[Emerging-Sigs] FPs on "ET USER_AGENTS Suspicious User-Agent (contains loader)"

Jeff Kell jeff-kell at utc.edu
Tue Oct 12 14:11:47 EDT 2010


Not sure what the original was intended to look for, but would anchoring the "loader"
with a leading space do the trick? Or was this a generic catch for uploader/downloader?

Jeff

On 10/12/2010 2:06 PM, Jeff Kell wrote:
>  On 10/11/2010 6:46 PM, Jeff Kell wrote:
>>  This signature fires on the Inno Setup Downloader (see
>> http://en.wikipedia.org/wiki/Inno_Setup ).
> Also FPs on "Blizzard Downloader"  (World of Warcraft update engine).
>
> Jeff
>
>



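Added example, not part of the original posts and not the ET rule itself: a small regression check comparing the unanchored "loader" match, the leading-space variant proposed above, and a word-boundary match (a generalization beyond what the thread proposes). All User-Agent strings are constructed, matching is assumed case-insensitive, and treating a standalone "loader" token as the intended hit is a hypothetical reading of the rule's purpose.

```python
import re

# (user_agent, should_alert) pairs. Constructed samples, not captured traffic.
# should_alert=True marks a standalone "loader" token (assumed rule intent).
SAMPLES = [
    ("Inno Setup Downloader", False),            # FP reported in the thread
    ("Blizzard Downloader", False),              # FP reported in the thread
    ("Example Uploader 2.1", False),             # constructed benign uploader
    ("Mozilla/4.0 (compatible; loader)", True),  # token preceded by a space
    ("loader", True),                            # token at start of the header value
    ("Example-Loader/1.0", True),                # token preceded by a hyphen
]

def substring(needle):
    """Case-insensitive substring matcher (assumed nocase-style content match)."""
    return lambda ua: needle.lower() in ua.lower()

def word(needle):
    """Matcher requiring non-word characters (or string edges) around the needle."""
    rx = re.compile(r"\b" + re.escape(needle) + r"\b", re.IGNORECASE)
    return lambda ua: rx.search(ua) is not None

def evaluate(matcher):
    """Return (false_positives, misses) for a matcher over SAMPLES."""
    fps = [ua for ua, want in SAMPLES if matcher(ua) and not want]
    misses = [ua for ua, want in SAMPLES if want and not matcher(ua)]
    return fps, misses

def main():
    candidates = {
        'substring "loader"': substring("loader"),
        'substring " loader"': substring(" loader"),
        'word-boundary "loader"': word("loader"),
    }
    for name, matcher in candidates.items():
        fps, misses = evaluate(matcher)
        print(f"{name}: false positives={fps} misses={misses}")

if __name__ == "__main__":
    main()
```

On these samples the leading-space anchor removes the downloader/uploader false positives but no longer matches a User-Agent that begins with "loader" or separates it with a character other than a space.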