Hi All,

Just to provide a quick explanation on what happened to those who were/are using the MBL signatures and the MBL_144360 signature.

Firstly, MBL_144360 signature(s) are produced and distributed by Malware Patrol (http://www.malware.com.br/index.shtml) and aren't distributed by the Sanesecurity mirrors, and therefore can't be checked for any BIG False Positive problems by me.

As soon as I began to see False Positive reports early this morning (UK time), two things happened:

1) MBL_144360 was added to sigwhitelist.ign2. This file is distributed on the Sanesecurity mirrors and is used to quickly disable ANY signatures which are causing a problem. The good thing is that this change would also have disabled the faulty signature produced by Malware Patrol; however, the downside is that until the end-user checks the mirror for an update, they wouldn't have received this update. If you only check the mirrors ONCE a day, it'll be 24 hours before you'd have received a fix... people checking hourly would obviously have received the fix in an hour.

2) An announcement was then made to the Sanesecurity and Sanesecurity announce mailing list(s) to alert people to what had happened, and then I proceeded to check what might have happened to their signature.

What went wrong? Well... I think they put out an update which had a problem... this is the signature concerned:

MBL_144360:0:*:7570646174

which decodes to "updat".

In a nutshell... any email containing the word "updat" would be flagged as a virus (ie. updated, updates); that's why there were sooo many false positives.

Some point later, Malware Patrol did another update; this time the signature (using the same signature name) changed to:

MBL_144360:0:*:7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061

which decodes to "update DOT multivaccine DOT co DOT kr/setupa" (remove the DOTs). So, again... how long you were exposed to the problem depended on how many times your script updated from them.

I think that about covers what actually happened... and I apologise to everyone that got hit with this one, even though this was out of my control. What is in my control is the ham checks done, using signatures produced/distributed by the Sanesecurity mirrors, before the signatures are pushed out to the mirrors, which is designed to try and avoid situations like this.

Out of interest, I scanned my ham data with the faulty Malware Patrol database; this is what happened:

Scanned files: 496
Infected files: 123

So, that sig would have been rejected before getting out... so, if there is a positive in this, it's that my ham data check would have worked as designed.

Thanks for listening, and hope this goes some way to explain what happened.

Cheers,
Steve
Sanesecurity
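The ham check described above, as an added example rather than anything from the post or from Sanesecurity's own scripts: it parses the two MBL_144360 lines quoted in the post as ClamAV-style .ndb signatures (name:target:offset:hexsig), decodes the hex pattern, scans a constructed ham corpus, and rejects any signature whose false-positive ratio exceeds a threshold. The ham mails, the 1% threshold and the function names are assumptions.

```python
import re

# Constructed stand-in for a real ham (known-good mail) corpus.
HAM_CORPUS = [
    "Please find the updated report attached.",
    "Software updates are available for your workstation.",
    "Meeting moved to 3pm, see you there.",
    "Quarterly figures are in the shared folder.",
]

# The two MBL_144360 variants quoted in the post (ClamAV .ndb style).
SIGNATURES = [
    "MBL_144360:0:*:7570646174",
    "MBL_144360:0:*:7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061",
]


def parse_ndb(line):
    """Split an .ndb line into name, target type, offset and the raw byte pattern."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    if not re.fullmatch(r"[0-9a-fA-F]+", hexsig) or len(hexsig) % 2:
        raise ValueError(f"{name}: hex signature must be an even number of hex digits")
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": bytes.fromhex(hexsig)}


def ham_check(sig, corpus, max_fp_ratio=0.01):
    """Scan the ham corpus with one signature (plain byte match, as ClamAV
    does for a hex signature). Return (hits, accepted); 'accepted' is False
    when the false-positive ratio is above the assumed threshold."""
    hits = sum(1 for body in corpus if sig["pattern"] in body.encode())
    return hits, hits / len(corpus) <= max_fp_ratio


def build_ign2(lines, corpus):
    """Return the names that failed the ham check, i.e. the entries that would
    go into a sigwhitelist.ign2 (one signature name per line) to disable them."""
    failed = []
    for line in lines:
        sig = parse_ndb(line)
        hits, ok = ham_check(sig, corpus)
        if not ok and sig["name"] not in failed:
            failed.append(sig["name"])
    return failed


if __name__ == "__main__":
    for line in SIGNATURES:
        sig = parse_ndb(line)
        hits, ok = ham_check(sig, HAM_CORPUS)
        print(f"{sig['name']} {sig['pattern'].decode('latin-1')!r}: "
              f"{hits}/{len(HAM_CORPUS)} ham hits -> {'accepted' if ok else 'REJECTED'}")
```

The first signature matches every mail containing "updat" and is rejected, while the second (the full URL fragment) produces no ham hits; in a real pipeline the corpus should be the whole ham set, not a handful of lines.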