Hi
I'm using clamav with a messagewall MTA and run freshclam 0.83 to get updates of main.cvd & daily.cvd, to convert to messagewall format I run a perl script buildpattern.pl, which uses sigtool 0.83 to unpack the .cvd files and merge them. I started seen this in the daily.db since the Daily update 756: mh4:/tmp> grep == daily.db WinREG.Lowzones.A (Clam)==530065007400740069006e00670073005c005a006f006e00650073005c0034005d000d000a002200310030003000310022003d00640077006f00720064003a00300030003000300030003000300033000d000a002200310030003000340022003d00640077006f00720064003a00300030003000300030003000300033000d000a00220031003200 Is this consider a true valid signature, since I've always for the past +2 years only seen signatures made of hex digits or my buildpattern.pl only filters out such? Having the signature starting with a '=' sign coursed my buildpattern.pl to give a empty signature in the merged output making messagewall match 30-40% of all messages like a WinREG.Lowzones.A false positive virus :( /Steffen _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
