
  • Status: Solved

Intrusion reported, but why?


I am running Windows XP Pro.

Norton Internet Security 2005 reported this error several times at the same site on my machine.  

Attempted Intrusion "MSIE_File_Drag_and_Drop_Embed_Code" against your machine was detected and blocked.
Intruder: my.domain.com(xx.xx.xx.xxx)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP:
Attacked Port: 2011.

Now, I have a special concern about this because I actually created the files at that website and it's mostly plain vanilla html with drop down menus made using my software suite.  There are 4 files that use php to create a small database and this database is used in only one area of the site.  When surfing to this site, the home page comes up, but then the pattern becomes erratic.  If I click on the starting page for the dynamic pages, that also comes up, but the pursuant files do not.  After that, the rest of the site (html files) will not display either.

I called Symantec and spent 2 hours with them today. They are now "researching" this issue and will call me back tomorrow.  They did duplicate the problem. If I turn the Internet Security off the entire site displays just fine.  There is really nothing particularly unusual about this site.  It has been functioning well since it was installed on the server.  I'm not certain how long this has been going on, but a search for this problem brought me to this page:

http://www.symantec.com/avcenter/security/Content/2005.02.14.html   which states that on Feb 14 some update addressed the issue of MSIE_File_Drag_and_Drop_Embed_Code.   I wonder if that is when the issue actually began.  

I've called the web host for the site and he cannot identify anything at all wrong with the site.  I'm not certain what could be tripping this intrusion report but the bottom line is that I fear that a substantial number of people may have difficulty viewing the site and I don't know what to do.  I don't know what this is referring to.  There are no files to drag and drop on this site.  I do have a couple of links to .pdf files on some pages, and outbound links to other sites too, but as I said, it's all been working just fine up until now for a long time.  

I found some further information that is difficult for me to understand, yet I believe may be related, at this page:  http://www.sans.org/newsletters/risk/vol3_33.php

How can I fix something when I don't know what's causing the issue?!!  Help!!  I am responsible for making this website work properly.

I have NO problems whatsoever with other pages on the net on this system.  
1 Solution
Not to trivialize your issue, but there are quite a few IDS/IPS signatures that are written very poorly...

This one sounds like a false-positive, but since you alerted Symantec to the problem they will probably also corroborate my opinion and come up with an update.

They do not provide any further information on the details of this signature and I'm guessing that this alert was meant to detect when Websites are either depositing files to your system (e.g. Open, Save, etc. dialogue windows) or that an embedded Web function called a file to be read.

Regardless, this is probably a false-positive and I would ignore the alert until Symantec fixes it or states that it's a bogus alert and to simply ignore it.
linque (Author) Commented:

Yup, they have been working with me. I've been passed to the software development and research team.  It's frustrating and they move a bit slowly, but in the end they are trying to be helpful both to me and to themselves.  Thank you for your thoughtful opinion.
