Sonicwall Vulnerability Alert on BOINC traffic

Shane Feek
Joined: 1 Mar 16
Posts: 2
United States
Message 68062 - Posted: 1 Mar 2016, 12:58:35 UTC
Last modified: 1 Mar 2016, 13:35:56 UTC

Recently our Sonicwall Firewall Appliance began flagging BOINC client communications with the following message:

03/01/2016 04:40:05 - 609 - Security Services - Alert - 208.68.240.119, 80, X1 - 10.10.1.100, 52637, X0 - IPS Prevention Alert: WEB-CLIENT Microsoft AntiXSS Information Disclosure (MS12-007), SID: 3357, Priority: Medium

This email was generated by: SonicOS Enhanced 5.9.0.4-127o (0017-C5C2-0B28)

Has there been a recent change to the client that has a vulnerability? Should I just allow the traffic? As far as I can see, the BOINC client is still able to complete its communication and I am still getting credit for jobs.


Looks like it does this when downloading from SETI@home
The file in question is: 11oc10ad.146832.18881.10.37.86
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 15480
Netherlands
Message 68063 - Posted: 1 Mar 2016, 15:05:26 UTC - in response to Message 68062.  

The file in question is: 11oc10ad.146832.18881.10.37.86

That's a data file from the Seti project, without which you cannot do any calculations. It contains no executable information, nor will it use the network or internet.

The BOINC client (boinc or boinc.exe) requires access to the internet over TCP ports 80 and 443. It further requires access to TCP port 31416 to BOINC Manager (boincmgr or boincmgr.exe) while it (BOINC Manager) requires the same port to communicate back to the client (boinc). If applicable when used.

BOINC Manager can make use of the network when it's used to command and control a client on another computer. This may use a different port number specified by the other client.

Science applications shouldn't make use of the internet or network.

IP address 208.68.240.119 is part of Berkeley; I believe it's one of the two backbone servers of the Berkeley campus through which data is routed to Seti@Home. So it's a normal server.
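The alert line from the first post can be split into its fields and checked against the ports listed in the reply above. This is an added example, not part of the original thread and not BOINC or SonicWall code; the field layout is inferred from that single quoted line, and the names `Alert`, `parse_alert` and `is_server_reply_on_boinc_port` are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass

# Alert line copied from the first post in this thread.
SAMPLE = ("03/01/2016 04:40:05 - 609 - Security Services - Alert - "
          "208.68.240.119, 80, X1 - 10.10.1.100, 52637, X0 - "
          "IPS Prevention Alert: WEB-CLIENT Microsoft AntiXSS Information "
          "Disclosure (MS12-007), SID: 3357, Priority: Medium")

# Ports the reply says the BOINC client needs for internet access.
BOINC_WEB_PORTS = {80, 443}

# Assumed layout of the message field, inferred from the one sample line.
MSG_RE = re.compile(r"IPS (\w+) Alert: (.+), SID: (\d+), Priority: (\w+)$")


@dataclass
class Alert:
    timestamp: str
    event_id: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    action: str
    signature: str
    sid: int
    priority: str


def parse_alert(line: str) -> Alert:
    """Split one e-mailed alert line into fields; ValueError if it does not fit."""
    parts = line.strip().split(" - ", 6)
    if len(parts) != 7:
        raise ValueError("unexpected number of fields")
    ts, event_id, _category, _level, src, dst, msg = parts
    m = MSG_RE.match(msg)
    if not m:
        raise ValueError("unrecognised message field")
    src_ip, src_port, _ = (s.strip() for s in src.split(","))
    dst_ip, dst_port, _ = (s.strip() for s in dst.split(","))
    return Alert(ts, int(event_id), src_ip, int(src_port), dst_ip,
                 int(dst_port), m.group(1), m.group(2), int(m.group(3)), m.group(4))


def is_server_reply_on_boinc_port(a: Alert) -> bool:
    """True when a public host answers a private client from port 80 or 443."""
    src, dst = ipaddress.ip_address(a.src_ip), ipaddress.ip_address(a.dst_ip)
    return src.is_global and dst.is_private and a.src_port in BOINC_WEB_PORTS
```

A `True` result only says the flow is a reply from a public server on port 80 or 443, which is the direction and port of a BOINC download; it does not decide whether the signature match itself is a false positive.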
Shane Feek
Joined: 1 Mar 16
Posts: 2
United States
Message 68085 - Posted: 2 Mar 2016, 15:05:53 UTC - in response to Message 68063.  

I simply added an exception rule in the Intrusion Prevention Service and after a retry, the file uploaded properly. If other users of Sonicwall Appliances have this false positive and file blockage, that is the solution. I hope this can help other users!

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.