Hi there,

On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:

> What does
> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> mean?

It means that libclamav found something questionable in data which it
identified as of type JPEG.  It's only reported by clamd if an option
in the configuration is on.  The default is off.

8<----------------------------------------------------------------------
$ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c

                    if (SCAN_HEURISTIC_BROKEN_MEDIA) {
                        if (found_app && num_JFIF > 0) {
                            cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
                            cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
                            cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
                            status = CL_EPARSE;
                            goto done;
                        }
                        if (!(segment == 1 ||
                              (segment == 2 && found_comment) ||
8<----------------------------------------------------------------------

See

https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format

for more information about the format.

It's not unusual to find broken images in things like a browser cache
and it might not be a concern, but in mail or elsewhere it might mean
that something should be investigated.

A little more context might help.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
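
To check a flagged file by hand, the condition the quoted jpeg.c lines report (a second JFIF application marker) can be reproduced with a small segment walker. This is an added example, not part of the original message and not libclamav's parser; the function name, result codes and sample buffers are hypothetical, and it only counts APP0 "JFIF" segments before the start-of-scan marker.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example (hypothetical names, not libclamav's). */
enum { JPEG_OK = 0, JPEG_DUP_JFIF = 1, JPEG_MALFORMED = -1 };

/* Constructed sample inputs: SOI, APP0 "JFIF" segment(s), then an SOS marker. */
#define JFIF_SEG 0xFF,0xE0,0x00,0x10,'J','F','I','F',0x00, \
                 0x01,0x01,0x00,0x00,0x01,0x00,0x01,0x00,0x00
static const uint8_t sample_clean[] = { 0xFF,0xD8, JFIF_SEG, 0xFF,0xDA,0x00,0x02 };
static const uint8_t sample_dup[]   = { 0xFF,0xD8, JFIF_SEG, JFIF_SEG, 0xFF,0xDA,0x00,0x02 };

/* Walk the header segments and count APP0 segments tagged "JFIF\0".
 * Returns JPEG_DUP_JFIF as soon as a second one is seen. */
int check_jfif_dup(const uint8_t *buf, size_t len)
{
    size_t pos = 2;
    int num_jfif = 0;

    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)   /* must start with SOI */
        return JPEG_MALFORMED;

    while (pos + 4 <= len) {
        uint8_t marker;
        size_t seglen;

        if (buf[pos] != 0xFF)
            return JPEG_MALFORMED;
        marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }       /* fill byte before a marker */
        if (marker == 0xDA || marker == 0xD9)          /* SOS or EOI: headers are done */
            return JPEG_OK;

        /* Segment length is big-endian and counts its own two bytes. */
        seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || seglen > len - pos - 2)      /* segment runs past the buffer */
            return JPEG_MALFORMED;

        /* "JFIF" compared over 5 bytes includes the terminating NUL. */
        if (marker == 0xE0 && seglen >= 7 &&
            memcmp(buf + pos + 4, "JFIF", 5) == 0 && ++num_jfif > 1)
            return JPEG_DUP_JFIF;
        pos += 2 + seglen;
    }
    return JPEG_OK;   /* data ended before SOS; no duplicate seen so far */
}

int main(void) { printf("clean=%d dup=%d\n", check_jfif_dup(sample_clean, sizeof sample_clean), check_jfif_dup(sample_dup, sizeof sample_dup)); return 0; }
```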
