Hi there, On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
What does Heuristics.Broken.Media.JPEG.JFIFdupAppMarker mean?
It means that libclamav found something questionable in data which it identified as of type JPEG. It's only reported by clamd if an option in the configuration is on. The default is off. 8<---------------------------------------------------------------------- $ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c if (SCAN_HEURISTIC_BROKEN_MEDIA) { if (found_app && num_JFIF > 0) { cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n"); cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF); cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker"); status = CL_EPARSE; goto done; } if (!(segment == 1 || (segment == 2 && found_comment) || 8<---------------------------------------------------------------------- See https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format for more information about the format. It's not unusual to find broken images in things like a browser cache and it might not be a concern, but in mail or elsewhere it might mean that something should be investigated. A little more context might help. -- 73, Ged. _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml