To find out what triggers the alert, you will need to look at it in the NSM. Go to Analysis > Attack Log and search for the alerts you want to investigate.
Double-click on one of the alerts and look at the Description tab to see the signature it alerts on.
Look at the Details tab to see which signature the individual alert triggered on.
You will need to go through the alerts and confirm that they are false positives before you set it to block.
The question you have asked is not all that uncommon. When the signatures are released by McAfee, they are in an alerting state, not blocking. This is so that you, the customer, can evaluate what is being blocked and add exceptions as you see fit to avoid outages when you enable the signature for blocking.
If, after reading the signature descriptions, you still have questions, I would recommend asking McAfee for clarification on this signature. If you suspect a false positive, then follow the below KB to engage support.
Grab multiple examples.
Thanks for this.
Now I can inform our users exactly what is being checked and they can make the decision on whether it will affect them.
I will likely block this one.