Managing software deployment
US-2015365437-A1 · Dec 17, 2015 · US
US9858415B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9858415-B2 |
| Application number | US-201113162211-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 16, 2011 |
| Priority date | Jun 16, 2011 |
| Publication date | Jan 2, 2018 |
| Grant date | Jan 2, 2018 |
Official abstract text for this publication.
Methods, systems, and computer program products are provided for recovering from false positives of malware detection. Malware signatures that are defective may be causing false positives during software scanning for malware. Such defective malware signatures may be detected (e.g., by user feedback, etc.) and revoked. Computers that are using the malware signatures to detect malware may be notified of the revoked signatures, and may be enabled to re-scan content identified as containing malware using malware signatures that do not include the revoked malware signatures. As such, if the content is determined during the re-scan to not be infected, the content may be re-enabled for usage on the computer (e.g., may be restored from quarantine storage).
Opening claim text (preview).
What is claimed is:

1. A method in an antimalware provider, comprising: transmitting a malware signature scan set and a signature identifier list to a plurality of clients, the malware signature scan set including a plurality of malware signatures used to detect content infected with malware, the signature identifier list including signature identifiers for the malware signatures of the malware signature scan set, and malware being a malicious executable software program that performs a function harmful to a computer in response to executing; receiving indications from a subset of the clients that each client of the subset of the clients manually restored content that was indicated as infected by a particular malware signature included in the malware signature set from respective quarantine storages to respective working storages, the respective quarantine storages configured to prevent execution of the content that was indicated as infected in the quarantine storage; determining that the number of clients in the subset is greater than a predetermined threshold number of clients, the predetermined threshold number of clients being based at least on an amount of time that the particular malware signature has been in circulation; generating a revocation list that includes a signature identifier for the particular malware signature; and transmitting the revocation list to the plurality of clients to enable quarantined content to be restored to working storage.

2. The method of claim 1, wherein generating comprises: generating the revocation list as a result of said determining.

3. The method of claim 2, wherein the predetermined threshold number of clients is a predetermined percentage of a total number of the clients.

4. The method of claim 2, further comprising: determining the predetermined threshold based on at least one property of the malware signature.

5. The method of claim 4, wherein said determining the predetermined threshold based on at least one property of the particular malware signature comprises: determining the amount of time the particular malware signature has been in circulation, and setting the predetermined threshold to be based on the amount of time.

6. The method of claim 4, wherein said determining the predetermined threshold based on at least one property of the particular malware signature comprises: determining a generator of the particular malware signature as being an analyst or an auto-generator, and setting the predetermined threshold based on the determined generator.

7. The method of claim 1, further comprising: generating the signature identifiers in the signature identifier list as hashes of the malware signatures of the malware signature scan set.

8. An antimalware provider system, comprising: at least one memory configured to store program instructions; and at least one processor configured to access the at least one memory and to execute the program instructions, the program instructions comprising: first instructions configured to transmit a malware signature scan set and a signature identifier list to a plurality of clients, the malware signature scan set including a plurality of malware signatures used to detect content infected with malware, the signature identifier list including signature identifiers for the malware signatures of the malware signature scan set, and malware being a malicious executable software program that performs a function harmful to a computer in response to executing; second instructions configured to receive indications from a subset of the clients that each client of the subset of the clients manually restored content that was indicated as infected by a particular malware signature included in the malware signature set from respective quarantine storages to respective working storages, the respective quarantine storages configured to prevent execution of the content that was indicated as infected in the quarantine storage; third instructions configured to determine that the number of clients in the subset is greater than a predetermined threshold number of clients, the predetermined threshold number of clients being based at least on an amount of time that the particular malware signature has been in circulation; fourth instructions configured to generate a revocation list that includes a signature identifier for the particular malware signature; and fifth instructions configured to transmit the revocation list to the plurality of clients to enable quarantined content to be restored to working storage.

9. The antimalware provider system of claim 8, wherein the fourth instructions are also configured to: generate the revocation list as a result of said determining.

10. The antimalware provider system of claim 9, wherein the predetermined threshold number of clients is a predetermined percentage of a total number of the clients.

11. The antimalware provider system of claim 9, further comprising sixth instructions configured to: determine the predetermined threshold based on at least one property of the malware signature.

12. The antimalware provider system of claim 11, wherein the sixth instructions are configured to: determine the amount of time the particular malware signature has been in circulation, and setting the predetermined threshold to be based on the amount of time.

13. The antimalware provider system of claim 8, further comprising seventh instructions configured to: generate the signature identifiers in the signature identifier list as hashes of the malware signatures of the malware signature scan set.

14. A computer-readable program memory having computer program instructions recorded thereon that, when executed by a processing device, perform a method in an antimalware provider, the method comprising: transmitting a malware signature scan set and a signature identifier list to a plurality of clients, the malware signature scan set including a plurality of malware signatures used to detect content infected with malware, the signature identifier list including signature identifiers for the malware signatures of the malware signature scan set, and malware being a malicious executable software program that performs a function harmful to a computer in response to executing; receiving indications from a subset of the clients that each client of the subset of the clients manually restored content that was indicated as infected by a particular malware signature included in the malware signature set from respective quarantine storages to respective working storages, the respective quarantine storages configured to prevent execution of the content that was indicated as infected in the quarantine storage; determining that the number of clients in the subset is greater than a predetermined threshold number of clients, the predetermined threshold number of clients being based at least on an amount of time that the particular malware signature has been in circulation; generating a revocation list that includes a signature identifier for the particular malware signature; and transmitting the revocation list to the plurality of clients to enable quarantined content to be restored to working storage.

15. The computer-readable program memory of claim 14, wherein generating comprises: generating the revocation list as a result of said determining.

16. The computer-readable program memory of claim 15, wherein the predetermined threshold number of clients is a predetermined percentage of a total number of the clients.

17. The computer-readable program memory of claim 15
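The flow described in the abstract and in claims 1, 3, 5 and 7, sketched as an added example that is not taken from the patent: the provider counts distinct clients that manually restored content flagged by a signature, revokes the signature once the count exceeds an age-dependent threshold, and the client re-scans quarantine without the revoked signatures. The SHA-256 identifier, the threshold schedule, the substring matching and all sample data are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def signature_id(signature: bytes) -> str:
    # Claim 7: identifiers are hashes of the signatures. SHA-256 is an assumption.
    return hashlib.sha256(signature).hexdigest()

def threshold_fraction(days_in_circulation: int) -> float:
    # Assumed schedule (not from the patent): a new signature is less field-proven,
    # so fewer manual restores are needed before it is treated as defective.
    if days_in_circulation < 7:
        return 0.01
    if days_in_circulation < 90:
        return 0.05
    return 0.20

@dataclass
class Provider:
    total_clients: int
    released_day: dict                              # sig_id -> release day number
    restores: dict = field(default_factory=dict)    # sig_id -> set of client ids

    def report_manual_restore(self, client_id: str, sig_id: str) -> None:
        # Count each client once per signature; ignore ids that were never shipped.
        if sig_id in self.released_day:
            self.restores.setdefault(sig_id, set()).add(client_id)

    def revocation_list(self, today: int) -> list:
        return sorted(sid for sid, clients in self.restores.items()
                      if len(clients) > threshold_fraction(today - self.released_day[sid])
                      * self.total_clients)

def rescan_quarantine(quarantine: dict, scan_set: dict, revoked: set) -> list:
    # Client side: re-scan with the non-revoked signatures only; return the items
    # that are now clean and may leave quarantine.
    active = [pat for sid, pat in scan_set.items() if sid not in revoked]
    return sorted(name for name, data in quarantine.items()
                  if not any(pat in data for pat in active))

def demo():
    good, bad = b"EVIL_DROPPER_V2", b"#!/bin/sh"    # constructed toy signatures
    scan_set = {signature_id(s): s for s in (good, bad)}
    provider = Provider(1000, {signature_id(good): 0, signature_id(bad): 98})
    for n in range(11):
        provider.report_manual_restore(f"client-{n}", signature_id(bad))
    provider.report_manual_restore("client-0", signature_id(good))
    revoked = provider.revocation_list(today=100)
    quarantine = {"backup.sh": b"#!/bin/sh\necho ok\n", "mixed.sh": b"#!/bin/sh\nEVIL_DROPPER_V2\n"}
    return revoked, rescan_quarantine(quarantine, scan_set, set(revoked))
```

In the demo, `mixed.sh` stays quarantined because a signature that was not revoked still matches it; only content flagged solely by the revoked signature is released.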
by virus signature recognition · CPC title
involving long-term monitoring or reporting · CPC title