Ace,

> I'm wondering if I should use one of the internal scan engines in my
> config file (amavisd-new 2.3.3).
>
> check-jpeg and check-jpeg-simple are both commented as example and
> there's not much information I could find by using google.
> Is it recommended (and if yes, which one?) to use one of those checkers
> or are they still not really useful. Besides: Aren't most av-checkers
> scanning jpegs by default, today?
>
> Furthermore I am wondering what File::Scan does and if it's useful.
> The only sentence I see again and again on Google is Mark's "if you
> believe using File::Scan is worth it". ;)

As far as File::Scan is concerned, I was using it for some time just to see that it works - until it declared a perfectly valid mail a virus and dropped it. This false positive a few months ago made me ditch it altogether. If you have clamd, it does it all and does it far better than File::Scan.

The check-jpeg-simple is mostly a demo. Due to the limitation that it only checks the first 32k of a file, it is not a serious scanner, but is a good example for similar code if need arises.

The other, larger one: JpegTester.pm (the 'check-jpeg' entry in @av_scanners) on the other hand is a true and carefully written jpeg checker, that truly understands jfif format and parses it properly. The last time I checked, the ClamAV jpeg-checking code was still sloppy, as far as parsing ECS segments is concerned.

Nevertheless, jpeg exploits are not particularly popular, and more often than not the JpegTester finds a corrupt jpeg, which was probably not intended to be malicious. And there is a large uncharted territory of exploits in the exif and tiff sections, either stand-alone or as a part of jpeg. As far as I know no popular checker verifies these.

So, even though JpegTester.pm does its work well and is not even slow, its usefulness is rather limited at the moment.

Mark
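
An added example, not part of the message above and not code from amavisd-new, JpegTester.pm or ClamAV: a minimal structural walk over JPEG marker segments that steps through the entropy-coded segment (ECS) after SOS, and shows why a scan capped at the first 32k can miss a defect a full parse reports. The names `check_jpeg`, `skip_ecs`, `seg` and the `limit` parameter are hypothetical, and the sample bytes are constructed.

```python
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-RST7 carry no length field

def skip_ecs(buf, pos):
    """Return the offset of the first real marker after entropy-coded data."""
    while True:
        pos = buf.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(buf):
            return len(buf)
        nxt = buf[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed 0xFF byte or restart marker
            pos += 2
        elif nxt == 0xFF:                       # fill byte before a marker
            pos += 1
        else:
            return pos

def check_jpeg(data, limit=None):
    """List structural problems; limit models a scan of only the first bytes."""
    buf = data if limit is None else data[:limit]
    if buf[:2] != b"\xff\xd8":
        return ["missing SOI"]
    pos = 2
    while pos + 1 < len(buf):
        if buf[pos] != 0xFF or buf[pos + 1] == 0x00:
            return [f"expected a marker at offset {pos}"]
        if buf[pos + 1] == 0xFF:                # fill byte
            pos += 1
            continue
        marker, pos = buf[pos + 1], pos + 2
        if marker == 0xD9:                      # EOI: structure is complete
            return []
        if marker in STANDALONE:
            continue
        if pos + 2 > len(buf):
            break
        length = int.from_bytes(buf[pos:pos + 2], "big")
        if length < 2:                          # the length field counts its own two bytes
            return [f"segment FF{marker:02X} at offset {pos - 2}: length {length} < 2"]
        pos += length
        if marker == 0xDA:                      # SOS header is followed by the ECS
            pos = skip_ecs(buf, pos)
    return [] if limit is not None else ["truncated: no EOI"]

# Constructed sample data (not real images); BAD has a zero-length COM after 40000 padding bytes.
def seg(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

APP0 = seg(0xE0, b"JFIF\x00" + bytes(9))
GOOD = b"\xff\xd8" + APP0 + seg(0xDA, bytes(10)) + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"
BAD = b"\xff\xd8" + APP0 + seg(0xFE, bytes(40000)) + b"\xff\xfe\x00\x00" + b"\xff\xd9"
```

`check_jpeg(BAD)` reports the malformed segment at offset 40024, while `check_jpeg(BAD, limit=32 * 1024)` returns no findings because the defect lies past the cap.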
