F-Secure AV updates and Suricata IPS

My ISP recently started providing 3 F-Secure AV copies to each of their customers. I installed it but noticed that updates timed out.

It turned out that Suricata, which runs in IPS mode, blocked the update. There were 3 Emerging Threats rules that alerted:

[1:2003614:4] ET VIRUS WinUpack Modified PE Header Inbound [1:2009557:2] ET TROJAN Yoda’s Protector Packed Binary [1:2012086:2] ET SHELLCODE Possible Call with No Offset TCP Shellcode

It seems that F-Secure uses some form of packed binaries for their updates that is often used by malware.

To allow the updates to go through without disabling the rules altogether, we can use suppressions. All the alerts happened in streams talking to IP addresses in the 217.110.97.14x range. Whois lookup suggested that F-Secure has 217.110.97.128/25 available, so I decided to suppress the rules for that entire block.

To add the suppressions, I added the following lines to my threshold.conf:

# f-secure update matching suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25 suppress gen_id 1, sig_id 2012086, track by_src, ip 217.110.97.128/25 suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25

After a Suricata restart, the updates now work fine. If you run Suricata in IDS mode you may still want to add the suppressions to reduce the number of alerts.