The scan results below are false positives for Exploit.IFrame.Gen.

I ran a Clamav scan inside the Windows 2000 Vmware machine and it came back clean --zero viruses-- whereas the external scan (of the vmdk file) detected the virus! The other Vmware machines (see below) that came back with Exploit.IFrame.Gen (an IE exploit virus) are Redhat 7.2 and --no-- the redhat machines never ran as mail servers. All scans were run with the same Clamav database update.

There have been reports on some forums of this same false positive problem in Vmware .vmdk files (linuxquestions.com and redhat.com).

Also, other virus scanners did not find the Exploit.IFrame.Gen virus in these same files.

Maybe the simple solution here is to just exclude .vmdk files from the scan.


>From: "Steffen Heil" <[EMAIL PROTECTED]>
>Reply-To: ClamAV users ML <[EMAIL PROTECTED]>
>To: "'ClamAV users ML'" <[EMAIL PROTECTED]>
>Subject: AW: [Clamav-users] VMWARE and False positives?
>Date: Sat, 11 Dec 2004 12:31:20 +0100
>
>Hi
>
>VMDKs are VMware's disks. So if you have an infected file in a filesystem
>of a virtual machine, it is stored in the VMDK.
>So boot your VM and run clamscan there. It will tell you which file in the
>virtual file system is infected.
>
>However, since vmware stores all files in the vmdk, it is NOT a false
>positive.
>Deleting a vmdk (and hence a full virtual drive) is not a good idea for only
>some infected files.
>
>It would be best to exclude vmdk from virus scanning at the host and also do
>virus scanning at the guest os.
>
>
>Beware, that erased files in the virtual file system will only be
>overwritten in the vmdk, if other data is stored there.
>Hence, the vmdk will stay "infected", if you delete virii from the virtual
>file system.
>(Just as free blocks of a drive will stay infected, if you just delete
>files.)
>
>Regards,
>   Steffen
>
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On behalf of Scott Moore
>Sent: Friday, 10 December 2004 21:46
>To: [EMAIL PROTECTED]
>Subject: [Clamav-users] VMWARE and False positives?
>
>I am getting the following in my scans and knowing what I know about Vmware,
>I think they are false positives:
>
>C:\VMware Files\RH72 BASE\Linux.vmdk: Exploit.IFrame.Gen FOUND
>C:\VMware Files\RH72 Test ED\Linux.vmdk: Exploit.IFrame.Gen FOUND
>C:\VMware Files\W2K SQL IIS ActiveX Dev\Windows 2000 Server-02.vmdk: Exploit.IFrame.Gen FOUND
>C:\VMware Files\Windows 2000 Server COR\Windows 2000 Server-02.vmdk: Exploit.IFrame.Gen FOUND
>
>Has anyone seen anything like this?
>
>
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
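An added triage script for the advice in this thread (not code from the list or from the ClamAV project): it parses clamscan's "path: Signature FOUND" lines, sets hits inside .vmdk images aside for an in-guest scan instead of treating them as cleanable host files, and builds a host-side clamscan command that skips .vmdk files. The sample output and the scan root are constructed assumptions.

```bash
#!/usr/bin/env bash
# Constructed sample clamscan output in the "path: Signature FOUND" format
# (not real scan results; the third signature name is a placeholder).
SAMPLE_OUTPUT='C:\VMware Files\RH72 BASE\Linux.vmdk: Exploit.IFrame.Gen FOUND
C:\VMware Files\W2K SQL IIS ActiveX Dev\Windows 2000 Server-02.vmdk: Exploit.IFrame.Gen FOUND
C:\Downloads\sample.exe: Test.Signature.Constructed FOUND
C:\Documents\notes.txt: OK'

# Read clamscan output on stdin; emit "kind<TAB>path<TAB>signature" per FOUND
# line, where kind is "vmdk" (the real file lives inside the guest filesystem,
# verify there) or "host" (a regular file, actionable on the host directly).
classify_hits() {
    local line path sig
    local re='^(.*): ([^:]+) FOUND$'   # greedy path part copes with "C:" and spaces
    while IFS= read -r line; do
        [[ $line =~ $re ]] || continue
        path=${BASH_REMATCH[1]}
        sig=${BASH_REMATCH[2]}
        if [[ $path == *.vmdk || $path == *.VMDK ]]; then
            printf 'vmdk\t%s\t%s\n' "$path" "$sig"
        else
            printf 'host\t%s\t%s\n' "$path" "$sig"
        fi
    done
}

# Paths of hits that need an in-guest clamscan, one per line.
vmdk_hits() { classify_hits | awk -F'\t' '$1 == "vmdk" { print $2 }'; }

# Hits on regular host files, one "path: signature" per line.
host_hits() { classify_hits | awk -F'\t' '$1 == "host" { print $2 ": " $3 }'; }

# Host-side scan that excludes .vmdk images, as the thread suggests; clamscan's
# --exclude=REGEX option is real, the default scan root is an assumption.
host_scan_cmd() { printf "clamscan -r --exclude='%s' %s\n" '\.vmdk$' "${1:-/srv/vm}"; }

printf '%s\n' "$SAMPLE_OUTPUT" | classify_hits
host_scan_cmd
```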
