Re: [clamav-users] Help, we are still seeing issues

2021-04-17 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 17 Apr 2021, Robert M. Stockmann via clamav-users wrote:

> ... one would expect the daily.cvd to be the smallest file ...

Nope.

--

73,
Ged.


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

2021-04-17 Thread Richard Graham via clamav-users
Oops, my first email text formatting may have destroyed the contents.
Here's another try.

On Sat, Apr 17, 2021 at 8:55 PM Richard Graham  wrote:
> >
> > Very curious!  It seems to work as expected on my Fedora 32 system.  If
> > you run clamscan with the --debug option, you can see it load the ".fp"
> > files (and lots and lots of other stuff too!).
> >
> > $ clamscan --version
> > ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
> >
> > $ cat /var/lib/clamav/xmr-stak-linux.fp
> > 2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz
> >
> > $ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
> > Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
> > Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak
> > /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK
> >
> > --- SCAN SUMMARY ---
> > Known viruses: 12743774
> > Engine version: 0.103.2
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 16.49 MB
> > Data read: 1.99 MB (ratio 8.28:1)
> > Time: 25.887 sec (0 m 25 s)
> > Start Date: 2021:04:17 20:52:21
> > End Date:   2021:04:17 20:52:47



Re: [clamav-users] Help, we are still seeing issues

2021-04-17 Thread Robert M. Stockmann via clamav-users
On Sat, 17 Apr 2021, Joel Esler (jesler) via clamav-users wrote:

> Date: Sat, 17 Apr 2021 18:58:04 +
> From: "Joel Esler (jesler) via clamav-users"
> 
> To: "Joel Esler (jesler) via clamav-users" 
> Cc: "Joel Esler (jesler)" 
> Subject: [clamav-users] Help, we are still seeing issues
> 
> Please take a few moments to check your ClamAV freshclam installations.  Are 
> you removing your mirrors.dat file after every run of Freshclam or cvdupdate?
> 
> We are seeing a few IPs, who have upgraded to 103.2 still downloading the 
> entire daily.cvd and main.cvd every update.  I am thinking this is because 
> the installation has a script that is deleting the mirrors.dat file, or has 
> the “OnErrorExecute” command in the Freshclam.conf file set to delete 
> this file, or freshclam can’t write the file in the first place (which 
> shouldn’t be possible).
> 
> Please double check your installations?  You may even need to go so far as to
> create a new freshclam.conf file.
> 
> If your downloads were working and now you are getting 403s from
> Cloudflare and you’re on 103.2, the above situation may be the reason.
> Please double check the situation and feel free to write me back.  We’ve 
> seen about 34,000 downloads of the main and daily in the past 24 hours from 
> these couple of IPs.
> 
> I can tell the difference between a properly functioning copy of freshclam 
> and not, very easily by looking at the files being downloaded.  If an 
> installation grabs the cvd and then grabs the cdiffs the next day, it’s 
> properly functioning.
> 
> But downloading the entire daily and main every 5 minutes or so indicates to 
> me that something is broken.
> 

Here are the freshclam virus data files which were first downloaded when
I upgraded to 0.103.2:

   [hubble:stock]:(/var/lib/clamav)$ ll
   total 429572
   -rw-r--r--  1 clamav clamav    293670 Apr  8 02:37 bytecode.cvd
   -rw-r--r--  1 clamav clamav 321713152 Apr 17 14:07 daily.cld
   -rw-r--r--  1 clamav clamav 117859675 Apr  8 02:37 main.cvd
   -rw-r--r--  1 clamav clamav        69 Apr  8 02:36 mirrors.dat
   [hubble:stock]:(/var/lib/clamav)$ clamdscan --version
   ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
   [hubble:stock]:(/var/lib/clamav)$

As you can see, the daily.cld is from today, Apr 17, and the others
were downloaded on the day of upgrade. However, one would expect the
daily.cvd to be the smallest file; instead it's the biggest,
with 307M in size.


-- 
Robert M. Stockmann - RHCE
Network Engineer - UNIX/Linux Specialist
crashrecovery.org  st...@stokkie.net




[clamav-users] Help, we are still seeing issues

2021-04-17 Thread Joel Esler (jesler) via clamav-users
Please take a few moments to check your ClamAV freshclam installations.  Are 
you removing your mirrors.dat file after every run of Freshclam or cvdupdate?

We are seeing a few IPs, who have upgraded to 103.2 still downloading the 
entire daily.cvd and main.cvd every update.  I am thinking this is because the 
installation has a script that is deleting the mirrors.dat file, or has the 
“OnErrorExecute” command in the Freshclam.conf file set to delete this file, or 
freshclam can’t write the file in the first place (which shouldn’t be possible).

Please double check your installations?  You may even need to go so far as to
create a new freshclam.conf file.

If your downloads were working and now you are getting 403s from Cloudflare
and you’re on 103.2, the above situation may be the reason.  Please double
check the situation and feel free to write me back.  We’ve seen about 34,000 
downloads of the main and daily in the past 24 hours from these couple of IPs.

I can tell the difference between a properly functioning copy of freshclam and 
not, very easily by looking at the files being downloaded.  If an installation 
grabs the cvd and then grabs the cdiffs the next day, it’s properly functioning.

But downloading the entire daily and main every 5 minutes or so indicates to me 
that something is broken.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net
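As an added illustration of the checks Joel asks for (this is not ClamAV's code and not part of the thread): a small Python audit that looks for the causes he lists, a mirrors.dat that is missing or that freshclam cannot write, and a freshclam.conf hook (OnErrorExecute, OnUpdateExecute, OnOutdatedExecute) whose command touches mirrors.dat. The database directory and config it audits in the demo are a constructed fixture in a temp dir; the /var/lib/clamav and /etc/clamav/freshclam.conf paths in the comment are the assumed Debian/Ubuntu defaults.

```python
import os
import re
import tempfile

# The freshclam.conf directives that run an external command.  Joel's
# suspicion is that one of them is being used to delete mirrors.dat.
HOOK_RE = re.compile(r"^\s*(OnErrorExecute|OnUpdateExecute|OnOutdatedExecute)\s+(.*)$")


def hooks_touching_mirrors(conf_text):
    """Return the hook lines in freshclam.conf whose command mentions mirrors.dat."""
    hits = []
    for line in conf_text.splitlines():
        m = HOOK_RE.match(line)
        if m and "mirrors.dat" in m.group(2):
            hits.append(line.strip())
    return hits


def audit_dbdir(dbdir):
    """Findings about the database directory.  Run this as the user freshclam
    runs as: os.access() reports the *current* user's permissions."""
    findings = []
    mirrors = os.path.join(dbdir, "mirrors.dat")
    if not os.path.isfile(mirrors):
        findings.append("mirrors.dat missing: next run will download the full main/daily again")
        if not os.access(dbdir, os.W_OK):
            findings.append("database directory not writable: freshclam cannot create mirrors.dat")
    elif not os.access(mirrors, os.W_OK):
        findings.append("mirrors.dat not writable: freshclam cannot update it")
    # freshclam writes daily.cld when it applies cdiffs to the previous daily,
    # so a directory that only ever holds daily.cvd has never taken the
    # incremental path Joel describes ("grabs the cdiffs the next day").
    has_cld = os.path.exists(os.path.join(dbdir, "daily.cld"))
    has_cvd = os.path.exists(os.path.join(dbdir, "daily.cvd"))
    if has_cvd and not has_cld:
        findings.append("only daily.cvd present: no cdiff has been applied here yet")
    return findings


def audit(dbdir, conf_path):
    """Run both checks; an empty list means nothing suspicious was found."""
    with open(conf_path) as fh:
        hooks = hooks_touching_mirrors(fh.read())
    return audit_dbdir(dbdir) + [f"hook touches mirrors.dat: {h}" for h in hooks]


def build_constructed_install(broken=True):
    """Create a throw-away database directory and freshclam.conf in a temp dir
    (a constructed fixture, not a real installation) and return their paths."""
    root = tempfile.mkdtemp(prefix="freshclam-audit-")
    dbdir = os.path.join(root, "clamav")
    os.mkdir(dbdir)
    for name in ("main.cvd", "daily.cvd", "bytecode.cvd"):
        open(os.path.join(dbdir, name), "wb").close()
    lines = [f"DatabaseDirectory {dbdir}", "DatabaseMirror database.clamav.net"]
    if broken:
        # the pattern Joel suspects: an error hook that wipes mirrors.dat
        lines.append(f"OnErrorExecute rm -f {dbdir}/mirrors.dat")
    else:
        open(os.path.join(dbdir, "mirrors.dat"), "wb").close()
        open(os.path.join(dbdir, "daily.cld"), "wb").close()
    conf = os.path.join(root, "freshclam.conf")
    with open(conf, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return dbdir, conf


if __name__ == "__main__":
    # Real installs: audit("/var/lib/clamav", "/etc/clamav/freshclam.conf")
    # (assumed Debian/Ubuntu paths).  The demo audits the constructed fixtures.
    for label, broken in (("broken", True), ("healthy", False)):
        dbdir, conf = build_constructed_install(broken)
        print(label, audit(dbdir, conf) or ["OK"])
```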



Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

2021-04-17 Thread Richard Graham via clamav-users
Very curious!  It seems to work as expected on my Fedora 32 system.  If you
run clamscan with the --debug option, you can see it load the ".fp" files
(and lots and lots of other stuff too!).



$ clamscan --version
ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021

$ cat /var/lib/clamav/xmr-stak-linux.fp
2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz

$ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak
/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK

--- SCAN SUMMARY ---
Known viruses: 12743774
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 16.49 MB
Data read: 1.99 MB (ratio 8.28:1)
Time: 25.887 sec (0 m 25 s)
Start Date: 2021:04:17 20:52:21
End Date:   2021:04:17 20:52:47


On Tue, Apr 13, 2021 at 5:29 PM Pavel Řezníček 
wrote:

> Hello folks,
>
> I am new to this mailing list. I’ve got a question related to ClamAV’s
> .fp files. Since I am a Ubuntu user, I asked my question on
> askubuntu.com:
>
> https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2.
>
> Got directed to a ClamAV forum so I am here. Copying my original post.
>
> My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.
>
> Trying to make ClamAV ignore several files. These are almost cryptocoin
> miners which I do use. Cryptocoin miners get flagged by most antivirus
> programs for they can be distributed as malware (using other people’s
> computers for the attacker’s profit). At the same time, they can be used
> for a tiny profit by the computer’s user himself, knowing what he is
> doing. ClamAV also reports the miners as malware and I’d like to teach
> it to ignore the files I actually use, knowing what I am doing.
>
> I also want to ignore the files on a per-file basis. Ignoring a whole
> malware type can be dangerous.
>
> Well, still no success here.
>
> Read this manual page: http://pig.made-it.com/clamav.html
> .
>
> Then this manual page:
> https://www.clamav.net/documents/allow-list-databases
> .
>
> Then this: https://www.clamav.net/documents/file-hash-signatures
> .
>
> In all these documents, they state that all I have to do is:
>
>   * Create a file in the ClamAV database folder (on Ubuntu, it’s
> /var/lib/clamav) with the .fp extension,
>   * place the file signatures therein, following the format
> MD5:SIZE:COMMENT, one per line,
>   o MD5 being the MD5 sum of the file,
>   o SIZE being the file size, and
>   o COMMENT being anything, defaulting to the file name.
>
> However, this blog entry
> states that the format has to be MD5:SIZE:ID_NAME, where:
>
>   * ID is a 6-digit identifier (can be the current date in the
> YYMMDD format) and
>   * NAME is the file name *without the extension.*
>
> Tried to follow even the second, restricted ruleset but to no avail.
> Clamscan still marks the file as a virus.
>
> I have got this file:
>
> clamav@precision-7510:~$ ls -l /var/lib/clamav/*.fp
> -rw-rw-r-- 1 clamav clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp
>
> with this content:
>
> 2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar
>
> Then I run clamscan:
>
> clamav@precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
> /home/pavel/Installace/Těžba a kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz: Multios.Coinminer.Miner-6781728-2 FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 8653609
> Engine version: 0.102.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 7.19 MB
> Data read: 1.99 MB (ratio 3.61:1)
> Time: 17.547 sec (0 m 17 s)
>
> So I still get a detection. What am I doing wrong?
>
> Cheers,
> Pavel Řezníček
>
>

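An added example, not from the thread and not ClamAV's own code, that produces an .fp entry in the MD5:SIZE:COMMENT form Richard's working line uses, parses an existing .fp file and flags malformed lines, and checks a candidate file against the parsed entries. It assumes what both the documentation and Richard's entry show: the match is on the hash and the exact size, and the third field is only a label. The sample file and its contents are constructed inline.

```python
import hashlib
import os
import re
import tempfile

# One .fp entry: MD5:SIZE:COMMENT, the same form as Richard's working line
# 2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz
FP_LINE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(.+)$")


def fp_line(path, comment=None):
    """Build the .fp entry for a file: MD5 of its bytes and its exact size,
    labelled with the file name unless a comment is given."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return f"{h.hexdigest()}:{size}:{comment or os.path.basename(path)}"


def parse_fp(text):
    """Parse .fp text into (entries, errors): entries are (md5, size, comment)
    tuples with the hash lowercased, errors describe lines in the wrong form."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = FP_LINE.match(line.strip())
        if m:
            entries.append((m.group(1).lower(), int(m.group(2)), m.group(3)))
        else:
            errors.append(f"line {n}: not MD5:SIZE:COMMENT: {line!r}")
    return entries, errors


def find_entry(path, entries):
    """Return the entry that allow-lists this file, or None.  Only the hash
    and the size take part in the comparison; the comment is a label."""
    md5, size, _ = fp_line(path).split(":", 2)
    for entry in entries:
        if entry[0] == md5 and entry[1] == int(size):
            return entry
    return None


def demo_constructed():
    """Write a constructed sample file, build its entry, and check it against
    an .fp text that holds that entry plus one malformed line."""
    root = tempfile.mkdtemp(prefix="fp-demo-")
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(b"hello world")  # constructed content, 11 bytes
    entry = fp_line(sample)
    entries, errors = parse_fp(entry + "\nnotahash:12:bad\n")
    return entry, find_entry(sample, entries), errors


if __name__ == "__main__":
    entry, hit, errors = demo_constructed()
    print(entry)
    print("allow-listed by:", hit)
    print("malformed lines:", errors)
```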


Re: [clamav-users] Heuristics.Broken.Media.JPEG.JFIFdupAppMarker

2021-04-17 Thread Paul Kosinski via clamav-users
It's worse than that. Not only do almost all users ignore security (as do many 
organizations), it seems that every new piece or version of software or 
hardware *reduces* security. And this applies to some new protocols (remember 
WiFi's WEP debacle?) and some extensions to or uses of existing ones.

It's all done in the name of convenience, and, in particular, striving for 
universal inter-connectedness. For example, I have fairly recently started 
receiving spam TXT messages containing links to who-knows-what. Yet (some) 
Samsung smart phones urge you to "share your contact list with others" -- and 
this admonition can't be disabled, it seems.

Another example is we got a new air-conditioner that has WiFi built-in, but 
it's only usable via the GE/Haier server, not locally (which might actually be 
useful). Luckily, the WiFi can be disabled (supposedly), so maybe this will 
stop it from being part of an IoT botnet, since its tiny computer likely can't 
get security updates.

In other words, securing email may be the least of our problems in the near 
future.


On Sat, 17 Apr 2021 13:14:40 +0100
Pedro Guedes via clamav-users  wrote:

> Hi again.
> 
> Well, the source ...
> .. you know, users most of the time have no idea what they are doing.
> Seems a usual correspondent but, who knows.
> Since mail is responsible for 99% of malware and dirt, and
> because users hate security (bad for day-to-day work), the only solution
> is using clamav-milter whitelisted addresses.
> Mail is a complete anarchy; no way of blocking failed SPF, DKIM signatures,
> DMARC, etc.,
> because no one does anything, and so if you block, a lot of important
> emails get blocked.
> 
> Media all around talk about security but no one does anything.
> Even the most important banks don't have DNSSEC, and when they do it is
> incorrect.
> 
> DKIM? Too much trouble.
> DNSSEC? Too much trouble.
> 
> And with all the monopoly on the clouds things get even worse.



Re: [clamav-users] Heuristics.Broken.Media.JPEG.JFIFdupAppMarker

2021-04-17 Thread Pedro Guedes via clamav-users
Hi again.

Well, the source ...
.. you know, users most of the time have no idea what they are doing.
Seems a usual correspondent but, who knows.
Since mail is responsible for 99% of malware and dirt, and
because users hate security (bad for day-to-day work), the only solution
is using clamav-milter whitelisted addresses.
Mail is a complete anarchy; no way of blocking failed SPF, DKIM signatures,
DMARC, etc.,
because no one does anything, and so if you block, a lot of important
emails get blocked.

Media all around talk about security but no one does anything.
Even the most important banks don't have DNSSEC, and when they do it is
incorrect.

DKIM? Too much trouble.
DNSSEC? Too much trouble.

And with all the monopoly on the clouds things get even worse.

G.W. Haywood via clamav-users wrote
on Saturday, 17/04/2021 at 12:27:
>
> Hi there,
>
> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> > G.W. Haywood via clamav-users ... Saturday, 17/04/2021 ...
> >> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
> >>
> >>> What does
> >>> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> >>> mean?
> >>
> >> It means that libclamav found something questionable in data which it
> >> identified as of type JPEG.  It's only reported by clamd if an option
> >> in the configuration is on.  The default is off.
> >> ...
> >> It's not unusual to find broken images in things like a browser cache
> >> and it might not be a concern, but in mail or elsewhere it might mean
> >> that something should be investigated.
> >>
> >> A little more context might help.
> >
> > Yes, I did already look at the C code as something to do with jpeg format.
> > So JFIFdupAppMarker is a warning about something being wrong?
>
> Yes.  The data violates the format specification.  From just that bit
> of information I have, I have no idea how likely it is to be malicious.
> Some images are generated on the fly, and the code doing that might be
> less than perfect so you could be seeing a mistake rather than malice.
>
> > And yes I have
> > AlertBrokenMedia yes
> > in clamd.conf
> >
> > Well, I keep looking.
> > I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.
>
> Obviously if it's in email you can easily investigate the source, and
> if it's malicious you can also easily prevent it from being passed to
> any mailbox.  I don't know how common malicious JPEG files are in mail
> but I suspect it's "not very".  Can you tell us more about the source?
>
> --
>
> 73,
> Ged.
>




Re: [clamav-users] Heuristics.Broken.Media.JPEG.JFIFdupAppMarker

2021-04-17 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:

> G.W. Haywood via clamav-users ... Saturday, 17/04/2021 ...
>> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
>>
>>> What does
>>> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
>>> mean?
>>
>> It means that libclamav found something questionable in data which it
>> identified as of type JPEG.  It's only reported by clamd if an option
>> in the configuration is on.  The default is off.
>> ...
>> It's not unusual to find broken images in things like a browser cache
>> and it might not be a concern, but in mail or elsewhere it might mean
>> that something should be investigated.
>>
>> A little more context might help.
>
> Yes, I did already look at the C code as something to do with jpeg format.
> So JFIFdupAppMarker is a warning about something being wrong?

Yes.  The data violates the format specification.  From just that bit
of information I have, I have no idea how likely it is to be malicious.
Some images are generated on the fly, and the code doing that might be
less than perfect so you could be seeing a mistake rather than malice.

> And yes I have
> AlertBrokenMedia yes
> in clamd.conf
>
> Well, I keep looking.
> I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.

Obviously if it's in email you can easily investigate the source, and
if it's malicious you can also easily prevent it from being passed to
any mailbox.  I don't know how common malicious JPEG files are in mail
but I suspect it's "not very".  Can you tell us more about the source?

--

73,
Ged.



Re: [clamav-users] Heuristics.Broken.Media.JPEG.JFIFdupAppMarker

2021-04-17 Thread Pedro Guedes via clamav-users
Hi
Thanks for the answer.
Yes, I did already look at the C code as something to do with jpeg format.
So JFIFdupAppMarker is a warning about something being wrong?
And yes I have
AlertBrokenMedia yes
in clamd.conf

Well, I keep looking.
I have ClamAV as a milter in sendmail.cf so this jpeg was in email scanning.




G.W. Haywood via clamav-users wrote
on Saturday, 17/04/2021 at 11:40:
>
> Hi there,
>
> On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:
>
> > What does
> > Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> > mean?
>
> It means that libclamav found something questionable in data which it
> identified as of type JPEG.  It's only reported by clamd if an option
> in the configuration is on.  The default is off.
>
> 8<--
> $ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c
>
>     if (SCAN_HEURISTIC_BROKEN_MEDIA) {
>         if (found_app && num_JFIF > 0) {
>             cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
>             cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
>             cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
>             status = CL_EPARSE;
>             goto done;
>         }
>         if (!(segment == 1 ||
>               (segment == 2 && found_comment) ||
> 8<--
>
> See
>
> https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format
>
> for more information about the format.
>
> It's not unusual to find broken images in things like a browser cache
> and it might not be a concern, but in mail or elsewhere it might mean
> that something should be investigated.
>
> A little more context might help.
>
> --
>
> 73,
> Ged.
>



Re: [clamav-users] Heuristics.Broken.Media.JPEG.JFIFdupAppMarker

2021-04-17 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 17 Apr 2021, Pedro Guedes via clamav-users wrote:

> What does
> Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
> mean?


It means that libclamav found something questionable in data which it
identified as of type JPEG.  It's only reported by clamd if an option
in the configuration is on.  The default is off.

8<--
$ grep -C5 Heuristics.Broken.Media.JPEG.JFIFdupAppMarker clamav-0.103.2/libclamav/jpeg.c

    if (SCAN_HEURISTIC_BROKEN_MEDIA) {
        if (found_app && num_JFIF > 0) {
            cli_warnmsg("JPEG: Duplicate Application Marker found (JFIF)\n");
            cli_warnmsg("JPEG: Already observed JFIF: %d, Exif: %d, SPIFF: %d\n", num_JFIF, num_Exif, num_SPIFF);
            cli_append_possibly_unwanted(ctx, "Heuristics.Broken.Media.JPEG.JFIFdupAppMarker");
            status = CL_EPARSE;
            goto done;
        }
        if (!(segment == 1 ||
              (segment == 2 && found_comment) ||
8<--

See

https://en.wikipedia.org/wiki/JPEG_File_Interchange_Format

for more information about the format.

It's not unusual to find broken images in things like a browser cache
and it might not be a concern, but in mail or elsewhere it might mean
that something should be investigated.

A little more context might help.

--

73,
Ged.
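To make the heuristic concrete, here is an added Python walker (not libclamav's code and not part of the thread) that does the same bookkeeping as the jpeg.c excerpt above: it steps through the marker segments before SOS, counts the JFIF, Exif and SPIFF application markers, and reports a JFIF APP0 that turns up after a JFIF has already been seen, which is what the `found_app && num_JFIF > 0` test catches. The two headers it runs on are constructed byte strings, not real images.

```python
import struct

SOS, EOI = 0xDA, 0xD9
# The application-marker identifiers whose counts jpeg.c keeps
# (num_JFIF, num_Exif, num_SPIFF): APP0 "JFIF", APP1 "Exif", APP8 "SPIFF".
APP_IDS = {
    (0xE0, b"JFIF\x00"): "JFIF",
    (0xE1, b"Exif\x00\x00"): "Exif",
    (0xE8, b"SPIFF\x00"): "SPIFF",
}


def iter_segments(data):
    """Yield (marker, payload) for every marker segment between SOI and SOS/EOI.
    Structural breakage (no SOI, bad length, truncation) raises ValueError."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("no SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker in (SOS, EOI):           # entropy-coded data follows SOS
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def check_app_markers(data):
    """Same bookkeeping as the jpeg.c excerpt: count the known APPn markers and
    report a JFIF APP0 that appears after a JFIF has already been seen."""
    counts = {"JFIF": 0, "Exif": 0, "SPIFF": 0}
    findings = []
    for marker, payload in iter_segments(data):
        for (app, ident), name in APP_IDS.items():
            if marker == app and payload.startswith(ident):
                if name == "JFIF" and counts["JFIF"] > 0:
                    findings.append("Heuristics.Broken.Media.JPEG.JFIFdupAppMarker")
                counts[name] += 1
    return counts, findings


def _segment(marker, body):
    # marker, big-endian length that includes its own two bytes, payload
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body


# Constructed marker prologues (not real images): SOI, APPn segments, SOS.
JFIF_APP0 = _segment(0xE0, b"JFIF\x00" + bytes([1, 1, 0]) + struct.pack(">HHBB", 1, 1, 0, 0))
EXIF_APP1 = _segment(0xE1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08")
GOOD = b"\xFF\xD8" + JFIF_APP0 + EXIF_APP1 + b"\xFF\xDA"
DUP_JFIF = b"\xFF\xD8" + JFIF_APP0 + EXIF_APP1 + JFIF_APP0 + b"\xFF\xDA"

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("dup", DUP_JFIF)):
        print(label, *check_app_markers(blob))
```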



[clamav-users] Heuristics.Broken.Media.JPEG.JFIFdupAppMarker

2021-04-17 Thread Pedro Guedes via clamav-users
Hi guys
What does
Heuristics.Broken.Media.JPEG.JFIFdupAppMarker
mean?

Thanks
Pedro
