Tom Shaw wrote: > At 5:21 PM +0200 10/23/09, Per Jessen wrote: >> >>I have 157 mails that hit the signature, but doesn't >>contain 'update.microsoft.com'. I'll be back later with an update. >> > > gzip them to me and I'll take a peak also. > Umm, something's weird - I've just handtested a couple of these suspect FPs with clamscan, and didn't see a hit. (We're using clamd in production). I might have been a little early with the FP report. /Per Jessen, Zürich