This is a signature that detects a "CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow".
As I understand it, this is a meta signature that fires when 6794/1 and 5477 both trigger. Alerts have shown up a couple of times today, but the packet data in MARS associated with them do not appear to match correctly with the component signatures.
For example, 6794/1 looks like it tries to match a regex for this key: BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3
However, in the packet data, this does not occur anywhere. So I'm unsure if there is packet data that I cannot see (but I should be able to see!), or if it is firing incorrectly, or perhaps I just don't understand something!
Thanks for any help!
Sure... You can disregard these alerts for now, or modify 6794-0 and set the all components required to *true*, or disable 6794-0 until the s405 release, then re-enable.
What's happening is that, with the all components required set to false, when either 6794-1 or 5477-2 fires, 6794-0 will fire.