Author Topic: HTML:Iframe Exploit - Seems False, Can't get Heuristics working  (Read 2920 times)

steelcuda

  • Guest
I'm running 4.7 Pro and just recently started getting HTML:Iframe Exploit Virus messages from "some" messages in Outlook Web Access. When I view the message in Outlook 2007, there is no virus warning. I have not "fixed" the message, since it says it can't be fixed.

I believe this to be a false positive.  I've run a full scan, a malicious software scanner, spybot, scoured over a hijackthis log and see nothing.

Any help would be appreciated.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89288
  • No support PMs thanks
Re: HTML:Iframe Exploit - Seems False, Can't get Heuristics working
« Reply #1 on: August 09, 2007, 08:30:16 PM »
You will have noticed that this is classed as suspicious and not infected?

The iFrame HTML tag is a powerful tool which can import and execute data. Whilst this is fine on a web site for importing dynamic data, it can still be put to malicious purposes as well as good.

It isn't often used in emails, and usually for ads, etc. However, the potential for harm is great, and since avast can't assess that potential at the time of scanning, it has to wait until that content was downloaded (too late); that is why the Heuristics flag it as suspicious.

If you know the remote address/url that the imported data is coming from (and you trust it) you can add that to the permitted URLs in the Heuristics section of the Internet Mail provider.

The Heuristics are in the Outlook/Exchange provider/plug-in.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: HTML:Iframe Exploit - Seems False, Can't get Heuristics working
« Reply #2 on: August 09, 2007, 11:26:53 PM »
Like David said, the iframe tag is normally used in HTML pages and is generally used to load dynamic content into a section (frame) of the existing page. Because it calls another page/URL, if this is used in an email it can be potentially dangerous. You can add the URL on the frame to the permitted URLs on that tab of settings ;)

For more information about Iframes you can use the search option on this board and/or read these websites:

http://www.microsoft.com/technet/security/Bulletin/MS04-040.mspx
http://secunia.com/advisories/12959/
http://www.clariondeveloper.com/firewallreporting/IEIframeSettings.htm
http://forum.avast.com/index.php?topic=11637.msg98436#msg98436
The best things in life are free.

steelcuda

  • Guest
Re: HTML:Iframe Exploit - Seems False, Can't get Heuristics working
« Reply #3 on: August 10, 2007, 05:11:45 PM »
David and Tech.  Thank you for the replies.  The message that I am getting is "Virus Found!"  My choices are to try and fix or move to the chest.  I've tried to add http://exchange.excella.com (our email server) and exchange.excella.com with no luck.  Am I missing something?  Do I have to restart a service or something to that effect?

Thank you.

Offline Lisandro

Re: HTML:Iframe Exploit - Seems False, Can't get Heuristics working
« Reply #4 on: August 11, 2007, 03:26:28 AM »
> I've tried to add http://exchange.excella.com (our email server) and exchange.excella.com with no luck.

Maybe the wildcards...
exchange.excella.com*
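
The iframe check and the permitted-URL wildcards discussed in the replies above can be pictured with the following added example, which is not part of the thread and is not avast's code. It assumes shell-style glob matching against the whole URL (how avast matches its permitted URLs is not stated in this thread), and the host names and message body are constructed.

```python
from fnmatch import fnmatchcase
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")


def is_permitted(url, patterns):
    """True if url matches a permitted pattern (assumed: case-insensitive glob)."""
    return any(fnmatchcase(url.lower(), p.lower()) for p in patterns)


def review_message(html_body, patterns):
    """Return (src, verdict) per iframe; verdict is 'permitted' or 'suspicious'."""
    collector = IframeCollector()
    collector.feed(html_body)
    collector.close()
    return [(src, "permitted" if is_permitted(src, patterns) else "suspicious")
            for src in collector.sources]


# Constructed sample message body (not taken from the thread).
SAMPLE = """<html><body>
<p>Quarterly report attached.</p>
<iframe src="http://mail.example.test/owa/preview.aspx?id=42"></iframe>
<IFRAME SRC="http://ads.example.invalid/banner" width="0" height="0"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for patterns in (["mail.example.test"],           # bare host: no match
                     ["http://mail.example.test"],    # no wildcard: no match
                     ["http://mail.example.test/*"],  # anchored prefix: match
                     ["*mail.example.test*"]):        # matches, but too broad
        print(patterns, review_message(SAMPLE, patterns))
```

Under this assumed matching, a bare host name or a URL without a wildcard never equals the full iframe address. A pattern wrapped in wildcards on both sides also permits any URL that merely contains the host name, so a prefix anchored on scheme and host is the narrower choice.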

Offline DavidR

Re: HTML:Iframe Exploit - Seems False, Can't get Heuristics working
« Reply #5 on: August 11, 2007, 02:28:00 PM »
> David and Tech.  Thank you for the replies.  The message that I am getting is "Virus Found!"  My choices are to try and fix or move to the chest.  I've tried to add http://exchange.excella.com (our email server) and exchange.excella.com with no luck.  Am I missing something?  Do I have to restart a service or something to that effect?
>
> Thank you.

Can you replicate this and either give us the full text (check the avast log viewer, warning section) or a screenshot of the avast alert?

I don't believe you have to restart a service, but the alert, I would suspect, isn't for a URL but an HDD location, hence the reason adding your email server to the exclusions doesn't work.