On Wed, 29 Sep 2004, Damian Menscher wrote:
I just upgraded to 0.80rc3 on a RH9 machine. As a test of clamav, I went into my public_html directory and did a clamscan -r. It found one of my images to contain the virus:
[EMAIL PROTECTED] public_html]# clamscan -r .
./Asia_Pics/New Folder/dsc_0009.jpg: Exploit.JPEG.Comment FOUND
But later scans didn't show a problem with it:
[EMAIL PROTECTED] New Folder]# clamscan dsc_0009.jpg
dsc_0009.jpg: OK
And no, the file didn't change between scans:
[EMAIL PROTECTED] public_html]# ls -l "./Asia_Pics/New Folder/dsc_0009.jpg"
-r-xr-xr-x 1 menscher astro 347067 Jan 10 2004 ./Asia_Pics/New Folder/dsc_0009.jpg
If I had to guess, I'd say clamscan has some uninitialized memory that's causing occasional false positives. If anyone can suggest an alternative explanation, or a way I could debug this further, I'd love to help. Problem is, I can't reproduce the false positive anymore.
Ok, I feel dumb. Turns out the difference was the release of daily 509, which eliminated the false positive. I swear I looked to make sure it wasn't a freshclam update that made it disappear, but checking a second time shows otherwise.
Sorry for the false alarm.
Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
