My Synology RT6600ax router with Threat Prevention is blocking a couple of things when the Windows 10 update 21H2 is trying to be applied. What it sees coming into the PC is:
ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow"; flow:established,from_server; file_data; content:"|4d 53 43 46|"; depth:4; byte_jump:4,8,little; isdataat:1; reference:cve,2016-2211; reference:cve,CVE-2014-9732; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:4346292; rev:1; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
and:
ET POLICY ZIP file download
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ZIP file download"; flow: established; content:"PK|0304|"; byte_test:1, <=, 0x14, 0, string, hex; content:"|00 00 00|"; distance: 0; reference:url,zziplib.sourceforge.net/zzip-parse.print.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000428; classtype:misc-activity; sid:4352392; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
and going out from PC is:
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:misc-activity; sid:4352590; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
I'm guessing that the Cab file is probably all right? Or has it actually been determined that it isn't just a Cab, but one with a buffer overflow exploit? Maybe "possible" means that it is just a Cab?
And I'm guessing that the Zip warning is again just happening because it is a zip and maybe Microsoft tried switching to a zip since the Cab didn't make it to the PC.
No idea what the USER_AGENTS one is about. Maybe it wouldn't happen if the other 2 weren't blocked?
Anybody have any ideas? (I know this is really a Synology issue and I've posted the same question over there, but I thought someone might have had similar issues with a different router or be familiar with these threats.)