[sanesecurity] Re: False positives on MBL_144360.UNOFFICIAL

  • From: Cernohorsky Wolfgang <Wolfgang.Cernohorsky@xxxxxxxxxxxxxxx>
  • To: "sanesecurity@xxxxxxxxxxxxx" <sanesecurity@xxxxxxxxxxxxx>
  • Date: Mon, 7 Mar 2011 08:07:32 +0000

-----Original Message-----
> From: sanesecurity-bounce@xxxxxxxxxxxxx 
> [mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On Behalf Of Henrique de Moraes 
> Holschuh
> Sent: Friday, March 04, 2011 6:36 PM
> To: sanesecurity@xxxxxxxxxxxxx
> Subject: [sanesecurity] Re: False positives on MBL_144360.UNOFFICIAL
> 
> On 03-03-2011 21:47, Scott Silva wrote:
>> MBL_144360.UNOFFICIAL gives me false positives
> 
> Also here, HOWEVER:
> 
> The signature identified as such from a fresh download from 
> www.malwarepatrol.com.br decodes to
> 
> u p d a t e . m u l t i v a c c i n e . c o . k r / s e t u p a
> 
> minus the spaces.  This string is NOT anywhere in the emails that got 
> quarantined here because of the signature.
> 
> clamav 0.96.5.
> 
> I don't have the problematic mbl.ndb anymore, can anyone that still has it 
> decode the sig and check?  It might have been updated in the meantime.
> 
> Sig I got here:
> MBL_144360:0:*:7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061
> 
> If the signature is indeed the one above, bad things might be afoot.

Just checked the latest version I got with clamav-unofficial-sigs.sh:

sigtool --find-sigs MBL_144360 | sigtool --decode-sigs

still finds the signature, nothing changed.

Wolfgang
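The decode-and-check step discussed above, as an added Python example that is not part of the thread or of ClamAV itself: it parses the quoted .ndb line, decodes the hex body the way `sigtool --decode-sigs` does, and then searches a quarantined message, including its base64-decoded MIME parts, for the decoded string so a false positive can be confirmed. The sample messages are constructed; plain hex bodies with a `*` or fixed decimal offset are the only forms handled here, by assumption.

```python
import re
import base64
from email import message_from_bytes

# ClamAV .ndb line as quoted in the thread: Name:TargetType:Offset:HexSignature
NDB_LINE = ("MBL_144360:0:*:"
            "7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061")

def parse_ndb(line):
    """Return (name, target_type, offset, pattern_bytes) for one .ndb line.
    Only a plain hex body is accepted; ClamAV wildcards (??, *, {n-m}, (a|b))
    raise instead of being silently mis-decoded."""
    parts = line.strip().split(":", 3)
    if len(parts) != 4:
        raise ValueError("expected Name:TargetType:Offset:HexSig, got %r" % line)
    name, ttype, offset, hexsig = parts
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexsig):
        raise ValueError("%s: wildcard or malformed hex body" % name)
    return name, int(ttype), offset, bytes.fromhex(hexsig)

def decode_sig(line):
    """The text `sigtool --decode-sigs` prints for a plain hex body."""
    return parse_ndb(line)[3].decode("latin-1")

def _scan(pattern, offset, data):
    """Offsets at which pattern occurs: '*' means anywhere, a decimal string
    means that fixed offset; other ClamAV offset forms (EOF-n, EP+n) raise."""
    if offset == "*":
        return [m.start() for m in re.finditer(re.escape(pattern), data)]
    if offset.isdigit():
        pos = int(offset)
        return [pos] if data[pos:pos + len(pattern)] == pattern else []
    raise ValueError("unsupported offset form %r" % offset)

def check_message(line, raw_email):
    """False-positive check: list of (where, offset) hits in the raw message
    and in each decoded MIME part (ClamAV scans decoded parts, so a base64
    body must be decoded before searching)."""
    _name, _ttype, offset, pattern = parse_ndb(line)
    hits = [("raw", o) for o in _scan(pattern, offset, raw_email)]
    for i, part in enumerate(message_from_bytes(raw_email).walk()):
        payload = part.get_payload(decode=True)
        if payload:
            hits += [("part%d" % i, o) for o in _scan(pattern, offset, payload)]
    return hits

# Constructed sample messages (not taken from the thread).
CLEAN_MAIL = b"From: a@example.invalid\r\nSubject: hi\r\n\r\nNothing to see.\r\n"
B64_MAIL = (b"From: a@example.invalid\r\nContent-Transfer-Encoding: base64\r\n\r\n"
            + base64.b64encode(b"see update.multivaccine.co.kr/setupa now") + b"\r\n")
```

A mail that matches only after base64 decoding shows why a plain grep of the quarantined file can disagree with clamd.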
