[sanesecurity] Re: winnow.malware.ts.msofficeupdate.3.UNOFFICIAL

  • From: Per Jessen <per@xxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 23 Oct 2009 17:21:02 +0200

Tom Shaw wrote:

> At 4:27 PM +0200 10/23/09, Per Jessen wrote:
>>I just started using the winnow_malware databases yesterday and got a
>>truckload of FPs - at least 100 at last count.  Did anyone see the
>>same?
> 
> You sure they were FP's? There was a boatload of fake MS updates for
> office with attached url to Zeus malware over the last day or two.

No, not all of them - I just counted the hits that did not contain a
link or reference to 'update.microsoft.com'.  

> I have deactivated the signature in an abundance of caution due to
> your report but I would like confirmation of FP's as all the ones we
> collected here are all phish/malware droppers.

I have 157 mails that hit the signature, but don't
contain 'update.microsoft.com'.  I'll be back later with an update.


/Per Jessen, Zürich

