Have you guys seen this sig (Backdoor: Poison Ivy Traffic detected) fire, and if so, was it a FP? We have seen this signature fire recently in our environment and we can't come to a conclusion on whether it is a FP or something legitimate. The signature seems to be firing on a packet size of 256 bytes and non-standard traffic on HTTP ports. Around the time this sig fires on hosts, we have usually seen ad-related traffic in that time frame. If anyone else has seen this fire, can you please chime in on whether it was a legitimate threat or a FP.
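A small triage helper for the situation described above, added here as an example and not part of the original post or of McAfee's signature logic. It assumes only the two criteria the poster mentions (a 256-byte payload and non-HTTP data on an HTTP port) and separates flows whose payload still parses as an HTTP request (the ad-traffic false-positive theory) from opaque payloads that deserve a case with support; the flows and port list are constructed.

```python
"""Triage flows that trip a '256-byte payload on an HTTP port' style alert.

Added example, not McAfee's signature. Assumptions: the alert criteria are
exactly those named in the post, and a payload that begins with a valid HTTP
request line is more likely to be the ad traffic the poster observed.
"""
import re
from dataclasses import dataclass

HTTP_PORTS = {80, 8080}  # constructed list; adjust to the environment
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_alert_criteria(flow: Flow) -> bool:
    """Mirror the criteria quoted in the post: HTTP port, 256-byte payload."""
    return flow.dport in HTTP_PORTS and len(flow.payload) == 256


def looks_like_http(payload: bytes) -> bool:
    """True when the payload starts with a well-formed HTTP/1.x request line."""
    return REQUEST_LINE.match(payload) is not None


def triage(flow: Flow) -> str:
    """Classify a flow for follow-up; escalate opaque payloads, not HTTP."""
    if not matches_alert_criteria(flow):
        return "no-match"
    if looks_like_http(flow.payload):
        return "likely-fp: 256-byte HTTP request (check for ad/tracker URL)"
    return "escalate: opaque 256-byte payload on HTTP port"


def build_http_sample(size: int = 256) -> bytes:
    """Constructed ad-tracker style GET padded to exactly `size` bytes."""
    prefix = b"GET /ads/track?id="
    suffix = b" HTTP/1.1\r\nHost: ads.example\r\n\r\n"
    return prefix + b"a" * (size - len(prefix) - len(suffix)) + suffix


def build_opaque_sample(size: int = 256) -> bytes:
    """Constructed non-text payload standing in for an unknown client."""
    return bytes((i * 7 + 3) % 256 for i in range(size))


if __name__ == "__main__":
    print(triage(Flow("10.0.0.5", "203.0.113.9", 80, build_http_sample())))
    print(triage(Flow("10.0.0.7", "203.0.113.9", 80, build_opaque_sample())))
```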
I haven't taken any cases on this signature for false positive analysis, but I would recommend following this KB article, and providing the output to support:
Once we have it we'll submit it to the signature team for analysis to see if it was a correct detection or not. If you don't already have a case open, please file a web ticket or call into the support phone line to open one.
I would follow the suggestions given in the prior post, as my individual knowledge is limited to (Consumer). I might add that I would quite possibly utilize the latest McAfee Stinger, as it generates and adds new Detections/Variants on a daily basis.
In addition, here is an example from another Anti-Virus solution, in regards to the Detection mentioned herein: Backdoor:W32/PoisonIvy
McAfee Community Moderator