On 3/6/2011 3:43 PM, Alex wrote:
> Hi,
> $ sigtool --find-sigs MBL_144360 | sigtool --decode-sigs
> VIRUS NAME: MBL_144360
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> update.multivaccine.co.kr/setupa
> Is that the correct way? I looked at the email itself, and not only is
> it from a trusted sender, but it doesn't contain that URL in the
> message. Am I missing something?
There was some discussion about this particular signature on
the Sanesecurity list. Archives here:
http://news.gmane.org/gmane.comp.security.virus.clamav.sanesecurity
This signature is provided by Malware Patrol. Apparently,
originally the signature matched the string "updat", which
understandably caused quite a number of false positives.
Later, the signature was replaced with its current value.
Don't spend too much time trying to debug it now, because the
signature has changed.
-- Noel Jones
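
Added example, not part of the original thread and not ClamAV or Malware Patrol code: a small Python check that decodes an .ndb-style body signature and tests it against a message, to show why a five-byte "updat" pattern fires on ordinary mail while the longer string does not. The raw signature records and the sample mail are constructed from the strings quoted above; the function names are hypothetical, and only offset "*" and the ??, * and {n}/{n-m} wildcards are handled.

```python
import re

TARGETS = {"0": "ANY FILE", "1": "PE", "4": "MAIL"}
TOKEN = re.compile(r"([0-9a-fA-F]{2})|(\?\?)|(\*)|\{(\d+)(?:-(\d+))?\}")

def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSignature (extra trailing fields ignored)."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return {"name": name, "target": TARGETS.get(target, target),
            "offset": offset, "hexsig": hexsig}

def body_regex(hexsig):
    """Translate plain hex plus the ??, * and {n}/{n-m} wildcards into a bytes regex."""
    out, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if not m:
            raise ValueError(f"unsupported token at {pos}: {hexsig[pos:pos + 8]!r}")
        byte, anyb, star, lo, hi = m.groups()
        if byte:
            out.append(re.escape(bytes.fromhex(byte)))   # literal byte
        elif anyb:
            out.append(b".")                             # ?? = any one byte
        elif star:
            out.append(b".*?")                           # *  = any number of bytes
        else:
            out.append(b".{%s}" % (f"{lo},{hi}" if hi else lo).encode())
        pos = m.end()
    return re.compile(b"".join(out), re.DOTALL)

def match(sig, data):
    """Return the matched bytes, or None. Only offset '*' (anywhere) is handled."""
    if sig["offset"] != "*":
        raise NotImplementedError("fixed/relative offsets are outside this sketch")
    m = body_regex(sig["hexsig"]).search(data)
    return m.group(0) if m else None

# Constructed inputs: signature records rebuilt from the strings quoted in this thread.
OLD_SIG = parse_ndb("MBL_144360:0:*:" + b"updat".hex())
NEW_SIG = parse_ndb("MBL_144360:0:*:" + b"update.multivaccine.co.kr/setupa".hex())
BENIGN_MAIL = b"Subject: Weekly status update\r\n\r\nPlease review the updated schedule.\r\n"

if __name__ == "__main__":
    for label, sig in (("old", OLD_SIG), ("current", NEW_SIG)):
        print(label, sig["name"], sig["target"], "->", match(sig, BENIGN_MAIL))
```

If a message still trips a signature whose decoded pattern is not in it, the scanner is most likely running a different version of the signature than the one decoded, which is the situation described in the reply above.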