Looks like a false positive. I've received notifications for two different patches. I downloaded both of them locally, scanned them with VIPRE, then submitted them to virustotal.com, and clamav was the only vendor that detected them as malware.
I'm guessing that clamav doesn't like something about the Chinese encoding, or something like that. So, I submitted them as false positives to clamav.net, and whitelisted the windowsupdate.com domain in the Barracuda, and am moving on.

Kurt

On Tue, Apr 12, 2011 at 14:10, Kurt Buff <[email protected]> wrote:
> Anyone seen something like this recently, or have insight into what's
> happening?
>
> I just got a message saying that it blocked this URL twice in about a
> 10 minute span.
>
> http://au.download.windowsupdate.com/msdownload/update/software/secu/2008/07/windowsxp-kb952954-x86-chs_ea9749c96c163b3b60de3c7951ad322ed02f5155.exe
>
> Interesting things to note:
> o- It shows the download as Trojan.Downloader-88218 in both
> cases, but the file size listed is different for each instance -
> 535478 and 532630
>
> o- The URL seems to be for a patch from July of 2008, if you can
> trust the directory structure naming listed in the URL and the KB
> article listed for it.
>
> Change I made today on the WSUS server does explain why it's after
> this particular update: I updated the language settings so that the
> server will handle Chinese (Simplified), Japanese, and Spanish, and
> I'm guessing that windowsxp-kb952954-x86-chs_ is the Chinese version
> of this particular patch.
>
> That doesn't explain the blockage, though - I don't know if it's a
> correct identification or not.
>
> Kurt
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
