Metasploit Exploitation Scenarios – Scenario 3 Astaro Security Gateway & Dr.Web Antivirus

Third scenario of the Metasploit Exploitation Scenarios.

Here, the user is a standard user, protected by 5 countermeasures:

– Firewall rules that limit outbound connections to specific ports only.
– Transparent HTTP/S proxy for web surfing.
– Dual antivirus (Avira / ClamAV) scanning of web traffic (useless in this case, due to the Astaro bugs).
– Dr.Web Antivirus on the target Windows XP.
– Windows Firewall on the target Windows XP.

ClamAV antivirus blocking Yahoo and Apple: HTML.IFrame-39

We have experienced some issues with the ClamAV antivirus when trying to access the Yahoo or Apple websites. Access is denied with the message “Virus ‘HTML.IFrame-39’ found”.

The “HTML.IFrame-39” pattern was introduced in daily ClamAV DB update 10766, dated Apr 20, 2010, 8:10 PM.

Submission-ID: 15222955
Sender: llattan
Submission notes: Email link leads to a URL not found.
Added: Email.Trojan-162
Added: HTML.IFrame-39

Maybe some more websites are affected by this false positive.

Below is a list of affected websites: http://uk.yahoo.com, http://fr.yahoo.com, http://www.apple.com, http://www.lenovo.com, http://www.aqa.org.uk, http://www.alice-dsl.de, http://www.sky.de
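When a signature like HTML.IFrame-39 starts blocking legitimate sites, the practical steps are to confirm which engine/DB version and which signature fired, dump the signature itself, and suppress it locally with a ClamAV .ign2 ignore file until the upstream database is corrected. The script below is an added example (not code from the original post or from the Astaro/ClamAV projects). It assumes clamscan and sigtool are on PATH for the live check, that the database directory is /var/lib/clamav (override with CLAMDB), and it uses a local.ign2 file name of my own choosing; the clamscan output parsed in the usage example is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): triage a suspected ClamAV
# false positive such as HTML.IFrame-39 and suppress it locally via an
# .ign2 ignore file until the upstream signature database is fixed.
# Assumptions: clamscan/sigtool are on PATH for the live check, and the
# database directory is /var/lib/clamav (override with CLAMDB).

CLAMDB="${CLAMDB:-/var/lib/clamav}"

# Extract the signature name(s) from clamscan output.
# clamscan prints one "<path>: <Signature.Name> FOUND" line per hit.
found_sigs() {
    # $1: clamscan output (text)
    printf '%s\n' "$1" | sed -n 's/^.*: \(.*\) FOUND$/\1/p' | sort -u
}

# Return 0 if the named signature appears in the clamscan output.
hit_by() {
    # $1: clamscan output, $2: signature name
    found_sigs "$1" | grep -qx "$2"
}

# Append a signature name to the local .ign2 whitelist, once.
# ClamAV's .ign2 format is one signature name per line; clamscan/clamd
# skip every listed signature once the database is (re)loaded.
ignore_sig() {
    # $1: ign2 file path, $2: signature name
    touch "$1"
    if ! grep -qx "$2" "$1"; then
        printf '%s\n' "$2" >> "$1"
    fi
    grep -cx "$2" "$1"   # prints 1 when the entry is present exactly once
}

# Live check (only runs when ClamAV is installed): show the engine/DB
# version, decode the suspect signature, scan the file, and whitelist
# the signature if it is the one that fired.
triage_file() {
    # $1: file to scan, $2: suspected false-positive signature name
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed"; return 2; }
    clamscan --version                       # e.g. "ClamAV 0.96/10766/<DB date>"
    sigtool --find-sigs="$2" | sigtool --decode-sigs
    out=$(clamscan --no-summary --infected -d "$CLAMDB" "$1")
    if hit_by "$out" "$2"; then
        ignore_sig "$CLAMDB/local.ign2" "$2" >/dev/null
        echo "$2 added to $CLAMDB/local.ign2; run 'clamdscan --reload' to apply on clamd"
    else
        echo "$2 did not fire on $1"
    fi
}

# Usage with a constructed clamscan output (no ClamAV needed for this part):
SAMPLE_OUT='/var/www/index.html: HTML.IFrame-39 FOUND
/var/www/ok.html: OK'
if hit_by "$SAMPLE_OUT" "HTML.IFrame-39"; then
    echo "sample output hits HTML.IFrame-39"
fi
# Against a real saved page: triage_file /tmp/yahoo-index.html HTML.IFrame-39
```

The .ign2 entry is a local, reversible workaround: it only disables the named signature, so keep the file under change control and remove the entry once a later daily update drops or corrects the pattern.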