buffer overflow (red)
1326 sendmail Buffer Overflow (red)
1339 sendmail File Locking Denial Of Service (disabled)
1706 SGID File Creation (yellow)
1707 SGID File Modification (yellow)
1743 Shared Library Attribute Modification (disabled)
1742 Shared Library Creation or Deletion (disabled)
1741 Shared Library Modification (disabled)
1332 snmpdx Buffer Overflow (red)
1320 snmpXdmid Buffer Overflow (red)
1364 Solaris sadmind Local or Remote Command Execution (red)
1727 Startup File Attribute Modification (yellow)
1726 Startup File Creation or Deletion (yellow)
1725 Startup File Modification (yellow)
1348 Successful Logon (Solaris) (disabled)
1704 SUID File Creation (yellow)
1705 SUID File Modification (yellow)
1724 Syslog File Attribute Modification (disabled)
1723 Syslog File Creation or Deletion (disabled)
1722 Syslog File Modification (disabled)
1327 toolTalk Database Format String / Buffer Overflow (red)
1341 toolTalk Database Symbolic Link (red)
82 ufsdump Buffer Overflow (red)
83 ufsrestore Buffer Overflow (red)
1712 User/Group Administration File Attribute Modif. (disabled)
1353 utmp_update Buffer Overflow (red)
1352 uucp Buffer Overflow (red)
1346 vold Buffer Overflow (red)
84 volrmmount Buffer Overflow (red)
1347 WBEM Insecure Permissions (red)
400 write Buffer Overflow (red)
1350 X Font Server Remote Buffer Overrun (red)
1316 ximp Buffer Overflow (red)
291 xlock Buffer Overflow (red)
1360 Xprt Buffer Overflow (red)
1305 xsun Buffer Overflow (red)
1333 ypbind Buffer Overflow (red)
1344 ypxfrd directory traversal and file disclosure (red)

HP-UX

2034 HP-UX .rhosts File Attribute Modification (disabled)
2035 HP-UX .rhosts File Creation or Deletion (disabled)
2036 HP-UX .rhosts File Modification (disabled)
2037 HP-UX /.forward File Attribute Modification (disabled)
2038 HP-UX /.forward File Creation or Deletion (disabled)
2039 HP-UX /.forward File Modification (disabled)
2128 HP-UX /bin/login Buffer Overflow (red)
2016 HP-UX /etc/rc.config Protection (disabled)
2024 HP-UX /etc/skel Script Attribute Modification (disabled)
2025 HP-UX /etc/skel Script Creation or Deletion (disabled)
2026 HP-UX /etc/skel Script Modification (disabled)
2008 HP-UX /sbin/rc Protection (disabled)
2009 HP-UX /sbin/rc.utils Protection (disabled)
2143 HP-UX /usr/bin/ipcs Buffer Overflow (red)
2110 HP-UX /usr/bin/pppd buffer overflow (red)
2142 HP-UX /usr/bin/rexec Buffer Overflow (red)
2138 HP-UX /usr/bin/stmkfont Buffer Overflow (red)
2141 HP-UX /usr/lbin/rwrite Buffer Overflow (red)
2140 HP-UX /usr/sbin/wall Buffer Overflow (red)
2028 HP-UX Allowed Shells Config. Attribute Mod. (disabled)
2029 HP-UX Allowed Shells Config. Creation or Deletion (disabled)
2030 HP-UX Allowed Shells Config. Modification (disabled)
2031 HP-UX Audit Configuration Attribute Modification (disabled)
2032 HP-UX Audit Configuration Creation or Deletion (disabled)
2033 HP-UX Audit Configuration Modification (disabled)
2118 HP-UX auto_parms Arbitrary Command Execution (red)
2006 HP-UX Auxiliary Binary Protection (red)
2131 HP-UX bdf/df Buffer Overflow (red)
2005 HP-UX CDE Binary Protection (red)
2126 HP-UX CDE dtspcd Buffer Overflow (red)
2116 HP-UX CDE dtterm Terminal Name Buffer Overflow (red)
2045 HP-UX Cron Daemon Protection (disabled)
2114 HP-UX crontab /tmp File (red)
2119 HP-UX cu Buffer Overflow (red)
2007 HP-UX Device File Creation or Deletion (disabled)
2136 HP-UX disable Buffer Overflow (red)
2130 HP-UX dtappgather DTUSERSESSION File Access (red)
2134 HP-UX dtsession Buffer Overflow (red)
1022 HP-UX Entercept Agent Shielding - File Access (disabled)
1018 HP-UX Entercept Agent Shielding - File Modification (red)
1019 HP-UX Entercept Agent Shielding - Module Access (red)
2050 HP-UX Failed Logon Attempt (disabled)
2044 HP-UX ftpd Configuration File Protection (disabled)
2111 HP-UX ftpd Format String/Buffer Overflow (red)
2101 HP-UX General Buffer Overflow (red)
2017 HP-UX Initialization Configuration Protection (disabled)
2018 HP-UX Initialization Script Attribute Modification (red)
2019 HP-UX Initialization Script Creation or Deletion (red)
2020 HP-UX Initialization Script Modification (red)
2121 HP-UX kermit Buffer Overflow (red)
2120 HP-UX kmmodreg Symlink Attack (red)
2137 HP-UX landiag & lanadmin Buffer Overflow (red)
2123 HP-UX Line Printer Daemon Buffer Overflow (red)
2124 HP-UX man /tmp Symlink Attack (disabled)
2115 HP-UX net.init RC Script (red)
2002 HP-UX Non Native Binary Attribute Modification (disabled)
2003 HP-UX Non Native Binary Creation or Deletion (disabled)
2004 HP-UX Non Native Binary Modification (disabled)
2001 HP-UX OS Binary Protection (red)
2021 HP-UX PAM Configuration Protection (red)
2027 HP-UX PAM Shared Library Protection (red)
2022 HP-UX PAM User Configuration Protection (red)
2042 HP-UX Password File Protection (disabled)
2043 HP-UX Password File Symlink Attack (disabled)
2102 HP-UX Program Execution with Binary Arguments (red)
2125 HP-UX rlpdaemon Arbitrary Log File Creation (red)
2139 HP-UX rpc.yppasswdd Buffer Overflow (red)
2135 HP-UX rpcbind Buffer Overflow (red)
2133 HP-UX sendmail Buffer Overflow (red)
2048 HP-UX SGID File Creation (disabled)
2049 HP-UX SGID File Modification (disabled)
2113 HP-UX Shutdown Buffer Overflow (red)
2127 HP-UX SNMP Daemon Buffer Overflow (red)
2112 HP-UX SNMPD File Permission (red)
2010 HP-UX Startup Script Attribute Modification (red)
2013 HP-UX Startup Script Config. Attribute Mod. (red)
2014 HP-UX Startup Script Config. Creation or Deletion (red)
2015 HP-UX Startup Script Config. Modification (red)
2011 HP-UX Startup Script Creation or Deletion (red)
2012 HP-UX Startup Script Modification (red)
2117 HP-UX stm Race Condition (red)
2051 HP-UX Successful Logon (disabled)
2046 HP-UX SUID File Creation (disabled)
2047 HP-UX SUID File Modification (disabled)
2122 HP-UX swverify Buffer Overflow (red)
2023 HP-UX Syslog Daemon Configuration Protection (red)
2129 HP-UX ToolTalk Format String / Buffer Overflow (red)
2040 HP-UX Trusted Password Database Protection (disabled)
2041 HP-UX Trusted Password Database Symlink Attack (disabled)
2132 HP-UX X Font Server Remote Buffer Overrun (red)
 
