Christopher X. Candreva wrote:
> On Fri, 3 Feb 2006, Diego d'Ambra wrote:
> > I'm investigating this.
> > I believe that signature small-1004 is matching some sort of PE
> > packer/obfuscator and must be updated to avoid detecting unrelated malware.
> Personally, I'm not as interested in naming the viruses as much as blocking
> them.
> If there is a signature that blocks multiple malware, based on some
> obfuscator that is in common use, this seems like a good thing, since there
> would be the potential of blocking future malware that uses it before we
> ever see it.
The problem arises when someone reports a false positive and the
offending signature must be removed (or updated). Then malware that once
was detected isn't any longer.
If matching a packer/obfuscator, it must be unique and not used in non-malware.
Anyway, I'm updating the signature to be equally effective against
yesterday's and today's outbreak.
Best regards,
Diego d'Ambra