
Check Yo Sigs

Received an interesting report from a colleague today. Apparently WebRoot released a false-positive signature which totally borked Windows and legitimate applications in substantial volume. I haven't used their software in a while, as I've been on Avast for the last decade or so.

Malware scanning is highly selective work and rather difficult to do well: malware is usually obfuscated or polymorphic, so a signature tight enough to match it reliably tends to be brittle, and a signature loose enough to survive variation is exactly the kind that ends up matching legitimate Windows binaries too. When I was working in security, I performed a significant number of application-level cleanings and found that RegEx was usually the most beneficial, coupled with selective file searching based on ctime and OS-reported file type (got a JPEG reported as an ASCII text file? You may want to take a look at it). The DHS GRIZZLY STEPPE report (JAR-16-20296) also includes a sample signature of theirs on page 5. Worth a read if you haven't looked at it.
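The three checks described above (files changed since a given ctime, extension that does not match the content, regex signatures over the bytes) fit together in a small hunting script. What follows is an added example written for this post, not the author's own tooling and not a signature from any vendor or from the DHS report; the regex signatures, magic-byte table and the sample files it builds are constructed for illustration only.

```python
"""Hunt for suspicious files by ctime, extension/content mismatch and regex signatures.

Added example, not code from the original post. SIGNATURES, MAGIC and the
sample tree built by build_sample_tree() are constructed for illustration and
are not real detection rules or real malware.
"""
import os
import re
import tempfile
import time

# Bytes that should appear at offset 0 for the format the extension promises.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}

# Constructed regex signatures (hypothetical). Keep them narrow: a loose
# pattern here is how a scanner ends up flagging legitimate files.
SIGNATURES = {
    "php_eval_b64": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "php_preg_replace_e": re.compile(rb"preg_replace\s*\([^)]*/e['\"]", re.I),
}


def looks_like_text(data: bytes) -> bool:
    """Rough file(1)-style check: no NUL bytes and almost all printable ASCII."""
    if not data:
        return True
    if b"\x00" in data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95


def type_mismatch(path: str, data: bytes):
    """Return a reason string when the extension promises a binary format
    whose magic bytes are absent, else None (unknown extensions are skipped)."""
    ext = os.path.splitext(path)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None or data.startswith(magic):
        return None
    kind = "ASCII text" if looks_like_text(data) else "unknown binary"
    return "%s extension but %s content" % (ext, kind)


def match_signatures(data: bytes) -> list:
    """Names of every signature whose regex matches the data."""
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]


def scan_tree(root: str, since: float, max_read: int = 1 << 20) -> dict:
    """Walk root; for files whose ctime >= since, report mismatches and hits.

    ctime (inode change time) is used rather than mtime because utime() can
    backdate mtime but not ctime, so timestomped files still show up here.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.stat(path)
                if st.st_ctime < since:
                    continue
                with open(path, "rb") as f:
                    data = f.read(max_read)  # bounded read; large files are sampled
            except OSError:
                continue
            reasons = []
            mismatch = type_mismatch(path, data)
            if mismatch:
                reasons.append(mismatch)
            reasons.extend(match_signatures(data))
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_tree(root: str) -> None:
    """Write constructed sample files (not real malware) for the demo."""
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)          # genuine JPEG header
    with open(os.path.join(root, "images", "upload.jpg"), "wb") as f:
        f.write(b"<?php eval(base64_decode($_POST['c'])); ?>\n")  # PHP hiding as JPEG
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"meeting notes\n")
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php echo 'hello'; ?>\n")                  # benign PHP


def demo() -> dict:
    """Build the sample tree in a temp dir and scan everything changed in the last hour."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, since=time.time() - 3600)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Point `scan_tree()` at a web root with `since` set to just before the incident window and only the files touched since then are read, which keeps the regex pass cheap; the sample `upload.jpg` is caught twice, once for the `.jpg` extension over ASCII text and once for the `eval(base64_decode(` signature, while the real JPEG and the benign PHP file produce nothing.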