8 Replies Latest reply: Mar 16, 2012 12:59 PM by Travler

    False positive...?


      Anyone else experience the following?


      After our sensor received the signature file in the early morning hours of March 2nd, we started getting tons of email alerts for the following:


      HTTP: IE CreateTextRange Code Execution Vulnerability


      These "attacks" were from a few hundred different IPs mostly to our Web Gateway.  (A few were from our Web Gateway to our Firewall.)


      Today, I reverted our sensor to the signature file and the alerts immediately stopped and I haven't received a single one since.


      Any thoughts?

        • 1. Re: False positive...?

          Same issue here...

          • 2. Re: False positive...?

            How to revert sensor to original sig version?

            • 3. Re: False positive...?

              @rangerlj Here's how I rolled the signature back from to

              Keep in mind that this is for Network Security Manager so your version may be different.


              1) Download the old signature file.
              Navigate to:
              Configure page
              Manager in Resource Tree
              Update Server tab
              Signatures sub-tab
              Choose version: and click Download.
              Wait for download to complete and Close small download window.


              2) Push the old signature file to the sensor.
              Navigate to one of the Configuration Update pages.
              (I can't remember exactly which of these pages I used, but I think the one under Device List / Configuration Update should work fine.  The other two Configuration Update pages I know of are located under Device List / *sensor name* / Physical Sensor / Configuration Update and IPS Settings / *sensor name* / Configuration Update)
              Confirm that the signature file is listed under Pending Changes and that the Update check box is checked
              Click on Update.


              3) I also disabled my nightly scheduled Signature Set Download task so the system wouldn't simply pull back down.  This task is located here:

              Device List / Update Server / Scheduler / Signature Set Download Scheduler

              Click No and Apply.


              Hope this helps.

              • 4. Re: False positive...?

                Thanks a lot! My friend!

                • 5. Re: False positive...?

                  I see that McAfee has released signature set   Searching KB55446 leads me to the KB pages for the individual signature sets.  Both signature sets in question ( - the original one I've had issues with, and - the latest signature set) state the following as pertains to the vulnerability in question:


                  HIGH - HTTP: IE CreateTextRange Code Execution Vulnerability (0x4022ad00):Exploit:

                  Signature change to improve detection accuracy and/or performance. This alert requires the HTTP response feature to be enabled.


                  I hope I'm correct in interpreting this fact to mean that they originally changed something with which caused my problem, and that they've now fixed this with  Unfortunately, I'm too chicken to test it on a Friday and will wait to apply until next Monday (3/19/12).  If anyone tries updating to in the meantime, please post your experiences here.

                  • 6. Re: False positive...?

                    This (and other) false positives are corrected on the latest sigset

                    • 7. Re: False positive...?

                      Fantastic news!  Thanks for the info, daloy!

                      • 8. Re: False positive...?

                        Based on daloy's response that this issue was a known false-positive, I have gone ahead and installed the signature set (despite it being Friday).  I've been monitoring the alerts since then and have not seen any recurrence of this issue.


                        I think this issue is resolved.  (If it isn't, I'll update this thread at that time.)


                        Thanks again for the confirmation, daloy!