On Sun, 2011-03-06 at 15:39 -0500, Alex wrote: > Some time ago I posted a message requesting help tracking down a false > positive, and trying to learn why it triggered. I have another one.
Yes, back in Sep 2010. A lot of people using threading and keeping an archive are unlikely to ever read this new-spawned sub-thread. IMHO, a new FP months later warrants a new thread... > $ sigtool --find-sigs MBL_144360 | sigtool --decode-sigs > VIRUS NAME: MBL_144360 > TARGET TYPE: ANY FILE > OFFSET: * > DECODED SIGNATURE: > update.multivaccine.co.kr/setupa > > Is that the correct way? I looked at the email itself, and not only is > it from a trusted sender, but it doesn't contain that URL in the > message. Am I missing something? This has extensively been discussed on the sanesecurity mailing list (even though it is unrelated to sanesecurity). This MBL sig used to be a broken, plain 'updat'. It has been fixed since, and re-issued using the same sig name. For the full story, see this. http://article.gmane.org/gmane.comp.security.virus.clamav.sanesecurity/3092 -- char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}} _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
