Hi Pedro,

Yes, the alert you're seeing means something is unusual with the format of the
JPEG that is being scanned.

The intention with AlertBrokenMedia is to detect files that don't appear to 
follow the specification, just in case there is some vulnerability we don't 
know about and in case the file is an exploit. It is far more likely that the 
file was created by some software that is just a little careless and doesn't 
quite adhere to the spec, but there is a possibility that the JPEG carries an 
exploit for some vulnerable image parser.

Basically, AlertBrokenMedia is for people who prefer to be very cautious. 

-Micah

> -----Original Message-----
> From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of
> Pedro Guedes via clamav-users
> Sent: Saturday, April 17, 2021 4:12 AM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: Pedro Guedes <sixtriple...@gmail.com>
> Subject: Re: [clamav-users]
> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> 
> Hi
> Thanks for the answer.
> Yes, I did already look at the C code as something to do with jpeg format.
> So JFIFdupAppMarker is an attention to something being wrong?
> And yes I have
> AlertBrokenMedia yes
> in clamd.conf
> 
> Well, I keep looking.
> I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.
> 
> 
> 
> 
> G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote
> on Saturday, 17/04/2021 at 11:40:
> >
> > Hi there,
> >
> > On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> >
> > > What does
> > > Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> > > mean?
> >
> > It means that libclamav found something questionable in data which it
> > identified as of type JPEG.  It's only reported by clamd if an option
> > in the configuration is on.  The default is off.
> >
> > 8<----------------------------------------------------------------------
> > $ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c
> >
> >                      if (SCAN_HEURISTIC_BROKEN_MEDIA) {
> >                          if (found_app && num_JFIF > 0) {
> >                              cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
> >                              cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
> >                              cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
> >                              status = CL_EPARSE;
> >                              goto done;
> >                          }
> >                          if (!(segment == 1 ||
> >                                (segment == 2 && found_comment) ||
> > 8<----------------------------------------------------------------------
> >
> > See
> >
> > https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format
> >
> > for more information about the format.
> >
> > It's not unusual to find broken images in things like a browser cache
> > and it might not be a concern, but in mail or elsewhere it might mean
> > that something should be investigated.
> >
> > A little more context might help.
> >
> > --
> >
> > 73,
> > Ged.
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
