
How to resolve HTTP: Hidden or Invisible HTML IFrame Detected false positives?

Hello,

Our McAfee IPSs alert on thousands of "HTTP: Hidden or Invisible HTML IFrame Detected" false positives a day. I have checked some of the websites that users access and they are not infected with the js/fortnight@m trojan as the signature suggests they should be. At first I thought it was our proxy modifying the website request and delivery in some way, but bypassing the proxy still triggers these alerts.

Has anyone had any similar experience with this signature, and how did you deal with it?

Thanks in advance to those who provide assistance.

Message was edited by: foofightersecurity on 5/16/14 1:59:43 PM CDT
2 Replies
dt1

Re: How to resolve HTTP: Hidden or Invisible HTML IFrame Detected false positives?

You bring up an issue, in my opinion: the name of the signature is "Hidden or Invisible HTML iFrame" ... yet the description says:

"This alert indicates that the webpage the user visited was infected with "JS/Fortnight@M" trojan."

Two very different descriptions; why not tune the signature and call it something more specific to this trojan? Secondly, a hidden or invisible iframe is not specific to this single threat. iFrames can be safe, suspicious, or malicious and, as you are experiencing, are very common in enterprise web browsing. The signature is alerting on an invisible iframe, thus, a low severity event.

In my environment, I've had to disable this alert due to a high volume of events. Another option is to auto-acknowledge the alert, so the high volume does not appear in the RTTA; however, the event is still detected and can be used in correlation or analysis at a later date.
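An added example, not part of the original thread and not McAfee tooling: a small triage script that lists the hidden iframes in a saved page and sorts them by where they load from, so the bulk of benign hits can be separated from the few worth a closer look. The "hidden" heuristics, the hostnames and the allowlist are assumptions made for the example and do not reproduce the vendor signature's logic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# "Hidden" heuristics are assumptions for triage, not the vendor signature's logic.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)

def _within(host, domain):
    return host == domain or host.endswith("." + domain)

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host, allowlist):
        super().__init__()
        self.page_host = page_host.lower()
        self.allowlist = [d.lower() for d in allowlist]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        reasons = []
        if a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px"):
            reasons.append("zero-size attribute")
        if HIDING_STYLE.search(a.get("style", "")):
            reasons.append("hiding style")
        if not reasons:
            return  # visible iframe, not what the alert is about
        # A relative or empty src loads from the page's own host.
        host = (urlparse(a.get("src", "")).hostname or self.page_host).lower()
        verdict = ("same-site" if _within(host, self.page_host) else
                   "allowlisted" if any(_within(host, d) for d in self.allowlist) else "review")
        self.findings.append({"host": host, "verdict": verdict, "reasons": reasons})

def triage(html, page_host, allowlist=()):
    finder = HiddenIframeFinder(page_host, allowlist)
    finder.feed(html)
    return finder.findings

# Constructed sample page body (reserved .example hostnames).
SAMPLE = """<iframe src="https://tags.analytics.example/sync" width="0" height="0"></iframe>
<iframe src="/session/keepalive" style="display:none"></iframe>
<iframe src="http://unknown-host.example/x.html" style="visibility: hidden"></iframe>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>"""

if __name__ == "__main__":
    print(*triage(SAMPLE, "intranet.example", ["analytics.example"]), sep="\n")
```

Only findings with the verdict `review` need an analyst; the rest can stay auto-acknowledged and remain available for later correlation.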


Re: How to resolve HTTP: Hidden or Invisible HTML IFrame Detected false positives?

Thanks dt1 for the input.

I agree the descriptions are an issue. That isn't the first signature description in McAfee IPS that is misleading. Although I knew I didn't have the JS/Fortnight@M trojan and that there was other hidden IFrame content triggering the signature, I am still faced with thousands of alerts being triggered.

I like your second option the best as I do want to be able to analyze these further if required.

I was most interested in your admission that your environment generates a high volume of these alerts as well...I am not alone.
