On Mon, 2004-10-18 at 15:40, Brian Morrison wrote:On Mon, 18 Oct 2004 11:22:01 +0200 Tomasz Kojm <[EMAIL PROTECTED]> wrote:
For those running 0.80rc4 or 0.80 final, you can catch all jpeg exploits with the following signature (add it to a local.ndb file in your database directory):
Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff
Warning: do NOT use this if you're running 0.80rc[123], since it WILL cause false positives. Also, do NOT change the name. The ClamAV code
Please do not use it. It seems the JPEG exploit verificator is still not perfect and may not eliminate all false positive matches.
False alert. It appeared some Japanese camera software creates broken pictures.
So that signature *is* safe to use? Or have I read your comment wrongly?
It should be safe to use with 0.80, but on the other hand, it'll match *every* JPEG file and process them through the false positive elimination code, which will impact performance (very slightly).
Two questions:
Which Japanese camera software? Nearly every digital camera is made by a Japanese company (Nikon, Canon, etc) so this might be important.
Which signature is safe? Mine (shown above)? Or only the slightly more restrictive one that you posted?
Oh, and yeah, the signature was designed to force all JPEG files though the elimination code, hence the name FalsePos. ;)
Damian Menscher -- -=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=- -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=- -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=- -=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=- -=#| The above opinions are not necessarily those of my employers. |#=- _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
