[sanesecurity] Re: winnow.malware.ts.msofficeupdate.3.UNOFFICIAL

  • From: Tom Shaw <tshaw@xxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 23 Oct 2009 11:29:29 -0400

At 5:21 PM +0200 10/23/09, Per Jessen wrote:
Tom Shaw wrote:

 At 4:27 PM +0200 10/23/09, Per Jessen wrote:
I just started using the winnow_malware databases yesterday and got a
truckload of FPs - at least 100 at last count.  Did anyone see the

 You sure they were FP's? There was a boatload to fake MS updates for
 office with attached url to Zeus malware over the last day or two.

No, not all of them - I just counted the hits that did not contain a
link or reference to 'update.microsoft.com'.
 I have deactivated the signature in an abundance of caution due to
 your report but I would like confirmation of FP's as all the ones we
 collected here are all phish/malware droppers.

I have 157 mails that hit the signature, but doesn't
contain 'update.microsoft.com'.  I'll be back later with an update.

gzip them to me and I'll take a peak also.


Other related posts: