2 Replies Latest reply on May 30, 2014 2:56 PM by foofightersecurity

    How to resolve HTTP: Hidden or Invisible HTML IFrame Detected false positives?

    foofightersecurity

      Hello,

      Our McAfee IPSs alert on thousands of "HTTP: Hidden or Invisible HTML IFrame Detected" false positives a day. I have checked some of the websites that users access and they are not infected with the js/fortnight@m trojan as the signature suggests they should be. At first I thought it was our proxy modifying the website request and delivery in some way, but bypassing the proxy still triggers these alerts.

      Has anyone had a similar experience with this signature, and how did you deal with it?
      Thanks in advance to those who provide assistance.
      Message was edited by: foofightersecurity on 5/16/14 1:59:43 PM CDT
        • 1. Re: How to resolve HTTP: Hidden or Invisible HTML IFrame Detected false positives?
          dt1

          You bring up an issue, in my opinion: the name of the signature is "Hidden or Invisible HTML iFrame", yet the description says:
          "This alert indicates that the webpage the user visited was infected with "JS/Fortnight@M" trojan."
          Two very different descriptions; why not tune the signature and call it something more specific to this trojan? Secondly, a hidden or invisible iframe is not specific to this single threat. iFrames can be safe, suspicious, or malicious, and, as you are experiencing, very common in enterprise web browsing. The signature is alerting on an invisible iframe, thus a low severity event.
          In my environment, I've had to disable this alert due to a high volume of events. Another option is to auto-acknowledge the alert, so the high volume does not appear in the RTTA; however, the event is still detected and can be used in correlation or analysis at a later date.

          • 2. Re: How to resolve HTTP: Hidden or Invisible HTML IFrame Detected false positives?
            foofightersecurity

            Thanks dt1 for the input.

            I agree the descriptions are an issue. That isn't the first signature description in McAfee IPS that is misleading. Although I knew I didn't have the JS/Fortnight@M trojan and that other hidden IFrame content was triggering the signature, I am still faced with thousands of alerts being triggered.
            I like your second option the best as I do want to be able to analyze these further if required.
            I was most interested in your admission that your environment generates a high volume of these alerts as well... I am not alone.
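The posts above boil down to one triage question: when the IPS fires on a page, which iframe on that page looks hidden, and what is its src? The script below is an added example (editor's code, not from either poster and not McAfee's signature logic) that pulls every iframe out of a fetched page and flags the ones that a "hidden or invisible iframe" rule would plausibly match: zero or one pixel width/height attributes, display:none or visibility:hidden in the inline style, or a large negative offset that pushes the frame off-screen. The heuristics and the sample page are assumptions constructed for the example; a 0x0 frame pointing at an analytics or ad-sync host is exactly the benign pattern that produces the alert volume discussed in the thread, so the output is a list of src values for an analyst to reputation-check, not a verdict.

```python
"""Triage helper for 'hidden or invisible iframe' IPS alerts.

Lists every <iframe> in an HTML document that looks hidden, together with
the reason, so the analyst can check each src instead of assuming the page
carries JS/Fortnight@M. The heuristics below are assumptions for this
example, not the vendor's signature logic.
"""
import re
from html.parser import HTMLParser

# width="0", height="1px", width="0%" and similar
_ZERO_SIZE = re.compile(r"^\s*[01](px|%)?\s*$", re.I)
# style="position:absolute;left:-9999px" style off-screen placement
_OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I)
_STYLE_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_STYLE_SIZE = re.compile(r"(width|height)\s*:\s*([0-9.]+)(px)?", re.I)


def hidden_reasons(attrs):
    """Return the reasons an iframe looks hidden; empty list means it looks visible."""
    reasons = []
    for dim in ("width", "height"):
        val = attrs.get(dim)
        if val is not None and _ZERO_SIZE.match(val):
            reasons.append(f"{dim}={val.strip()}")
    style = attrs.get("style") or ""
    if _STYLE_HIDDEN.search(style):
        reasons.append("style hides element")
    if _OFFSCREEN.search(style):
        reasons.append("positioned off-screen")
    # width/height may be set in the style attribute instead of as attributes
    for m in _STYLE_SIZE.finditer(style):
        if float(m.group(2)) <= 1:
            reasons.append(f"style {m.group(1).lower()}:{m.group(2)}")
    return reasons


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # valueless attributes (e.g. <iframe hidden>) arrive as None
            self.iframes.append({k.lower(): (v if v is not None else "") for k, v in attrs})


def find_hidden_iframes(html):
    """Return [{'src': ..., 'reasons': [...]}] for each iframe that looks hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if reasons:
            hits.append({"src": attrs.get("src", ""), "reasons": reasons})
    return hits


# Constructed sample page (not captured from any real site): one visible
# video embed, one analytics-style 0x0 frame, one display:none frame.
SAMPLE_HTML = """
<html><body>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="https://tags.example/sync" width="0" height="0" style="border:0"></iframe>
<iframe src="https://cdn.example/x.html" style="display:none;width:1px;height:1px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run it against the response body the proxy or IPS captured for the alert (feed the HTML to `find_hidden_iframes`); the visible 640x360 embed is not reported, while the two hidden frames are listed with their src, which is the value worth checking against threat intelligence before deciding whether the alert deserves more than auto-acknowledgement.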