Tom Shaw wrote: > At 4:27 PM +0200 10/23/09, Per Jessen wrote: >>I just started using the winnow_malware databases yesterday and got a >>truckload of FPs - at least 100 at last count. Did anyone see the >>same? > > You sure they were FP's? There was a boatload to fake MS updates for > office with attached url to Zeus malware over the last day or two. No, not all of them - I just counted the hits that did not contain a link or reference to 'update.microsoft.com'. > I have deactivated the signature in an abundance of caution due to > your report but I would like confirmation of FP's as all the ones we > collected here are all phish/malware droppers. I have 157 mails that hit the signature, but doesn't contain 'update.microsoft.com'. I'll be back later with an update. /Per Jessen, Zürich