Microsoft explained the reason behind disabling 4 signatures in the NIS Signature set released last month (8.32):
There are three different NIS signature types:
- Vulnerability-based signatures will detect most variants of exploits against a given vulnerability.
- Exploit-based signatures will detect a specific exploit of a given vulnerability.
- Policy-based signatures are generally used for auditing purposes and are developed when neither a vulnerability-based nor an exploit-based signature can be written.
“Whenever possible, we write vulnerability based or exploit based signatures. These are accurate signatures which have a very low rate of false positives or false negatives.
However, in some cases we aren’t able to write a vulnerability/exploit signature so we write a policy based signature. These are less accurate and can cause some false alarms so it’s up to the admin to make a conscious decision to enable them despite the risk of false positives.
This is why we make policy based signatures available in a “disabled by default” mode,” explains Microsoft.