Author Topic: meanings of "suspicious whitespace" and "<iframe> tag found" (Read 2342 times)

nweissma · « **on:** June 14, 2007, 07:23:11 AM »

the avast free reports, of incoming email,

"suspicious white space sequence"
and "<iframe tag found>"

i know now that all of the instances of the first type have been legitimate, and highly respectable, senders. what does 'suspicious white space' mean?

and what is potentially pernicious about "<iframe>"?

DavidR · « **Reply #1 on:** June 14, 2007, 02:41:27 PM »

It has on occasion been used to mask something, by using spaces to force something out of the limited view, either in the subject but most commonly in the attachment file name, e.g.
"this-is-a-harmless-text-file.txt .exe"

If the sender is placing lots of spaces in the subject or attachment ask them not to or what is the purpose of them doing it.

The iFrame HTML tag is a powerful tool which can import and execute data. Whilst this is fine on a web site for importing dynamic data, it can still be put to malicious purposes as well as good.

It isn't often used in emails and usually for ads, etc. however the potential for harm is great and since avast can't assess that potential at the time of scanning, it has to wait until that content were downloaded (too late) that is why the Heuristics flag it as suspicious.

If you know the remote address/url that the imported data is coming from (and you trust it) you can add that to the permitted URLs in the Heuristics section of the Internet Mail provider.

Remember the alert is over a suspect action and not a certain infection, these actions are controlled by the Heuristic section of the Internet mail provider where the settings can be customised.

Lisandro · « **Reply #2 on:** June 14, 2007, 02:52:18 PM »

The iframe tag is normally used in html pages and is generally used to load dynamic content into a section (frame) of the existing page.
Because it calls another page/url if this is used in an email it can be potentially dangerous.
There is some security settings that you can change to limit this in the Heuristic tab of settings of Internet Mail provider and Outlook plugin.
You can add the url on the frame to the permited urls on that tab of settings

For more information about Iframes you can use the search option on this board and/or read these websites:

http://www.microsoft.com/technet/security/Bulletin/MS04-040.mspx
http://secunia.com/advisories/12959/
http://www.clariondeveloper.com/firewallreporting/IEIframeSettings.htm
http://forum.avast.com/index.php?topic=11637.msg98436#msg98436The iframe tag is normally used in html pages and is generally used to load dynamic content into a section (frame) of the existing page.
Because it calls another page/url if this is used in an email it can be potentially dangerous.
There is some security settings that you can change to limit this in the Heuristic tab of settings of Internet Mail provider and Outlook plugin.
You can add the url on the frame to the permited urls on that tab of settings

For more information about Iframes you can use the search option on this board and/or read these websites:

http://www.microsoft.com/technet/security/Bulletin/MS04-040.mspx
http://secunia.com/advisories/12959/
http://www.clariondeveloper.com/firewallreporting/IEIframeSettings.htm
http://forum.avast.com/index.php?topic=11637.msg98436#msg98436

Author Topic: meanings of "suspicious whitespace" and "<iframe> tag found" (Read 2342 times)

nweissma

meanings of "suspicious whitespace" and "<iframe> tag found"

DavidR

Re: meanings of "suspicious whitespace" and "<iframe> tag found"

Lisandro

Re: meanings of "suspicious whitespace" and "<iframe> tag found"