-----Original Message-----
> From: sanesecurity-bounce@xxxxxxxxxxxxx
> [mailto:sanesecurity-bounce@xxxxxxxxxxxxx] On Behalf Of Henrique de Moraes
> Holschuh
> Sent: Friday, March 04, 2011 6:36 PM
> To: sanesecurity@xxxxxxxxxxxxx
> Subject: [sanesecurity] Re: False positives on MBL_144360.UNOFFICIAL
>
> On 03-03-2011 21:47, Scott Silva wrote:
>> MBL_144360.UNOFFICIAL gives me false positives
>
> Also here, HOWEVER:
>
> The signature identified as such from a fresh download from
> www.malwarepatrol.com.br decodes to
>
> u p d a t e . m u l t i v a c c i n e . c o . k r / s e t u p a
>
> minus the spaces. This string is NOT anywhere in the emails that got
> quarantined here because of the signature.
>
> clamav 0.96.5.
>
> I don't have the problematic mbl.ndb anymore, can anyone that still has it
> decode the sig and check? It might have been updated in the meantime.
>
> Sig I got here:
> MBL_144360:0:*:7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061
>
> If the signature is indeed the one above, bad things might be afoot.

Just checked the latest version I got with clamav-unofficial-sigs.sh:

    sigtool --find-sigs MBL_144360 | sigtool --decode-sigs

still finds the signature, nothing changed.

Wolfgang
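
Added example, not part of the original messages and not ClamAV or Sanesecurity code: a Python version of the check discussed in the thread, which splits an .ndb line into its fields, decodes the literal bytes of the hex body, and tests whether they occur in a message. The function names and the sample message are constructed for illustration; only `*`, `??` and `{n}`-style gaps are handled, and any other token raises `ValueError`.

```python
import re

# Tokens handled: hex byte runs, "??" (any byte), "*" (any gap),
# and "{n}", "{n-m}", "{n-}", "{-n}" gaps. Anything else is rejected.
TOKEN = re.compile(r"(?:[0-9a-fA-F]{2})+|\?\?|\*|\{(?:\d+|\d+-\d*|-\d+)\}")

def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an extended (.ndb) signature line")
    return dict(zip(("name", "target", "offset", "body"), fields))

def literal_runs(body):
    """Return the fixed byte strings of a hex body, in signature order."""
    runs, pos = [], 0
    for m in TOKEN.finditer(body):
        if m.start() != pos:
            break
        pos = m.end()
        if m.group(0)[0] not in "?*{":
            runs.append(bytes.fromhex(m.group(0)))
    if pos != len(body):
        raise ValueError("unsupported token at offset %d" % pos)
    return runs

def runs_present(runs, data):
    """Necessary condition for a match: every literal run occurs in data,
    in order. Gap lengths are not checked, so True is not proof of a hit."""
    pos = 0
    for run in runs:
        hit = data.find(run, pos)
        if hit < 0:
            return False
        pos = hit + len(run)
    return True

# Signature line as quoted in the thread.
SIG_LINE = ("MBL_144360:0:*:7570646174652e6d756c746976616363696e65"
            "2e636f2e6b722f736574757061")
# Constructed sample message, standing in for a quarantined mail.
SAMPLE_MAIL = b"Subject: report\r\n\r\nPlease find the report attached.\r\n"

if __name__ == "__main__":
    sig = parse_ndb(SIG_LINE)
    runs = literal_runs(sig["body"])
    print(sig["name"], [r.decode("ascii", "replace") for r in runs])
    print("literal bytes present in sample:", runs_present(runs, SAMPLE_MAIL))
```

If `runs_present` returns False for a message that the scanner flagged under the same signature name, the signature file being decoded is not the one that produced the hit.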