Helga Fcours wrote:
> Does the mytob.gh signature match on most morphine/mew packed
> binaries? Bagle.BB-gen matches all pex packed binaries that are not
> infected (notepad and wordpad included) and the pex packer binary
> itself as Bagle.BB-gen, so I suspect that this mytob signature might
> be doing the same thing.
> Clam, in a similar way, detects the morphine packer itself as
> mytob.gh and it is not infected. What is the sig targeting?
Both signatures probably detect the packer (I know for a fact that
Bagle.BB-gen does).
These signatures have been successful in preventing outbreaks of new
Mytob/Bagle variants, which is why they're still in the db. FPs have been
handled by explicitly whitelisting binaries that also use these packers
(e.g. IIRC an older version of Kazaa).
Your FP submissions are packed notepad samples. It would serve no
"benefit" to whitelist them - had it been "useful" binaries I would
gladly have added them :-)
BTW: You may encounter the same problem with other av-scanners.
Best regards,
Diego d'Ambra
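The whitelisting Diego describes is hash based: a ClamAV `.fp` file holds one `MD5:Size:Name` line per known-good file, in the same layout as an `.hdb` hash signature, and a file is only exempted from detection if both its MD5 and its size match an entry. The script below is an added example (not part of this thread and not ClamAV's own code) that builds such an entry for a constructed stand-in binary and checks a candidate file against a list of entries; the sample bytes and the names `fp_entry` and `is_whitelisted` are assumptions made for the illustration. It shows why whitelisting packed notepad samples is pointless: each distinct packed build would need its own entry.

```python
import hashlib
from typing import Iterable

# Constructed stand-in for a known-good packed binary; not a real PE file.
GOOD_BINARY = b"MZ" + b"\x90" * 62 + b"constructed packed notepad stand-in"


def fp_entry(data: bytes, name: str) -> str:
    """Build one ClamAV .fp whitelist line: MD5:Size:Name.

    The layout is the same as an .hdb hash signature; the name is a free
    label used only for reporting.
    """
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def is_whitelisted(data: bytes, fp_lines: Iterable[str]) -> bool:
    """Return True if the file's MD5 and size match some .fp entry.

    Blank lines and '#' comments are skipped. Both digest and size must
    match, so a rebuilt or re-packed file with the same label is not
    covered by an older entry.
    """
    digest = hashlib.md5(data).hexdigest()
    for line in fp_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, _name = line.split(":", 2)
        if md5.lower() == digest and int(size) == len(data):
            return True
    return False


if __name__ == "__main__":
    whitelist = [
        "# constructed whitelist for the example",
        fp_entry(GOOD_BINARY, "Kazaa.old.packed"),
    ]
    print("\n".join(whitelist))
    print("stand-in whitelisted:", is_whitelisted(GOOD_BINARY, whitelist))
    # One byte of difference (a different packed build) is no longer covered.
    print("modified build whitelisted:",
          is_whitelisted(GOOD_BINARY + b"\x00", whitelist))
```

In practice the entry is generated with `sigtool --md5 <file>` and dropped into a `.fp` file in the database directory; the point of the example is that the exemption is tied to one exact file image, which is why only binaries that people actually need (rather than arbitrary packed test samples) are worth adding.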
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html