|
Doug, The fault is in the detection test not the JPG. And in the fact that this Vulnerability is so new that there has not been the usual time for careful testing before this test was released. (This is also why the test is found in an interim not a fully tested release.) Scott got us a quick fix based what was known at the time. He is also well aware of the "1% problem" and will keep us posted ASAP when a better test is available. For sites that need safety above all else, a broken test is better than nothing. For us (and you?) we just can't have 1% of good files called bad (unless there is a virus outbreak by e-mail that's not caught by normal AV programs). If you need to pass the files and can relay on AV to catch bugs switching back to 1.79-i?? will remove the over active test. I'm guessing (the detail doesn't make much difference) that it is based around a couple of simple string matches. If I find this sting of bytes here and another string of byte somewhere else than bingo a "bad" jpeg. But the test is too simple and is catching files that are not broken. Greg Doug Anderson wrote: Ok, maybe it's just me but something seems funky. Given that 99% of the jpg's will go through no problem and the other 1% will be caught, that means the 1% are unique in some way, shape or form. They are detectable which declude virus does and other virus packages do if you scan all files.In being unique, it was created or saved differently then other jpg's. What seems funky is that an update to the creation software/process should put it within the 99% group. The GDI+ tools, virus detection tools are trying to catch at the reciever/viewer which is good, but it's the creation tools that need updating. What I'm trying to figure here is how to tell users to fix the problems and minimize false positives since we use so many different graphics formats in our business. If they upgrade their software to the highest sp/rev, they have the needed patches from MS, can they open the graphic without being hit and re-save it in a jpg format that will be safe? Did that make any sense? --- [This E-mail scanned for viruses by Findlay Internet] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. |
