[sanesecurity] Re: MBL_144360 update

  • From: Leen Besselink <leen@xxxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Sat, 05 Mar 2011 00:15:48 +0100

On 03/04/2011 09:08 PM, Steve Basford wrote:
> Hi All,
>

Hello Steve and the rest of the list,

[..snip..]

> What went wrong, well... I think they put out an update which had a
> problem... this is the signature concerned:
>
> MBL_144360:0:*:7570646174
>
> Which decodes to "updat".
> In a nutshell... any email containing the word "updat" would be
> flagged as a virus (i.e. updated, updates), that's why there were sooo
> many false positives.
>

Maybe I'm mistaken, but I think this has been suggested before. Couldn't
we just block short signatures from Malware Patrol by default? That
would prevent these false positives.

> Some point later, Malware Patrol did another update, this time the
> signature (using the same signature name) changed to:
>
> MBL_144360:0:*:7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061
>
>
> Which decodes to "update DOT multivaccine DOT co DOT kr/setupa"
> (remove the DOTs)

[..snip..]

> Thanks for listening and hope this comes some way to explain what
> happened.
>

Thank you for taking the time to look into it.

> Cheers,
>
> Steve
> Sanesecurity
>

Cheers to you too,
    Leen.
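
A sketch of the "block short signatures" filter suggested above, added here as an example and not part of the original thread or of any Sanesecurity or Malware Patrol script. It assumes the `Name:TargetType:Offset:HexSignature` layout of the two lines quoted in the thread; the 12-byte threshold and all function names are assumptions chosen for illustration.

```python
import re

MIN_LITERAL_BYTES = 12  # assumed cut-off; tune against your own false-positive data

# The two versions of the signature quoted in the thread.
SAMPLE = [
    "MBL_144360:0:*:7570646174",
    "MBL_144360:0:*:7570646174652e6d756c746976616363696e652e636f2e6b722f736574757061",
]

# ClamAV body-signature wildcards that contribute no fixed bytes:
# {n-m} jumps, [n-m] anchors, (a|b) / !(a|b) alternatives, '*' any-length gaps.
WILDCARDS = re.compile(r"\{[^}]*\}|\[[^\]]*\]|!?\([^)]*\)|\*")

def parse_sig(line):
    """Split one signature line into its first four colon-separated fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature, got %r" % line)
    return {"name": parts[0], "target": parts[1], "offset": parts[2], "hexsig": parts[3]}

def literal_bytes(hexsig):
    """Return only the fixed bytes of a hex signature; wildcards are skipped."""
    out = bytearray()
    for run in WILDCARDS.sub(" ", hexsig).split():
        for i in range(0, len(run) - 1, 2):
            pair = run[i:i + 2]
            if re.fullmatch(r"[0-9a-fA-F]{2}", pair):  # '??', 'a?', '?a' are not fixed
                out.append(int(pair, 16))
    return bytes(out)

def filter_short(lines, min_bytes=MIN_LITERAL_BYTES):
    """Partition signatures into (kept, rejected) by count of fixed bytes."""
    kept, rejected = [], []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        sig = parse_sig(line)
        lit = literal_bytes(sig["hexsig"])
        (kept if len(lit) >= min_bytes else rejected).append((sig["name"], lit))
    return kept, rejected

if __name__ == "__main__":
    kept, rejected = filter_short(SAMPLE)
    for name, lit in rejected:
        print("REJECT %s: only %d fixed bytes (%r)" % (name, len(lit), lit))
    for name, lit in kept:
        print("KEEP   %s: %d fixed bytes" % (name, len(lit)))
```

Counting fixed bytes rather than raw string length keeps a signature padded with wildcards from slipping past the length check.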

