On Sun, 17 Oct 2004 14:54:07 +0100 "Steve Basford" <[EMAIL PROTECTED]> wrote:
> Can someone test ClamAV with these files:
> http://www.hiddenbit.org/demo_files/jpeg.zip
ClamAV is technically prepared to catch those files but they require more generic signatures that can produce false positive alerts with JPEG files on versions older than 0.80rc4 (because they don't contain a special JPEG exploit verification code). The database will be updated in the very near future, though.
For those running 0.80rc4 or 0.80 final, you can catch all jpeg exploits with the following signature (add it to a local.ndb file in your database directory):
Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff
Warning: do NOT use this if you're running 0.80rc[123], since it WILL cause false positives. Also, do NOT change the name. The ClamAV code keys off the "Exploit.JPEG.Comment" to remove the false positives -- if you change the name you'll end up blocking ALL jpegs.
Please report back to this list if anyone finds a false positive using this signature.
Disclaimer: I'm not a developer; just a user. This could easily cause your computer to melt.
Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
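Added example (not part of the original message and not ClamAV code): a small Python reader for the .ndb line quoted above, showing that its byte pattern hits the start of any JPEG, so the verdict depends entirely on the name-keyed extra check the post describes. The `verify` callback, the prefix comparison on the name, the renamed signature and the sample header bytes are assumptions constructed for illustration.

```python
from typing import Callable, NamedTuple

class NdbSig(NamedTuple):
    name: str
    target: int      # target type; 5 = graphics files
    offset: str      # "*", absolute "n" or "EOF-n" are handled here
    pattern: bytes   # plain hex only; wildcards are not handled

def parse_ndb(line: str) -> NdbSig:
    # Layout: MalwareName:TargetType:Offset:HexSignature
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return NdbSig(name, int(target), offset, bytes.fromhex(hexsig))

def body_matches(sig: NdbSig, data: bytes) -> bool:
    """True if the byte pattern is present at the signature's offset."""
    if sig.offset == "*":
        return sig.pattern in data
    if sig.offset.startswith("EOF-"):
        start = len(data) - int(sig.offset[4:])
    else:
        start = int(sig.offset)
    return start >= 0 and data[start:start + len(sig.pattern)] == sig.pattern

def scan(sig: NdbSig, data: bytes, verify: Callable[[bytes], bool]) -> bool:
    """Model of the behaviour the post describes (assumed: prefix match on the name)."""
    if not body_matches(sig, data):
        return False
    if sig.name.startswith("Exploit.JPEG.Comment"):
        return verify(data)  # the extra check decides, not the raw match
    return True              # any other name: the raw match is the verdict

# Constructed sample file headers (first bytes only)
JFIF = bytes.fromhex("ffd8ffe000104a46494600010100000100010000")
EXIF = bytes.fromhex("ffd8ffe1001845786966000049492a0008000000")
PNG = bytes.fromhex("89504e470d0a1a0a0000000d49484452")

SIG = parse_ndb("Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff")
RENAMED = SIG._replace(name="Local.JPEG.Test")  # constructed name

def no_exploit_found(data: bytes) -> bool:
    # Stand-in for the verification result on a clean file (hypothetical).
    return False

if __name__ == "__main__":
    for label, blob in (("JFIF", JFIF), ("Exif", EXIF), ("PNG", PNG)):
        print(label, "raw match:", body_matches(SIG, blob),
              "| original name:", scan(SIG, blob, no_exploit_found),
              "| renamed:", scan(RENAMED, blob, no_exploit_found))
```
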
