[sanesecurity] Re: False positives on MBL_144360.UNOFFICIAL

  • From: Henrique de Moraes Holschuh <henrique.holschuh@xxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 04 Mar 2011 14:35:55 -0300

On 03-03-2011 21:47, Scott Silva wrote:
> MBL_144360.UNOFFICIAL gives me false positives

Also here, HOWEVER:

The signature identified as such from a fresh download from www.malwarepatrol.com.br decodes to

u p d a t e . m u l t i v a c c i n e . c o . k r / s e t u p a

minus the spaces. This string is NOT anywhere in the emails that got quarantined here because of the signature.

clamav 0.96.5.

I don't have the problematic mbl.ndb anymore, can anyone that still has it decode the sig and check? It might have been updated in the meantime.

Sig I got here:
MBL_144360:0:*:7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061

If the signature is indeed the one above, bad things might be afoot.

--
Henrique de Moraes Holschuh <hmh@xxxxxxxxxxxxx>
IM@ - Informática de Municípios Associados
Telecommunications Engineering
TEL +55-19-3755-6555/CEL +55-19-9293-9464

Before printing, remember your commitment to the Environment
and the cost you can avoid.
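
The decode-and-check step requested in the message above, as an added example that is not part of the original post and is not ClamAV code: it parses the posted `.ndb` line, extracts the literal bytes between any wildcards, and reports whether they occur in the raw message or in a transfer-decoded MIME part. The function names and both sample messages are constructed for illustration.

```python
import base64
import email
import re

# Signature line exactly as posted above. ClamAV .ndb layout:
# Name:TargetType:Offset:HexSignature (optional trailing fields are ignored).
SIG_LINE = ("MBL_144360:0:*:7570646174652e6d756c746976616363696e65"
            "2e636f2e6b722f736574757061")

# One token per wildcard construct, otherwise one byte (hex pair or nibble wildcard).
TOKEN = re.compile(r"\{[^}]*\}|\[[^\]]*\]|!?\([^)]*\)|\*|[0-9a-fA-F?]{2}")
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

def parse_ndb(line):
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}

def literal_fragments(hexsig):
    """Return the fixed byte runs of a signature body, split at every wildcard."""
    frags, cur = [], ""
    for tok in TOKEN.findall(hexsig):
        if HEX_BYTE.fullmatch(tok):
            cur += tok
        elif cur:
            frags.append(bytes.fromhex(cur))
            cur = ""
    return frags + ([bytes.fromhex(cur)] if cur else [])

def message_views(raw):
    """Yield the raw message plus every transfer-decoded MIME leaf part."""
    yield "raw", raw
    for i, part in enumerate(email.message_from_bytes(raw).walk()):
        body = None if part.is_multipart() else part.get_payload(decode=True)
        if body:
            yield f"part{i}", body

def triage(sig_line, raw):
    """Map each literal fragment to the message views that contain it."""
    frags = literal_fragments(parse_ndb(sig_line)["hexsig"])
    return {f: [lbl for lbl, data in message_views(raw) if f in data] for f in frags}

# Constructed sample messages (not taken from the thread).
NEEDLE = literal_fragments(parse_ndb(SIG_LINE)["hexsig"])[0]
PLAIN = b"Subject: report\r\n\r\nQuarterly numbers attached.\r\n"
ENCODED = (b"Content-Type: text/plain\r\nContent-Transfer-Encoding: base64\r\n\r\n"
           + base64.b64encode(b"see " + NEEDLE + b"\n") + b"\r\n")

if __name__ == "__main__":
    print(parse_ndb(SIG_LINE)["name"], "->", NEEDLE.decode("ascii"))
    for label, msg in (("plain", PLAIN), ("encoded", ENCODED)):
        print(label, triage(SIG_LINE, msg))
```

An empty list for a fragment means its bytes appear neither in the raw message nor in the parts as decoded by Python's `email` module; ClamAV also unpacks archives and normalises HTML before matching, which this sketch does not reproduce.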
