Endpoint Protection

  • 1.  IPS events detected for internal application

    Posted Jun 29, 2017 09:11 AM

    I'm not a programmer and don't know what the internal application is attempting to do at this point but need some general guidance.  In the last week we started receiving floods of IPS event emails for various IPS detections (generally those below, but there are others).

    [SID: 27921] OS Attack: GNU Bash CVE-2014-6278 attack blocked

    [SID: 27907] OS Attack: GNU Bash CVE-2014-6271 attack blocked

    The IP addresses for both sides of the detection are ours, and there are definitely application processes of ours running that are causing this.  It is an inbound process from a server in our DMZ to a server on the internal network.  The specific executable responsible is listed in the Symantec event email but there still seems to be no way to exclude an executable or the file hash for that executable from IPS detection, only exclusion for all IPS events on the host(s) or manually selecting the vulnerability from the list of 4,000+ to be excluded.  In the end, there is no safe way to exclude a known program, only known hosts or the vulnerability - neither of which is truly desirable since the potential for a malicious application to get installed on the excluded host(s) exists or you just forego detection of that vulnerability.

    Before I talk to the programmers of the application causing the events, I would like to know if these IPS detections are an indication that the program is poorly written or if it is possible that it is written properly and simply triggers the events?  Basically, is it more common that these are caused by crap code or that Symantec is overzealous but leaves us no choice other than excluding the hosts?

    The programmers use Delphi for most of their applications and there seems to be a real issue with Symantec detecting many of the apps as malicious via heuristic detection - which is another problem for another day.  They get irrationally upset when their applications are quarantined and accuse us of breaking their stuff all the time.  I'm getting pretty tired of it, really.

    Any help, input, or advice is greatly appreciated!



  • 2.  RE: IPS events detected for internal application

    Posted Jun 29, 2017 09:16 AM

    I believe these are related to the 'Shellshock' vulnerability from a few years back. I guess the first question I have is: is the server fully patched?



  • 3.  RE: IPS events detected for internal application

    Posted Jun 29, 2017 09:46 AM

    Though I didn't think to mention it in my original post - yes, all our servers are fully patched and up to date.  We use Nessus (as I've seen you do in your environment as well, by a previous post of yours) to scan for and patch vulnerabilities.

    In case it wasn't clear, all the servers in the above scenario are ours and these are false positives in the sense that the applications and servers involved are safe and without known vulnerabilities.



  • 4.  RE: IPS events detected for internal application

    Posted Jun 29, 2017 09:51 AM

    Also - Symantec, you're the "leader" in next-generation cyber security but you're seriously going to make us scroll through a list of 4,867 Intrusion Prevention Signatures in order to add exceptions?  Where is the search field!?!?!?!?

    I would swear Symantec has never used their own product, or they would know this and fix it already.



  • 5.  RE: IPS events detected for internal application

    Posted Jun 29, 2017 09:53 AM

    But in this particular case it wasn't caused by a Nessus scan?



  • 6.  RE: IPS events detected for internal application

    Posted Jun 29, 2017 10:55 AM

    It was 100% not caused by a Nessus vulnerability scan - it was the normal in-house application behavior.

    When Nessus scans are performed, they always come from a particular IP address as the Remote Host.  In these cases, the Remote Host IP address is our own server in our DMZ communicating with its counterpart server on the internal network - and only these two servers.  We are not getting these alerts for one DMZ server "attacking" a number of servers on the internal network.
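The distinction drawn in this thread between scanner fan-out (one remote host hitting many internal hosts) and a fixed DMZ/internal server pair with one executable can be automated over the IPS notification text. The script below is an added example, not code from the thread or from Symantec; the event lines are constructed, and the field layout after the SID description (remote=, local=, exe=) is an assumption rather than the real email format.

```python
import re
from collections import defaultdict

# Constructed sample IPS event lines in the style of the thread's
# "[SID: nnnn] OS Attack: GNU Bash CVE-... attack blocked" notices.
# The remote/local/exe fields are an assumed layout, not Symantec's format.
SAMPLE_EVENTS = """\
[SID: 27921] OS Attack: GNU Bash CVE-2014-6278 attack blocked | remote=10.0.50.10 local=10.0.20.5 exe=appsync.exe
[SID: 27907] OS Attack: GNU Bash CVE-2014-6271 attack blocked | remote=10.0.50.10 local=10.0.20.5 exe=appsync.exe
[SID: 27921] OS Attack: GNU Bash CVE-2014-6278 attack blocked | remote=10.0.50.10 local=10.0.20.5 exe=appsync.exe
[SID: 27907] OS Attack: GNU Bash CVE-2014-6271 attack blocked | remote=10.0.99.9 local=10.0.20.5 exe=httpd
[SID: 27907] OS Attack: GNU Bash CVE-2014-6271 attack blocked | remote=10.0.99.9 local=10.0.20.6 exe=httpd
[SID: 27907] OS Attack: GNU Bash CVE-2014-6271 attack blocked | remote=10.0.99.9 local=10.0.20.7 exe=httpd
"""

EVENT_RE = re.compile(
    r"\[SID: (?P<sid>\d+)\] (?P<desc>.+?) \| "
    r"remote=(?P<remote>\S+) local=(?P<local>\S+) exe=(?P<exe>\S+)"
)

def parse_events(text):
    """Return one dict per well-formed event line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def triage(events, fanout_threshold=3):
    """Group events by remote host and label each group.

    Many distinct local targets from one remote host looks like a vulnerability
    scan; a single remote/local pair with one executable looks like the
    in-house application traffic described in the thread.
    """
    by_remote = defaultdict(lambda: {"locals": set(), "sids": set(), "exes": set(), "count": 0})
    for ev in events:
        rec = by_remote[ev["remote"]]
        rec["locals"].add(ev["local"])
        rec["sids"].add(ev["sid"])
        rec["exes"].add(ev["exe"])
        rec["count"] += 1
    result = {}
    for remote, rec in by_remote.items():
        kind = "scanner-like" if len(rec["locals"]) >= fanout_threshold else "application-like"
        result[remote] = {"kind": kind, "targets": len(rec["locals"]),
                          "sids": sorted(rec["sids"]), "exes": sorted(rec["exes"]),
                          "events": rec["count"]}
    return result

if __name__ == "__main__":
    for remote, info in triage(parse_events(SAMPLE_EVENTS)).items():
        print(remote, info)
```

An "application-like" group with a single executable is the case to take to the developers; a "scanner-like" group should line up with the known Nessus scanner address.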