On 9 Aug 2012, at 19:23, Henrik K <h...@hege.li> wrote:

> On Thu, Aug 09, 2012 at 02:07:22PM -0400, Alex wrote:
>> Hi,
>> 
>>>> # sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
>>>> Does anyone know what's going on with this domain? It doesn't look
>>>> like a domain thousands of my users would be including in their email
>>>> on Aug 7th, so I don't know whether the emails were really spam...
>>> 
>>> Hi Alex,
>>> 
>>> The problem I think was that the sig was bad and it was matching anything
>>> "www.", hence the huge number of FPs....
>> 
>> I thought the signatures were fixed? In other words, simple pattern
>> matching for a fixed string.
>> 
>> I didn't realize it was dynamic and could match an expression, or am I
>> missing something?
> 
> MBL's signature download (http) is unreliable and sometimes gives out
> incomplete files.  Obviously if the file cuts out in the middle of a signature
> this can happen.
> 

Sorry off subject, but...

Really? Surely no engine would allow incomplete signatures to load and be used?

> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
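
The failure mode discussed in this thread, as an added example that is not code from the thread, MBL, or ClamAV: a download that stops partway through a hex pattern still leaves a well-formed but much shorter record, so a pre-install check has to look at size, the trailing newline, and pattern length. It assumes the file uses ClamAV's `.ndb` layout (`Name:TargetType:Offset:HexSignature`); the record names, the domain, and the `MIN_FIXED_BYTES` threshold are constructed for illustration.

```python
import re

MIN_FIXED_BYTES = 8  # assumed local policy threshold, not a ClamAV constant

def ndb_line(name, text):
    """Constructed record in .ndb layout: Name:TargetType:Offset:HexSignature."""
    return f"{name}:0:*:{text.encode().hex()}\n".encode()

def check_ndb(data, expected_len=None):
    """Return reasons a downloaded .ndb file should not be installed."""
    problems = []
    # expected_len would come from the server's Content-Length or a manifest.
    if expected_len is not None and len(data) != expected_len:
        problems.append(f"size {len(data)} != expected {expected_len}")
    if not data.endswith(b"\n"):
        problems.append("no trailing newline: last record may be cut off")
    for n, line in enumerate(data.decode("ascii", "replace").splitlines(), 1):
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            problems.append(f"line {n}: only {len(fields)} of 4 fields")
            continue
        hexsig = fields[3]
        if not re.fullmatch(r"[0-9a-fA-F]*", hexsig):
            continue  # wildcard bodies are out of scope for this sketch
        if len(hexsig) % 2:
            problems.append(f"line {n}: odd number of hex digits")
            continue
        fixed = bytes.fromhex(hexsig)
        if len(fixed) < MIN_FIXED_BYTES:
            problems.append(f"line {n}: {fields[0]} would match any {fixed!r}")
    return problems

# Constructed sample: two full records, then the same file cut off 8 hex
# digits (4 bytes) into the second pattern, leaving only "www.".
FULL = (ndb_line("MBL_SAMPLE_1", "www.example.invalid/a.exe")
        + ndb_line("MBL_SAMPLE_2", "www.example.invalid/b.exe"))
CUT = FULL.index(b"MBL_SAMPLE_2") + len(b"MBL_SAMPLE_2:0:*:") + 8
TRUNCATED = FULL[:CUT]

if __name__ == "__main__":
    print("full file:", check_ndb(FULL, len(FULL)))
    for reason in check_ndb(TRUNCATED, len(FULL)):
        print("truncated:", reason)
```
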