You bring up an issue in my opinion, the name of the signature is "Hidden or Invisible HTML iFrame" ... yet the description says:
"This alert indicates that the webpage the user visited was infected with "JS/Fortnight@M" trojan."
Two very different descriptions, why not tune the signature and call it something more specific to this trojan? Secondly, a hidden or invisible iframe is not specific to this single threat. iFrames can be safe, suspicious, or malicious, and, as you are experiencing, very common in enterprise web browsing. The signature is alerting on an invisible iframe, thus, a low severity event.
In my environment, i've had to disable this alert to a high volume of events. Another option is to auto acknowledge the alert, therefore the high volume does not appear in the RTTA, however the event is still detected and can be used in correlation or analysis at a later date.
Thanks dt1 for the input.
I agree the descriptions are an issue. That isn't the first signature description in McAfee IPS that are misleading. Although I knew I didn't have the JS/Fortnight@M trojan and there was other hidden IFrames content that was triggering the signature and I am still faced with thousands of alerts being triggered.
I like your second option the best as I do want to be able to analyze these further if required.
I was most interested in your admission that your environment generates a high volume of these alerts as well...I am not alone.