On 03/04/2011 09:08 PM, Steve Basford wrote: > Hi All, > Hello Steve and the rest of the list, [..snip..] > What went wrong, well... I think they put out an update which had a > problem... this is the signature concerned: > > MBL_144360:0:*:7570646174 > > Which decodes to "updat". > In a nutshell... any email containing the word "updat" would be > flagged as a virus (ie. updated, updates), that's why there were sooo > many false positives. > Maybe I'm mistaken, but I think this has been suggested before. Couldn't we just block short signatures from Malware Patrol by default ? That would prevent these false positives. > Some point later, Malware Patrol did another update, this time the > signature (using the same signature name) changed to: > > MBL_144360:0:*:7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061 > > > Which decodes to "update DOT multivaccine DOT co DOT kr/setupa" > (remove the DOTs) [..snip..] > Thanks for listening and hope this comes some way to explain what > happened. > Thank you for taking the time to look into it. > Cheers, > > Steve > Sanesecurity > Cheers to you to, Leen.