NIS Signature: Why Some Signatures Are Disabled By Default?

Microsoft explained the reason behind disabling 4 signatures in the NIS Signature set released last month (8.32):

  1. Plcy:Win/Sharepoint.SafeHTML1.XSS!2010-3243
  2. Plcy:Win/Sharepoint.SafeHTML2.XSS!2010-3243
  3. Plcy:Win/HTTP.SafeHTML1.XSS!2010-3324
  4. Plcy:Win/HTTP.SafeHTML2.XSS!2010-3324

There are three different NIS signature types:

  1. Vulnerability-based signatures will detect most variants of exploits against a given vulnerability.
  2. Exploit-based signatures will detect a specific exploit of a given vulnerability.
  3. Policy-based signatures are generally used for auditing purposes and are developed when neither a vulnerability-based nor an exploit-based signature can be written.

"Whenever possible, we write vulnerability-based or exploit-based signatures. These are accurate signatures which have a very low rate of false positives or false negatives.

However, in some cases we aren't able to write a vulnerability/exploit signature so we write a policy-based signature. These are less accurate and can cause some false alarms so it's up to the admin to make a conscious decision to enable them despite the risk of false positives.

This is why we make policy-based signatures available in a 'disabled by default' mode," explains Microsoft.
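To make the accuracy trade-off concrete, here is an added toy example (not code from the post or from NIS) that runs one signature of each type over constructed sample requests and counts hits; the hypothetical vulnerability is a handler that breaks when its `name` field exceeds 32 bytes, and every signature name, request and threshold is invented for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample traffic: (request line, is this request actually malicious?).
# Two malicious requests trigger the same hypothetical overflow with different bytes.
REQUESTS: List[Tuple[str, bool]] = [
    ("GET /api?name=alice", False),
    ("GET /api?name=" + "A" * 40, True),    # known exploit variant
    ("GET /api?name=" + "B" * 200, True),   # unseen variant of the same bug
    ("GET /api?name=bob", False),
    ("GET /status", False),
]


@dataclass
class Signature:
    name: str
    kind: str                      # "vulnerability", "exploit" or "policy"
    match: Callable[[str], bool]   # returns True when the signature fires

    @property
    def enabled_by_default(self) -> bool:
        # Mirrors the rule in the post: policy-based signatures ship disabled
        # and the admin has to opt in, accepting the false-positive risk.
        return self.kind != "policy"


def name_field(request: str) -> str:
    """Return the value of the hypothetical 'name' parameter, or '' if absent."""
    return request.split("name=", 1)[1] if "name=" in request else ""


SIGNATURES = [
    # Matches the condition that triggers the bug, so it catches every variant.
    Signature("Vuln:Name.Overflow", "vulnerability", lambda r: len(name_field(r)) > 32),
    # Matches one specific payload only; misses the second variant.
    Signature("Expl:Name.Overflow.A40", "exploit", lambda r: name_field(r) == "A" * 40),
    # Audits any use of the feature at all; fires on benign traffic too.
    Signature("Plcy:Name.Used", "policy", lambda r: "name=" in r),
]


def evaluate(sig: Signature, requests: List[Tuple[str, bool]]) -> Dict[str, int]:
    """Count true positives, false negatives and false positives for one signature."""
    counts = {"true_positives": 0, "false_negatives": 0, "false_positives": 0}
    for request, malicious in requests:
        hit = sig.match(request)
        if malicious and hit:
            counts["true_positives"] += 1
        elif malicious:
            counts["false_negatives"] += 1
        elif hit:
            counts["false_positives"] += 1
    counts["enabled_by_default"] = int(sig.enabled_by_default)
    return counts
```

Running `evaluate` over each entry in `SIGNATURES` shows the pattern the post describes: the vulnerability signature catches both variants with no false alarms, the exploit signature misses the unseen variant, and the policy signature catches both but also flags the two benign requests, which is why only the first two would be enabled by default.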

[Source]