@rangerlj Here's how I rolled the signature back from 220.127.116.11 to 18.104.22.168.
Keep in mind that this is for Network Security Manager 22.214.171.124 so your version may be different.
1) Download the old signature file.
Manager in Resource Tree
Update Server tab
Choose version: 126.96.36.199 and click Download.
Wait for download to complete and Close small download window.
2) Push the old signature file to the sensor.
Navigate to one of the Configuration Update pages.
(I can't remember exactly which of these pages I used, but I think the one under Device List / Configuration Update should work fine. The other two Configuration Update pages I know of are located under Device List / *sensor name* / Phusical Sensor / Configuration Update and IPS Settings / *sensor name* / Configuration Update)
Confirm that the signature file is listed under Pending Changes and that the Update check box is checked
Click on Update.
3) I also disabled my nightly scheduled Signature Set Download task so the system wouldn't simply pull 188.8.131.52 back down. This task is located here:
Device List / Update Server / Scheduler / Signature Set Download Scheduler
Click No and Apply.
Hope this helps.
I see that McAfee has released signature set 184.108.40.206. Searching KB55446 leads me to the KB pages for the individual signature sets. Both signature sets in question (220.127.116.11 - the original one I've had issues with, and 18.104.22.168 - the latest signature set) state the following as pertains to the vulnerability in question:
HIGH - HTTP: IE CreateTextRange Code Execution Vulnerability (0x4022ad00):Exploit:
Signature change to improve detection accuracy and/or performance. This alert requires the HTTP response feature to be enabled.
I hope I'm correct in interpreting this fact to mean that they originally changed something with 22.214.171.124 which caused my problem, and that they've now fixed this with 126.96.36.199. Unfortunately, I'm too chicken to test it on a Friday and will wait to apply 188.8.131.52 until next Monday (3/19/12). If anyone tries updating to 184.108.40.206 in the meantime, please post your experiences here.
Based on daloy's response that this issue was a known false-positive, I have gone ahead and installed the 220.127.116.11 signature set (despite it being Friday ). I've been monitoring the alerts since then and have not seen any recurrence of this issue.
I think this issue is resolved. (If it isn't, I'll update this thread at that time.)
Thanks again for the confirmation, daloy!